SecureState Blog


Does the show get anything right?

Given the relative inaccuracies of the CSI franchise as a whole and how Hollywood regularly fails to tackle hackers with any sort of realism, it should surprise nobody that the new CSI show, CSI:Cyber, plays fast and loose with realistic hacking. The question we all had going in was just how inaccurate it would all be. The answer is, for the most part, completely inaccurate. Below is our take on the first episode.


The Premise

The premise of the show’s premiere episode revolved around the use of cloud-enabled webcams and baby monitors. As a place to start, this is sound: these cameras are a real security problem. Last November, a Russian website gathered links to insecure cameras from the internet, eventually compiling over 73,000 cameras that had only default credentials in place and could be viewed easily by anyone with an internet connection. There has been evidence that hackers have broken into wireless baby monitors, taunting children and their parents.

However, like so many of these shows, the accuracy goes out the window as soon as they begin expanding on the premise. In this episode of CSI:Cyber, hackers are being paid by a Russian kidnapping group to attack baby monitors to track the movements of the parents, to find out when they are not with the kids and kidnap the babies. This kind of extrapolation on security issues only serves to make people more afraid, instead of working to address the problem at hand. In the case of the website gathering links to the cameras, the exposure was specifically due to these cameras using default credentials, a problem that could be easily solved by people using secure passphrases instead of the credentials that come pre-installed on the device. Similarly, the idea that any sort of kidnapping group is going to go to the trouble of hacking baby monitors instead of just watching parents and kids is a bit far-fetched, never mind that these kinds of groups are not particularly common to begin with.

The Details

Where CSI:Cyber really gets tripped up is in the details. Anyone watching the show with even the slightest knowledge of cyber security will notice some common problems for these kinds of shows and movies, but this show seems to go out of its way to find new ways to ridiculously distort how cyber security experts deal with attacks.

Malware

CSI:Cyber knows that malware exists, but that is about as close to accurate as it gets in this area. Agents on the show are able to detect if a device has any malware on it at all almost instantly, without any of the real-world investigation that might take hours to detect the malicious software, especially if it is new or at all well-designed. At one point in the episode, the FBI team is able to reverse engineer a piece of malware in about 30 seconds. In the real world, such an effort could take days, and even then the analysts might not understand the malware as well as the team does in this show. However, the show makes understanding malicious code even easier by having it show up in a different color than normal code. Well, I guess that could explain why it was so easy to detect.

Passwords

At one point in the show, a 20-character-long password is broken on the first guess. This is just plain ridiculous.

How Hacking Looks

As with so many other pieces of media, the creators of CSI: Cyber can’t help but visually spice up the actual hacking taking place on the show. In the real world, hacking is almost exclusively done from command prompts, text-based interfaces that nobody would find visually appealing on screen. On CSI: Cyber, this type of hacking was clearly deemed not interesting enough, so various visual embellishments are used constantly.

What Does It Get Right?

Interestingly, the show gets a few things right. The agents are able to track down information on the suspect using information found on social media, which is a common method of finding information known as Open Source Intelligence (or OSINT for short). OSINT consists of the information on a person or company that can be tracked down easily using social media, search engines, and just sniffing around the internet. Many people and organizations have much more data available about them on the internet than they might think, and often both attackers and security experts will leverage this OSINT. In the realm of police shows, this is basic detective work, just done on the internet.

Though the show goes to some ridiculous places with it, the core idea of insecure cameras is, as discussed above, relatively accurate. As more and more devices gain internet connectivity, more security issues arise. These devices are more vulnerable to malicious attacks, which could potentially leave victims exposed in unanticipated ways. Always be certain to create unique usernames and passwords for any of these devices as soon as you can, for your own protection.