Real cybersecurity is not as easy as Hollywood makes it look
“I’ll just synchronize these firewall settings and bypass the encryption and we’ll be inside the system in a few seconds.” Words like these cause cybersecurity professionals (and others in IT) to cringe, but they occur all the time on television and in movies. It seems that whenever the subject turns to hacking or computer security, the cyberwizards of Hollywood are able to achieve their goals with a few simple clicks of the mouse. These far-fetched scenarios make real security experts shake their heads and wonder whether the producers even bothered to consult an actual security expert before writing their script.
Clearly, the entertainment industry needs to dress up the work of security professionals before trying to portray it on the big screen. After all, nobody wants to watch a network engineer carefully crafting firewall rules, or a cryptanalyst running a brute force attack against an encrypted file for days at a time. That said, don’t you wish that, just once in a while, they’d take the time needed to get the basic facts correct, and introduce a slightly more realistic view of hacking and cybersecurity? Let’s take a look at some of the most common mistaken portrayals of cybersecurity in the media.
Ease of Hacking Secure Government Systems
Perhaps the most astonishing feat achieved by hackers on television is their ability to quickly penetrate secure government systems and browse them with abandon. In almost every episode of the CBS military crime drama NCIS, for example, Agent Timothy McGee and technical specialist Abby Sciuto achieve hacking feats that make eyes roll in the living rooms of cybersecurity professionals around the world. If the team gets stumped on a case and requires access to classified information at the FBI or NSA, Leroy Jethro Gibbs simply looks in the direction of McGee or Sciuto. Whoever it is responds with a crisp, “On it, boss,” taps away at the keyboard for a few seconds, and quickly gains illicit access to the other agency’s network.
Of course, a scenario like this couldn’t happen in real life. Sensitive systems are on secure networks and are unreachable over public networks without the use of VPNs, multifactor authentication and other security controls — if they even provide remote access at all. Even if NCIS agents were able to penetrate the secure databases of other government agencies, it’s likely that intrusion detection systems would notice the attack, bringing down a world of bureaucratic hurt on the rogue investigators.
Accessing Isolated Systems
It’s also clear that television producers were never schooled in the fine art of network segmentation and isolated systems. The producers of Madam Secretary fell victim to this knowledge gap when they started off this season with the electronic hijacking of Air Force One by a mysterious hacker known as Dash. On a return flight to Washington from overseas, the hacker assumes control of the aircraft and severs all communications with U.S. officials, prompting the activation of continuity of government plans, and the swearing in of Secretary of State Elizabeth McCord (Tea Leoni) as President of the United States.
While government systems are notorious for security flaws and missing critical controls, you’d better believe that the security of Air Force One is extremely high on the list of Secret Service priorities. It’s highly unlikely that an attacker would be able to assume remote control of the aircraft without gaining physical access to the actual (highly guarded) aircraft.
While it’s true that a security researcher was recently accused of gaining similar access to the navigation system on a commercial flight, there were two major differences in that case. First, the researcher was sitting on the plane and used the in-flight entertainment system to gain access to other systems on the aircraft. Second, the flight in question was not on the most highly guarded and well-secured aircraft in the world!
Invalid IP Addresses and Ports
Just about every time a Hollywood cybersecurity whiz sits down at a command prompt, he or she starts rapidly typing and scrolling information that resembles real Linux commands. In fact, many of them are real commands designed to generate meaningless output that the analyst points to as he or she explains a stunning conclusion. There’s one consistently fatal flaw, however: the IP addresses shown are often not merely fake, in the sense that they don’t belong to actual systems, but impossible, because they contain values that wouldn’t fit within the bits allocated for an IP address.
It’s understandable that producers wouldn’t want to display a real IP address on a television show. After all, someone might own that address in real life and the show wouldn’t want to direct actual hacking attempts at an innocent target. But, please, don’t offend us by insinuating that you can put a value greater than 255 into a field supported by eight binary bits. It’s not possible.
Instead, why not just use one of the many private non-routable IP address spaces reserved for use on any network around the world? The 192.168.0.0/16 and 10.0.0.0/8 networks are perfect choices for producers ginning up fake content. The added bonus? If they’re using a system connected to an internal network, it probably already has one of those addresses!
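The check a script consultant could run over on-screen text, as an added example that is not part of the original article: it flags dotted quads with octets that cannot fit in eight bits and separates private ranges from publicly routable ones. The sample text is constructed, and the 172.16.0.0/12 block and the RFC 5737 documentation ranges are additions beyond the two networks the article names.

```python
import ipaddress
import re

# The two private networks named in the article, plus 172.16.0.0/12
# (the third RFC 1918 block, added here as an assumption for completeness).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 5737 ranges reserved for documentation; also safe to show (added here).
DOC_NETS = [ipaddress.ip_network(n) for n in
            ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# Deliberately loose: any 1-3 digits per field, so impossible octets such as
# 678 are captured and reported instead of silently skipped.
CANDIDATE = re.compile(
    r"(?<![\d.])\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d|\.\d)")

def classify(candidate):
    """Return 'impossible', 'private', 'documentation' or 'routable'."""
    octets = [int(part) for part in candidate.split(".")]
    # Each field is one byte: eight bits hold 0..255 and nothing larger.
    if any(o > 255 for o in octets):
        return "impossible"
    # Rebuild from ints so leading zeros do not trip the strict parser.
    addr = ipaddress.IPv4Address(".".join(str(o) for o in octets))
    if any(addr in net for net in PRIVATE_NETS):
        return "private"
    if any(addr in net for net in DOC_NETS):
        return "documentation"
    return "routable"  # may belong to a real system: keep it off screen

def review_screen_text(text):
    """Classify every dotted-quad candidate found in a block of screen text."""
    return [(m.group(0), classify(m.group(0)))
            for m in CANDIDATE.finditer(text)]

# Constructed sample of the kind of terminal text a prop department might write.
SAMPLE = """Trace complete: 312.45.678.9 -> 10.0.0.5, relay 8.8.8.8
fallback 203.0.113.7 gateway 192.168.1.1."""

if __name__ == "__main__":
    for address, verdict in review_screen_text(SAMPLE):
        print(f"{address:<16} {verdict}")
```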
Decrypting Sensitive Information
Defeating encryption is incredibly difficult everywhere except on television or in the movies. In the real world, smartphones, laptops and other systems all provide extremely easy access to sophisticated encryption algorithms, such as the Advanced Encryption Standard (AES). An attacker trying to defeat this technology would have a much better chance of finding a needle in a haystack, but producers don’t let that deter them. Cybersleuths often grimace that a computer or file uses encryption technology but then, a scene or two later, have managed to defeat that encryption and gain access, just in the nick of time. That just doesn’t happen in real life.
The worst part? The actual decryption process is visually boring and not suitable for high drama television shows. Rather than just showing the simple command line that security professionals know is the real deal, producers invent a magical process that spins letters around on the screen until the secret message is revealed, one character at a time. Come on, folks. Even people who aren’t IT professionals know it doesn’t work that way.
Facial Recognition in Seconds
When investigators come across security camera footage of an unknown suspect, they often stare at the screen for a few minutes, zoom in real close, and wonder who might be the grainy-faced character wearing a baseball cap. Then along comes Abby Sciuto, or one of her TV/movie counterparts. She taps a few keys on the keyboard, transforming the grainy face into a high resolution image and then runs it through a magical biometric database containing the faces of every known person in the world. A few seconds later, she excitedly reports to Gibbs that she “has a match!” and provides the identity of the suspect.
Besides the obvious fact that these searches use enhancement technology that doesn’t seem to exist in the real world (to perform searches against the sort of ridiculously comprehensive database that would explode the heads of privacy advocates, no less), there’s another fatal flaw to these depictions. Facial recognition is difficult and results in many false positive matches. Anyone who’s used the facial recognition features of photo organizing software knows this well. Running a grainy photo against a database of all known individuals in the world would likely result in thousands, if not millions, of matches that would then require manual verification.
Getting the Details Right
Hollywood doesn’t always get the details wrong, however. Once in a while, they manage to produce a show or movie that contains some accurate depictions of real-world cybersecurity. Reaching back into the vaults, the 1983 film WarGames starring Matthew Broderick began with a pretty accurate depiction of wardialing using an old acoustic modem. Hats off to this favorite classic hacker flick.
If you’ve watched the show CSI: Cyber, then you know that they also include some cringe-worthy depictions of security. What you might not know, however, is that they also sometimes give a hat-tip to the real world. In an episode on car hacking, they not only incorporated information about realistic security vulnerabilities, they also included cameo appearances by two well-known (well, at least they’re well known to car hacking geeks!) security experts: Charlie Miller and Chris Valasek.
Here’s the call to action for Hollywood: take cybersecurity seriously. We’re involved in an intriguing and interesting profession. The next time you’re thinking about including a hacking scene in a show or film, give us a call. We’d be happy to help you get it right — and still be entertaining!