• [object Object]@lemmy.ca
    20 hours ago

    Yeah, when the show came out it was very well regarded as being pretty accurate.

    Obviously it’s a TV show, but most of the hacks were real or based on real hacks and techniques. From what I recall most of the hacks were social engineering (dropping the USB drives trying to get someone to plug them in, using physical access to install a Raspberry Pi on the network, etc.).

    Realistically, I think that Raspberry Pi would be found pretty quickly today. And those USB sticks would probably now trigger a visit from IT (everything you do on your corporate computer is logged. If you plug in a USB stick your admins can/will know about it. I had a friend whose employer threatened to sue them because they downloaded personal documents off their computer using a USB, and the employer threatened to sue them over stealing trade secrets, which sounds dumb, but it was basically blackmail to try and stop him from getting another job).

    • WaxRhetorical@lemmy.world
      3 hours ago

      In regards to the Pi, I worked for a bank until recently that absolutely would not have discovered it. I was dealing with IAM, not network security, but the guys who were, were drowning, and the structures were not in place to automatically flag this, so I’m pretty sure it’d just live on… I think outside of big, solid corporate and very tech-heavy smaller firms, this kind of approach would rarely be discovered.

    • TheFogan@programming.dev
      20 hours ago

      Trying to remember a bit more of it, but wasn’t the USB stick a Rubber Ducky? I mean it could possibly trigger some alarms, but to note that I don’t think it would register as a flash drive. In short, you can program them and make them appear to the computer however you want. I.e., it could appear as a keyboard, and rather than copying a file from storage, and rather than copying a script off of itself, it could, say, open cmd or PowerShell and effectively run the commands itself (as if they are being typed really fast, rather than actually a script). Companies typically don’t log keyboards being plugged in.

      • bamboo@lemmy.blahaj.zone
        19 hours ago

        IIRC, there was a plot where Elliot needed to break his drug dealer out of jail, and they left USB sticks in the parking lot of the police station, but when the cop plugged it in, it was obvious that it was malicious (command prompt pop up) because they didn’t have time to make it hidden, so that thread didn’t end up working out.