More and more hacker scenes are popping up on screens, but how realistic are they? Keren Elazari, a world-renowned cybersecurity analyst and white hacker, decided to rate cyber episodes from popular movies and TV shows. She knows how everything should be because she has been working in cybersecurity for over 25 years and is the founder of Israel’s largest hacker community BSidesTLV, as well as Leading Cyber Ladies. So, buy popcorn, because after this article you’ll want to review a couple of movies.
- 007: Skyfall Coordinates (2012). Rating: 3/10
Wow, the hero connects someone else’s laptop to a shared system, and yes, in an open space where other professionals are working. I wouldn’t do that – it’s a sign of poor operating security (OPSEC). There could be traps in the device. If I had such a computer, I would run it through a scanner before I started work. When we bring a device in for digital forensics, we usually open it up in the lab, not in the middle of our agency’s office.
All the visualization in the scene is unrealistic – we don’t see that kind of 3D animation when we open the file. The moment in which the specialist obfuscates his code and malware is quite good. Malware authors often do this.
Now we see polymorphic code on the screen, particularly in malware, and a hex version of the code. „Hex“ means hexadecimal. Usually, you only see 16 characters. From 0 to 9, A to F. You don’t see G, R, O like you see here. There’s also a code that looks like a map, beautiful, shaped, and that’s not how it works.
Rated 3 out of 10 because they did introduce some actual, real terms like malware, polymorphism, and code obfuscation, but that’s where the realism ends, unfortunately.
- Ocean’s Eight (2018). Rating: 7/10.
In this scene, we see Rihanna, playing the role of a hacker, using open-source intelligence for her plan. That is what is called targeted phishing (spear phishing). This attack targets a specific person. Cybercriminals use a targeted technique to trick you into believing that you have received an email from someone you know asking for your information. The subject can be a person or any organization.
Some attacks give the attacker control of your webcam, and he can even turn it on, and you won’t know it’s on. But it usually requires a little bit more time and action on the part of the victim. For example, to run an application, to install some files. The movie shows everything very quickly.
Next comes a scene in which a device is used that can pick up the password to a computer without being connected to it. That is impossible. Yes, the intelligence services can use something like that in the real world, but they would need physical access to connect with a cable to the target device. In the movie, the „box“ breaks a 12-character password, and it has not only numbers but the upper case, lower case, and special characters. A password of this complexity requires about 94 to the power of 12 different possible combinations. It is a very long number, trust me.
- The Matrix Reloaded. Rating: 9.5/10
I think it was a turning point when Hollywood started showing realistic hacking attacks. So, we see that Trinity uses Nmap, a network scanning and mapping tool that hackers use all the time. We also see that it uses something called SSH Nuke. SSH is an application layer networking protocol that allows remote control of the operating system. According to the movie, the heroine attacks SSH and uses a certain vulnerability to break in. A month before the movie started, this loophole was discovered in real life. In my opinion, it’s very cool that they used it.
The only small element that isn’t very realistic here is that it resets the password. If Trinity successfully exploits this vulnerability, she gets root privileges, so she doesn’t have to reset the password.
Another nuance is the gloves. There is no way she can break into the system this way and not make a bunch of typos. All hackers know that you need fingerless gloves to type fast.
- The Girl with the Dragon Tattoo (2011). Rating: 10/10
So, Elizabeth is doing the prep work here. She tracks down her target, observes her, and hears the code typed on the keyboard. To me it sounds like 1,2,1,1,2. Imagine it’s not that hard to figure out what different numbers sound like if you train your ears.
The heroine sneaks inside the building and takes pictures so she can figure out what equipment is installed, what router, what type of communications in that apartment building. Then she acquires a special device from one of her fellow hackers. I think that’s pretty realistic.
The device itself, it’s hard to say exactly what it is. We can see that it’s a Nokia. It could be a reference to the Nokia N900, which in hacker circles was known as the pwn phone. It was a phone that was used mainly for hacking wireless networks.
The device she uses in the movie is a bit exaggerated. You can see that it can be connected to an Ethernet network, and it has room for a SIM card. That is, you insert the SIM card, connect to the cellular network, and plug it in. In real life, these things are disguised as air fresheners, for example. And if I were doing a security audit, I’d sneak in as Elizabeth does. Then plug it in, use another connection to essentially, from my remote hacker hideout, do the rest of the business.
- War Games (1983). Rating: 10/10
A very realistic scene where the girl firstly looks for a piece of paper on which passwords might be written down. I used to do that myself. You would be surprised, but not only do people write down passwords on pieces of paper and put them near their devices, but they also reuse the same password many times over. Hackers use this loophole all the time. They also examine your social networking posts, photos, looking for clues.
- Star Trek: Discovery. S2E8 (2019). Rating: 1/10
„The probe used multiple SQL injections, but I’ve yet to find any compromised files,“ when I heard that sentence, I was horrified and turned off the TV that second.
To think that a space probe in the future would inject SQL code to attack a Federation ship. So, SQL injection is what hackers use these days. You count on the SQL server to do whatever you type. And that sounds ironic to me because SQL was first created in the 1960s or 1970s.
- Silicon Valley. S4E9 (2017). Rating: 10/10.
This scene is very realistic. The characters even use a real device, a Wi-Fi Pineapple made by Hak5. I have a Wi-Fi Pineapple Nano here – a scaled-down version of the routers they used in this episode. It’s designed very sleekly, so you can carry it in your backpack, and no one will know about it. So any phones and computers in the vicinity of such a device will connect to it, not to a legitimate access point. Trust me people won’t be able to tell the difference.
The second part of the hack is also realistic. They use control over the Wi-Fi to direct people to a fake website and make them download a fake version of the app.
- Jason Bourne (2016). Rating: 6/10
I doubt very much that the CIA has servers available over the Internet. While everything is on this server, all the files are organized very neatly in folders with the names of all the secret projects. That may seem unrealistic, but a year after this movie came out, we saw something called „Vault 7,“ which WikiLeaks was talking about, which was a real leak from the CIA. And they had a lot of covert operations, including hacking tools, organized in files and folders like these.
That is unlike any security monitoring tool I know. However, Nicky is probably using a backdoor that someone has already set up from inside the CIA. So, Nicky’s computer sends packets to certain ports on the CIA computer, and after the right sequence, the CIA computer takes this as a secret handshake and opens a connection from inside the CIA to Nicky’s computer. It’s a realistic possibility.
It’s great that the CIA instantly recognizes this location of the hackers, but to knock out the electricity in the building seems not so realistic. You know, that’s not the kind of ability that an intelligence agency would brag about – the ability to remotely shut off the power in a particular building. When hackers hacked into the power system in Kyiv, Ukraine, in 2015 and then again in 2017, they shut off power in parts of the city, and it took them months to orchestrate that hack. I’m not sure it’s realistic to do it in such a targeted way, concerning one house in particular.
On the screen, we see IP addresses that don’t exist in real life. For example, an IP address that starts with 300. So, IP addresses consist of four octets, four segments. Each octet consists of three digits. The digits, of course, can be zero. So it can be anything from zero to 255. If you see an IP address in the movies that starts with 256, that’s fiction. It doesn’t exist in the real world.
- Hackers (1995). Rating: 8/10
So, Hackers is my all-time favorite movie. It was because of it that I decided to become a hacker. That is what it looks like when someone analyzes a piece of code. A whole night goes by, not a couple of minutes. There are other people around, and they’re, you know, eating cold pizza, drinking warm energy drinks. This is the hacker menu I grew up on myself.
On the screen, we see the hexadecimal code on the left, and on the right are the ASCII characters, or the financial transactions that the hexadecimal code represents in Ellingson Corporation computer systems. So it’s pretty realistic. The antagonist uses the Da Vinci virus. They have created a very dangerous virus that threatens to sink Ellingson Mineral Corporation’s oil tankers if it is not paid a million dollars. Mind you, this is the first time a ransomware program has been shown in Hollywood. Before that, encryption viruses as such did not exist. Today we see many such attacks where criminals take over a computer system and demand payment to decrypt files and regain access to the systems. So even though the movie wasn’t exactly accurate in the 90s, I think it did predict the future. I’ll take two points off just because we’re not shown the programming code.