Red Balloon Security
- Ang Cui, CEO of security firm Red Balloon, specialises in trying to make embedded systems more secure.
- Back in 2017, his company published an exploit that showed how hackers could control what pixels you see on your PC monitor, potentially causing havoc.
- Computer security is, for most people, a pretty niche subject but the real exploit ended up being a plot point on Amazon Prime’s "Mr. Robot."
- Cui talked to Business Insider about popping up on a popular TV show and said he only realised when the firm’s GitHub page was flooded with comments.
The average TV showrunner probably doesn’t spend a lot of time browsing GitHub, the code repository beloved by developers and security researchers.
That doesn’t apply to the creators behind "Mr. Robot," the hit Amazon Prime show that is wildly popular with techies thanks to its technical accuracy.
The show stars Remi Malek as Elliot Alderson, a security researcher beset by paranoid delusions and visions, and revolves around his exploits as part of the (fictional) underground hacking group fsociety.
The show’s writer and researcher, Kor Adana, and creator, Sam Esmail, incorporate real exploits and homages to hacker culture, and are known for dropping Easter eggs through episodes to set Reddit alight.
"When these episodes air, I don’t watch the episodes, I keep my eye on Reddit and Twitter and see what people are saying about it," Kor Adana told Wired in 2016.
Adana and Esmail’s attention to detail meant 15 minutes of fame for one real-world security expert and his company, whose exploit was incorporated into Mr. Robot’s third series in 2017.
A warning: some slight spoilers for the third series follow.
In "Mr. Robot’s" third series, the main character Elliot Alderson – played by the now Oscar-winning actor Rami Malek — is being monitored by the FBI, who can see everything he’s doing on his computer. It’s not made clear in the show how Alderson, himself a talented hacker, could have been compromised in this way.
But for anyone looking closely, filenames and emails that flash up briefly onscreen make references to "Monitor Darkly" — the name of a real-world exploit published by the security firm Red Balloon in 2016.
Ang Cui, CEO of Red Balloon Security, focuses on security within embedded devices. Embedded devices basically refer to anything that contains a small computer that runs on its own dedicated software — MP3 players, dishwashers, and even hospital equipment can count as embedded systems. The term doesn’t really refer to laptops or desktop computers.
In this case, Red Balloon looked into PC monitors, which contain processors to determine what pixels you see on screen.
"There’s a small computer inside the monitor itself," Cui explained to Business Insider. "It’s a general-purposes embedded computer. It runs on an operating system that very few people on the planet know about, or are aware is inside this thing. It not only controls how the monitor displays pixels, it also sees every pixel that’s being shown."
For a hacker that wants to freak out a computer user, this provides an easier-than-usual route to do it.
"If I wanted to come and hack you, I could compromise your browser, I could go through the computer, the network, and try and compromise billions of dollars of research and development that puts the SSL lock on your banking site," Cui said. "Or, I can do code execution inside the monitor and flip those pixels."
The upshot is that a hacker could make manipulate the images on your monitor to make it appear like you had no money in your bank account. At its most extreme, the hack could cause havoc at a nuclear power plant since highly sensitive places also rely on embedded systems.
"We had a demo where we changed the red light to a green light for an industrial control system," Cui said.
That could trick a human into disabling core equipment like a centrifuge."You wouldn’t need to take down a centrifuge, you could just get a human to do it for you," he added.
Cui and his team found that no monitor was immune to the attack. They worked with monitor makers like Dell to fix the problem, and published the exploit on GitHub where, presumably, it was spotted by the "Mr. Robot" writers.
"There was nothing for a year, and then suddenly hundreds of comments on our GitHub repo [repository]," said Cui. "They actually built the link to our GitHub into the show, a bunch of people found it, and it pointed to the actual code and presentation we did."
In perhaps typical "Mr. Robot" style, no one actually told Red Balloon what had happened — they just worked it out from all the inbound comments and links. "They never really told us," Cui said.
The writers didn’t make it easy to find that particular Easter egg either. Here’s one enterprising YouTuber going through the steps of finding the references in the show, then going through a bunch of steps to unlock a QR code that leads to Red Balloon’s GitHub repository:
- 11 things unsuccessful people do over the weekend
- Tiger Woods is back — here’s how he spends his millions and lives his life off the course
- More than 6,100 stores are closing in 2019 as the retail apocalypse drags on — here’s the full list