In the movies, technology is often depicted as a deus ex machina, a convenience for the writer to instantly solve a problem. It’s common for writers to stretch the truth a little bit, in order to facilitate flow or continuity, but with technology, writers can sometimes imbue nearly magical qualities. Rightly so, as Arthur C. Clarke stated, “Any sufficiently advanced technology is indistinguishable from magic”.
And sometimes, the writers just plain get it wrong.
Worse, sometimes, the incorrect depiction is MORE appealing than the real-world functionalities and capabilities, leading to the creation of a mythology that gets propagated until the myth itself is part of pop-culture folklore.
Here are some examples of movie tech myths run amok.
1. Phone Myths
Because they are all interconnected through a mysterious, globe-spanning circuit-switched network, phones are a great source of tech myths!
1.1. Phreaking
Phreaking is the practice of hacking the phone system, usually for the purpose of making free phone calls or getting free long distance.
In the 1960’s and 1970’s, the phone network used in-band signalling: the tones that controlled the network travelled down the same audio path as the conversation. A touch-tone phone sent DTMF digits to the local switch, and the switches signalled each other across trunks with a different set of multi-frequency (MF) tones, plus a 2600 Hz supervisory tone that marked an idle trunk. Because nothing separated the talk path from the control path, a caller who played the right MF tones into the handset (the “blue box”) could seize a trunk and route the call himself. Phreakers also used tricks such as shorting to ground to simulate coins being inserted into a pay phone, and dialled special, undocumented numbers for diagnostics or to reach administrative or routing functions.
By the 1980’s, most telephone switches were digital, and, more importantly, signalling had moved out of band (CCIS, later SS7): trunk control travelled over a separate data network that a subscriber’s audio never reached, so tones played into a handset no longer did anything to the switches. Whatever older equipment remained gained countermeasures for these simple hacks.
When you see someone in the movies whistling into a phone, that is a reference to a real person: Joe Engressia (later known as Joybubbles), a blind phreak who grew up in the 60’s and 70’s and had perfect pitch, the ability to recognize and reproduce specific tones. He could whistle the 2600 Hz supervisory tone accurately enough to drop a trunk and re-seize it. The blind phreak “Whistler” in “Sneakers” is widely taken to be modelled on him.
Unlike what you frequently see in movies, neither his unique ability nor any combination of mechanical whistles, harmonicas or other devices would have done him much good from the 80’s onward: a whistle carries one tone at a time, and once signalling left the voice path, no tone on that path mattered. On the newer switches, “auto dialers”, devices that generate DTMF sequences, could still be used to place legitimate calls, because DTMF is how a subscriber addresses the local switch, but they could no longer manipulate trunk signalling.
Another tactic, shown in the movie “WarGames”, has the protagonist shorting a payphone to ground to simulate a coin dropping into the coin slot. Some older payphones did work this way, but it’s questionable whether that vulnerable equipment was still deployed in the field when the movie was made (1983). On a side note, he does it with a pull tab from a drink can: pull tabs used to litter every roadway and parking lot, but are now extinct!
Phreaking, as it existed in the 1960’s and 70’s, no longer exists. As a movie myth, phreaking continues to live on in infamy.
1.2. Tracing Calls
In many dramatic movie moments, the protagonist desperately tries to negotiate with the villain while tracing his call. A computer screen shows the call “bouncing” across a map, through multiple points of origin, with a line that slowly traces its way to the villain’s ultimate point of origin. Just as the hero is about to determine the location of the villain’s hideout, he disconnects the call, breaking the trace just in time!
When you originate a call on any phone network, your local phone company’s switch creates a connection to the phone switch where the recipient’s phone is connected to the network. Sometimes, a call must traverse multiple switches on its path from one end to the other, and the path must stay “open” (connected) for the duration of the call. When either party disconnects, the phone switches recycle the connections, allowing other users to place calls to other destinations.
For billing purposes, every phone switch, land-line or cellular, writes “Call Detail Records” (CDRs): a log of every connection THIS switch set up to any OTHER switch or station. Carriers bill consumers and each other from these logs, so the records are kept, retained, and reconciled between carriers; an inaccurate CDR is lost revenue.
Unlike what you see in the movies, “tracing” a call means walking the CDRs switch by switch: in each switch’s records, find the record for the call and read the inbound and outbound port it used. The inbound trunk identifies the next switch upstream, and you repeat there, until a record’s inbound port is a “station” port (a subscriber line). Each station port has metadata such as the subscriber’s name, address, and phone number.
If the call happens to originate and terminate inside the same carrier’s network, that carrier’s switch management software might be able to provide real-time trace information. However, because of the way the phone system works, tracing a single call might involve 3 or more phone companies. There are multiple local providers, known as “Local Exchange Carriers” (LECs). The LEC might hand the call to a Long Distance carrier (an interexchange carrier, IXC), or over to another LEC. Cell phone calls are harder still, because a handset has no predefined entry point into the network; it enters wherever its current tower connects.
“What about ‘Caller ID’?”, you may ask… Caller ID displays the Calling Party Number (CPN), a field that the originating switch or PBX asserts and that is passed along, switch to switch, as the call is set up. Nothing downstream verifies it. Any digital PBX with a digital (PRI) trunk can be programmed to send whatever name and number the villain wants, and commercial spoofing services, mostly VoIP based, do the same for anyone with a credit card. Automatic Number Identification (ANI), the billing number recorded by the originating carrier, is a separate field and much harder to fake, but the hero’s handset shows him CPN, not ANI. The hero can’t rely on Caller ID information!
Tracing a single call could take hours or even days, not including obtaining the proper, legal search warrants.
Once you use trace information to finally determine the villain’s originating line (phone switch port), the bad news is that the villain probably gave you a fake name. You can usually put any name you want on a phone line (land line or cellular).
The good news is that the phone company installs and maintains the line, so the service address is tied to the line itself. That information feeds the Enhanced 911 (E911) service, where the 911 emergency operator automatically receives name and address information from the switch that originates the call, meaning that you have a very good chance of at least getting an accurate address!
However, if he buys a cell phone, especially pre-paid cell phone, he can list whatever name and address he wants!
Most of the time, tracing a call is tedious and time consuming, since you must often match up CDRs from multiple sources in order to identify where a specific call originated. Moviegoers will continue to be entertained by nearly-instant trace programs that the hero can use to find the villain.
Further, there is no minimum time a call must stay connected before it can be traced, and hanging up doesn’t erase the CDRs; if anything, the hang-up is what completes the record. If you wanted to trace a local call (assuming one phone company) in real time, it would take you 20 minutes just to get the right tech on the phone, and probably another 15 minutes for him to log in to the switch management console, run the right report, and read off the answer. Let’s hope the villain is quite a talker!
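To make the record-walking above concrete, here is an added example (not code from the original article) that traces a completed call backwards through constructed CDRs from three switches: the victim’s local exchange, a long distance carrier, and the originating exchange. Switch names, trunk identifiers, record fields and subscriber data are all made up for the example, and the presented Caller ID in the terminating record is deliberately set to a number that has nothing to do with the originating line.

```python
"""Walking Call Detail Records backwards from the victim's line to the
originating station.  Added illustration, not code from the original
article; the CDR layout, switch names, trunk identifiers and subscriber
records below are all constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CDR:
    switch: str        # switch that wrote the record
    start: datetime    # call setup time as seen by that switch
    seconds: int       # duration, written when either side hung up
    in_port: str       # "trunk:<id>" from a neighbouring switch or "station:<line>"
    out_port: str      # "trunk:<id>" towards the next switch or "station:<line>"
    caller_id: str     # Calling Party Number as presented; verified by nobody


# Each trunk group joins exactly two switches (constructed topology).
TRUNKS = {"T-0042": ("lec-a", "ixc-1"), "T-0071": ("ixc-1", "lec-b")}

# Line metadata held by the carrier that owns each station port (constructed).
STATIONS = {
    ("lec-a", "station:0117"): {"number": "415-555-0117", "address": "12 Pier Rd"},
    ("lec-b", "station:0555"): {"number": "212-555-0555", "address": "9 Hero Ave"},
}

T0 = datetime(2024, 5, 1, 14, 2, 0)
VICTIM_PICKED_UP = T0 + timedelta(seconds=6)   # when the hero's phone rang

# Constructed logs from three switches.  The traced call is the first three
# records; the last two are unrelated traffic over the same trunks ten minutes
# earlier, so the join has to use the setup times, not just the trunk ids.
CDRS = [
    CDR("lec-b", T0 + timedelta(seconds=5), 190, "trunk:T-0071", "station:0555", "202-555-0100"),
    CDR("ixc-1", T0 + timedelta(seconds=4), 191, "trunk:T-0042", "trunk:T-0071", "202-555-0100"),
    CDR("lec-a", T0 + timedelta(seconds=3), 192, "station:0117", "trunk:T-0042", "202-555-0100"),
    CDR("lec-b", T0 - timedelta(minutes=10), 30, "trunk:T-0071", "station:0900", "555-0001"),
    CDR("ixc-1", T0 - timedelta(minutes=10), 30, "trunk:T-0042", "trunk:T-0071", "555-0001"),
]


def far_end(trunk_id, this_switch):
    """The switch on the other end of a trunk group."""
    a, b = TRUNKS[trunk_id]
    return b if this_switch == a else a


def trace_call(cdrs, term_switch, term_line, at, window=timedelta(seconds=10)):
    """Return the CDRs from the terminating station back to the originating
    station, joining on trunk id and setup time at every hop."""
    by_switch = {}
    for r in cdrs:
        by_switch.setdefault(r.switch, []).append(r)

    def one(switch, port, near):
        hits = [r for r in by_switch.get(switch, [])
                if r.out_port == port and abs(r.start - near) <= window]
        if len(hits) != 1:
            raise LookupError(f"{switch}: {len(hits)} records match {port} near {near:%H:%M:%S}")
        return hits[0]

    rec = one(term_switch, f"station:{term_line}", at)
    path = [rec]
    while rec.in_port.startswith("trunk:"):
        trunk = rec.in_port.split(":", 1)[1]
        rec = one(far_end(trunk, rec.switch), rec.in_port, rec.start)
        path.append(rec)
    return path


def origin_of(path):
    """Subscriber metadata for the station port at the end of the trace."""
    last = path[-1]
    return {"switch": last.switch, "line": last.in_port,
            "presented_caller_id": path[0].caller_id,
            **STATIONS[(last.switch, last.in_port)]}


if __name__ == "__main__":
    hops = trace_call(CDRS, "lec-b", "0555", VICTIM_PICKED_UP)
    for r in hops:
        print(f"{r.switch:6} {r.in_port:15} -> {r.out_port}")
    print(origin_of(hops))
```

Each hop joins on two things the villain does not control: the trunk that carried the call and the setup time the far switch logged for it. The Caller ID field rides along in every record but is never consulted, which is why the trace ends at 415-555-0117 while every handset along the way displayed 202-555-0100.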
1.3. Graphical Map Display for Tracing Calls
Setting aside the question of accurate and timely trace information, there is the “visual trace” myth.
In the movies, the hero watches the trace narrow down the villain’s location on a map, as the trace “closes in” on his location.
In reality, once a port (line) has been identified by the trace, it’s up to the carrier to provide the address metadata associated with that subscriber’s line. Because of the way the phone system works, there is virtually no relation between the path a call takes through the switch network and the physical location of the line. Apart from that metadata, the phone company can only narrow the geography down to the “Central Office” (CO) serving a land line, or the cell tower serving a mobile, both of which vary in coverage area based on subscriber density. If the address metadata is wrong or has been faked, and the villain calls you from somewhere out in the country instead of the city, you’ll be searching a much larger geographical area.
Tracing a call returns address metadata that CAN be displayed on a map, but the trace process has nothing to do with narrowing down a geographical (map) location. It LOOKS really cool, however, when the hero’s “trace program” systematically narrows down, and zooms in on the villain’s map location.
1.4. Bouncing Calls
“Bouncing” a call means routing it through multiple points of origin. In the movies, this is done as some kind of “computer hack”, where the call appears to be re-routed within the phone system itself.
There are a few very good reasons why this is impractical:
- The phone system isn’t that easy to hack. People have been attacking it since the 1960’s, which means the phone companies have had 50 years of practice defending their equipment. Data networking and the internet make it technically possible to reach a switch remotely, but the carriers have long since learned to keep their core switches off any remote-access path.
- Call routing is based on converged routing tables. What does this mean? All call routing is based on the digits at the beginning of the destination phone number (or at the beginning of whatever sequence the originator dials), called the prefix digits. At a high level, the whole network knows the most efficient path, at any given time, to route a specific prefix. If you were to hack in to ONE switch and modify its routing table, to route, for example, one string of digits through the wrong trunk line, the next switch on the other end of the trunk line would simply route the call right back, creating a loop! You would have to hack every switch in sequence in order to hide a single phone call, while preventing a routing loop!
- Hacking the phone network won’t hide the call. Within a given switch network, even if a path is convoluted, the switches themselves have near real-time knowledge of the origination and destination, and the switch management software still sees the complete call path. Convolution only helps when the call is routed BETWEEN switch networks (for example, between different providers).
- Lag. Each switch adds only a little delay, but distance adds a lot. A signal travels through fibre at roughly 5 microseconds per kilometre, so a path that wanders 30,000 km around the globe adds about 150 ms one way, and every geostationary satellite hop adds roughly 250 ms more. The ITU’s guidance (G.114) is that conversation starts to suffer above about 150 ms of one-way delay: the natural rhythm between the two speakers breaks down, one person inadvertently talks over the other, or misses part of the conversation completely.
- A PBX at a small company is often an easier target to hack. Most small companies can’t afford a full-time PBX administrator, which means that they probably pay a third-party company to service their PBX – if someone new joins the company, they need a phone number assigned, and their name has to be assigned. If someone moves from one cubicle to another, their phone information needs to follow them. If someone leaves the company, their phone number and voice mail needs to be disabled. Third-party service providers can’t afford to send a technician on site for simple changes, so more often than not, they use a remote-access mechanism to remotely administer the PBX. If THEY can get in, YOU can get in. It’s only about a million times easier to hack a PBX than a telco-owned switch.
In real life, with the above caveats in mind, there are a few ways to legitimately bounce a call:
- Voice over IP (VoIP) Services. Probably THE best way to hide or bounce a phone call: many free or cheap VoIP services will connect a “virtual phone” to a land line. Each provider keeps its own records and sits behind its own legal process, often in another jurisdiction, and several of them can be chained together to convolute the call further.
- Physically-coupled. Either direct-wiring or via acoustic coupler, two phones can be linked from microphone to speaker, allowing one phone to receive the incoming call, and the second one to originate a separate call. Tracing the second call yields the location of the second phone line, concealing the true location of the originator. This is a “quick and dirty” way to perform a one-time misdirection on an opponent.
- PBX hack. Although less common today, many Private Branch eXchange (PBX) systems used in companies (and even some government facilities) allow an inbound call to be routed back out on another line, a feature known as through-dialling or DISA (Direct Inward System Access). This is a known security hole, and most PBX systems are configured to disallow it, but a lazy or less-knowledgeable PBX administrator could easily leave it exposed: the hacker makes what looks like a local call into the PBX, then uses a separate line on the same PBX to originate a second call. Kept to a low profile, a PBX hack is a good way to make infrequent calls over a long period of time. Remember that the PBX writes CDRs too; every PBX does, and anyone with full control of the box knows where they are.
- A hard-wired trunk, also called a cross-connect, connects two phone switches together. Used as an easy and inexpensive way for medium-sized businesses to expand PBX capacity, cross-connecting a 2nd PBX node could allow an attacker to enter the first PBX node via its inbound trunk, navigate to the 2nd PBX via the cross-connect, and then originate an outbound call on the 2nd PBX’s outbound trunk line. This is a difficult vulnerability to trap, even when the individual PBXs are configured correctly. Like a PBX hack, a hard-wired trunk is an excellent way to make infrequent calls over long periods of time, without having to compromise the PBX. The bad news is that there will probably be a CDR trace of your activity.
- Connect a cordless phone to, or splice a neighbor’s line. You can make calls that appear to originate from your neighbor instead of you. The bad news is that you have to be fairly close, and because of the physical connection to your neighbor’s line, this type of attack is fairly easy to detect. This type of attack is best used when combined with direct / acoustic coupling to another line.
- Compound bounce. For example, a land line can be acoustically-coupled to a cell phone, making a trace significantly more complicated, and introducing more delay between the hunter and his target.
Bouncing done well: “Hackers”, where they acoustically-coupled multiple payphones in order to misdirect the authorities. The “signal trace” resulted in the cops raiding the physical location of the payphones, burning time and introducing delay between hunter and hunted.
Bouncing done badly: “Sneakers”, where the blind phreak “Whistler” bounces the signal all over the world while Marty talks to the NSA. A trip around the globe plus a few satellite hops adds well over half a second of delay each way, on top of the quality lost at every hop; Marty and the NSA would spend the whole call talking over each other.
2. “Hackers” Can Control Physical Devices
There are numerous movie scenes where a “hacker” controls a physical device in order to save the day!
2.1. Myth: Computer-Controlled Inanimate Objects
Some movies are so far disconnected from reality that they depict computers physically levitating, controlling, or steering inanimate objects.
Inanimate objects. Objects with no motors, hinges, actuators, levers, pistons, screws, propellers, nor any practical means of locomotion, simply can’t move.
Further, objects with no electronics can’t be “hacked” by an electronic computer.
Only the bottom writers in the barrel would use computer-controlled inanimate objects as a plot device.
2.2. Myth: Wirelessly-Controlled “Dumb” Electronics
Movie scene: whiz kid gets a computer. Two scenes later, whiz kid is controlling every electronic device in the house with his computer.
To control an electronic object, even a motorized one, the following requirements must be met:
- Motors or actuators. The object must be able to move on its own.
- Automated controls. A computer can’t override a manual control, such as a light switch, that has to be physically operated by the user.
- Remote control interface and protocol, for manipulating the automated control. For example, an automatic light, one that turns itself on at dusk and off at dawn, can’t be arbitrarily turned on or off unless the electronic switch can be accessed remotely.
- Wired or wireless control link between computer and device.
- Control software. The computer must be running software that connects to the control interface, and knows the protocols used by the remote device.
- User interface. The hacker has to be able to tell the control software what to do. The interface could be command-line or graphical.
Here are some additional movie cliches that don’t add up:
- Light switches can’t be controlled, unless they have automated control capability, a remote control interface, a control link, and some means to access the remote automation.
- Sprinklers and fire hydrants can’t be turned on or off, unless they have motorized valves that are designed to be remotely controlled. Most fire suppression systems are passively-triggered, meaning, they expect a smoke or heat event to trigger a response. Only VERY high-end installations, such as datacenters and other high-security facilities use computerized fire suppression that would even be capable of being triggered remotely.
- Door locks can’t be opened remotely unless they have a motor or electric strike and some remote administration capability. Magnetic locks (“mag locks”) and electric strikes are usually driven by an access-control panel; the badge reader and its access list CAN be programmed remotely, but releasing the door from afar means reaching that panel’s management interface, which typically lives on an internal network rather than the internet. Standing at the door, it opens for an approved badge and nothing else.
- Traffic lights CAN be monitored remotely, and a central system can change their timing plans, but very few let anyone remotely command a particular colour. Every signal cabinet has a conflict monitor (a malfunction management unit) that watches the controller’s outputs: if it ever sees conflicting greens or bad timing, it forces the intersection into flashing red, a signal to all drivers to treat it as a stop sign (all sides must stop). Traffic lights in most cities also have emergency vehicle preemption, a sensor on the mast that recognises a strobe or infrared emitter on fire trucks and ambulances and gives them a green. Devices that imitate those emitters are sold online, but in the US federal law prohibits selling or using one, and if the cops ever catch you with it, they’ll practically throw you UNDER the jail.
- Most household appliances lack both a remote control interface and a control link, and can’t be manipulated. Some smart appliances can now be monitored remotely, but very few can be manipulated.
- Cars absolutely can move, but the hacker still needs an actuator and a way to reach it. Older cars have purely mechanical steering, throttle and brakes. Most cars built since the mid-2000’s have electronic throttle, electric power steering and ABS / stability-control brake actuators on an internal bus, but none of it was designed to be commanded from outside the vehicle.
The movie scenes where a hacker remotely turns on household appliances, drives a car, opens locks or doors, or disables the security system are mostly mere exaggerations.
2.3. Reality: The Emergence of Smart Appliances – the “Internet of Things”, and the “Smart Grid”
The ironic twist, is that because there are actually home automation packages, along with the emergence of smart appliances and security systems, IoT (M2M), and the “Smart Grid”, the capability to access and manipulate devices in the home might actually be on the horizon. As of this writing:
- Automation packages such as X10 have existed since the late 1970’s, first as plug-in remote controls and later with PC-based “home automation” of X10 modules that switch lighting and other dumb home appliances. X10 has no authentication at all: a module obeys any command carrying its house and unit code, whether it arrives over the power line or through an RF bridge. Hacking the X10 network with a PC equipped with an X10 controller, or remotely controlling the existing PC that acts as the X10 controller, would let an attacker turn lights on or off, dim them, or activate “dumb” appliances plugged into X10 modules.
- Although electronic door locks have been around for quite some time, most of them lack the remote control interface, control link, and control software to be manipulated remotely. Newer “smart locks” connect to WiFi, and allow the homeowner to use a computer or smart phone app to modify codes, and lock or unlock the door.
- Smart thermostats allow the homeowner to set and monitor the temperature of the home. Smart thermostats can be controlled via PC, or via a phone / tablet app.
- As the Internet of Things (IoT) emerges, smart appliances will continue to emerge. Smart appliances allow remote monitoring and configuration via PC, phone, or tablet. Appliances such as coffee makers, ovens, washers, dryers, and the like, that are “dumb” appliances today, will continue to evolve.
- Perhaps the worst threat, the so-called “Smart Grid”, allows the electrical grid to “throttle back” usage at peak times by controlling devices inside the home. If the “Smart Grid” could be subverted and manipulated, it would allow a hacker to control a wide variety of devices and services within the home.
- Cars use computers for many tasks, including aspects of performance tuning and feature / function configuration. As vehicle integration continues to evolve, new opportunities will be created to affect someone’s gas mileage, shut down their car, control multimedia content, play an audio file remotely, and maybe even recalibrate the gauges, including the speedometer!
As technology evolves, hackers have ever-increasing opportunities and ever-progressing capabilities to seemingly, “magically” control various smart devices.
2.4. Myth: Hacking in to “Smart” devices
As outlined above, many connected devices are evolving, and DO in fact have the necessary remote control interfaces and control link. However, subverting those control interfaces is not as easy as it sounds!
- Most devices require either an access code, or a username / password combination. Despite what you see in the movies, “brute force” password hacking, where the attacker tries successive (ordered or random) passwords in an attempt to break in, is slower than it looks. Most software detects repeated failures and has controls that lock the interface, or refuse further login attempts for a certain period of time.
In the corporate environment, this type of activity would immediately trigger an alert, resulting in administrator intervention. In the home environment, there is no real framework for intrusion detection or alerting, meaning, that an attacker can perform a “low and slow” attack. Low and slow means that the attacker could take weeks or months, making only a few attempts at a time, until they break in. But it isn’t going to happen quickly, like they show in the movies.
- Remote access requires a control link! Typically, WiFi or Bluetooth would be used for this type of access. Early on, these technologies shipped “wide open” by default, allowing anonymous connectivity and access to virtually any network. Now they are deployed encrypted by default, meaning a hacker would have to know the WiFi password, capture a handshake and crack a weak passphrase offline, or find a flaw in the encryption itself, before reaching the devices behind it.
- Most home networks don’t allow remote access, necessitating that “smart devices” connect to an external command-and-control website. If either this connection, or the website itself could be compromised, then the device(s) being controlled could be compromised. Additionally, the legitimate user connects to the website, allowing the possibility for an attacker to forge or simulate the user’s access.
The difficulty in compromising the command-and-control website is that it requires advanced knowledge of the command and control protocols passed between the device and the website. Since there is no centralized standard (yet) for command and control of these types of devices, information on any given system depends on the number of units in use, the amount of information provided by the manufacturer and user community, and the amount of time available to the hacker. Over a long period of time, with plenty of internal information, a hacker could develop an exploit, or even an automated tool to perform the exploit.
Doing this “on the fly”, however, is virtually impossible.
Unlike what you see in the movies, and even though device-specific exploits may exist, most smart devices can’t easily be hacked.
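The lockout arithmetic above, as an added example (not code from the original article): a device login that locks for 15 minutes after 5 bad codes, an attacker who enumerates every 4-digit access code, and a failures-per-hour rule of the kind a corporate monitoring system applies and a home network does not. The policy values, the code length and the alert threshold are assumptions chosen for the demonstration, and time is kept as integer minutes so the simulation runs offline.

```python
"""Lockout policy versus brute force, fast and "low and slow".
Added illustration, not code from the original article.  The policy
values, the 4-digit access code and the alert threshold are assumptions
for the demo; the clock is integer minutes since the attack started."""


class ProtectedLogin:
    """A login that locks for `lockout_min` minutes after `max_failures` bad codes."""

    def __init__(self, secret, max_failures=5, lockout_min=15):
        self.secret = secret
        self.max_failures = max_failures
        self.lockout_min = lockout_min
        self.failures = 0
        self.locked_until = 0   # minute at which the lock expires
        self.log = []           # (minute, outcome): what a device log or IDS would see

    def attempt(self, code, now):
        if now < self.locked_until:
            self.log.append((now, "locked"))
            return "locked"
        if code == self.secret:
            self.failures = 0
            self.log.append((now, "ok"))
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_min
        self.log.append((now, "fail"))
        return "fail"


ALL_PINS = [f"{i:04d}" for i in range(10000)]     # the whole 4-digit keyspace


def brute_force(login, codes, pace_min=0):
    """Try every code in order, waiting out lockouts instead of burning tries,
    with `pace_min` minutes between attempts (0 = as fast as possible).
    Returns (elapsed_minutes, attempts), or (None, attempts) on failure."""
    now = 0
    attempts = 0
    for code in codes:
        now = max(now, login.locked_until)
        attempts += 1
        if login.attempt(code, now) == "ok":
            return now, attempts
        now += pace_min
    return None, attempts


def would_alert(log, threshold, window_min=60):
    """True if any `window_min` window holds >= `threshold` unsuccessful attempts:
    the rule a corporate SIEM applies to a login source; a home router has none."""
    times = [t for t, outcome in log if outcome != "ok"]
    j = 0
    for i, t in enumerate(times):
        while j < len(times) and times[j] - t < window_min:
            j += 1
        if j - i >= threshold:
            return True
    return False


if __name__ == "__main__":
    for pace in (0, 30):
        login = ProtectedLogin("9999")          # worst case: last code in the order
        minutes, tries = brute_force(login, ALL_PINS, pace_min=pace)
        print(f"pace {pace:2d} min: {tries} tries, {minutes / 1440:.1f} days, "
              f"alert={would_alert(login.log, threshold=10)}")
```

With the lockout respected, the fastest possible run still takes 1999 lockout periods, about three weeks for a worst-case code, and it trips the hourly-failures rule in the first hour. Spreading the attempts to two per hour never triggers the lock and never trips the rule, but stretches the same search to roughly 208 days. Neither is the ten-second montage.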
2.5. Remotely Driving Cars / Flying Planes
In the movie, the hero is driving his car, and the villain takes control.
In another scenario, the “hacker” takes over the airplane, routing it to another destination.
Here are some facts about controlling vehicles:
- Just as with any device, to be remotely controlled, a vehicle must have actuators or other automated control mechanisms, and a control interface and data link.
Most cars of the era these films come from had purely manual controls: the driver’s hands and feet actuate steering, braking and acceleration, and without automated controls there is no way for a hacker to drive a car or other vehicle. Newer cars do have electronic throttle, electric power steering and computer-driven brake actuators, so for them the question becomes the second and third requirements: a control interface and a link to it from outside the vehicle.
- Some newer vehicles provide automatic parking or automatic braking features, that, given the proper control interface and link, might be able to be exploited. For example, you could trigger the victim’s brakes at an unexpected time, such as when they are traveling down the freeway at 70 mph.
- Modern airliners and many military aircraft have fly-by-wire controls and autopilots that could theoretically be compromised if an attacker reached their avionics, but older and light aircraft only have manual controls, and the cabin networks passengers can touch are kept separate from the flight systems.
- Cruise missiles and flying drones explicitly operate via remote control, and can even be directed to a specific GPS destination. Any kind of remote administration interface could be hacker-bait.
- As smart cars and smart freeways continue to evolve, there will be ever-increasing opportunities for automation to be exploited.
Although controlling vehicles is largely a myth, automation continues to evolve, providing a growing attack surface for hackers to exploit.
3. GPS Tracking
GPS stands for “Global Positioning System”: a constellation of satellites that continuously broadcast timing and orbit information, which a GPS receiver uses to work out its own position by measuring its distance to several of them (trilateration). The urge to know the villain’s exact position is a tempting source for many tech myths!
3.1. Myth: Tracking a GPS Device
In the movies, the hero either “tracks” the villain’s GPS, or looks at the villain’s GPS history to track him down.
Here are the facts about GPS:
- “GPS” or “GPS device” usually means “GPS receiver”. A GPS receiver does just that – it RECEIVES a signal. It’s not capable of transmitting a signal.
- The “GPS network” is not a communication network. It’s a collection of GPS satellite signals that are constantly beamed down to Earth, so that GPS receivers can determine their own location. The “GPS network” is therefore unaware of, and incapable of tracking individual GPS devices (GPS receivers). You can’t track the bad guy using the GPS network itself.
- A GPS receiver does one thing: It locates its own position. In order for someone to REMOTELY know that location, a GPS has to be combined with some kind of transmitter, such as a radio or cell phone, that subsequently transmits the GPS coordinates once they have been determined by the GPS receiver. The good guy can’t “tap in to” or “ping” a GPS receiver to find out where it’s located.
- Most consumer GPS devices can be used in two ways: they can simply display your current location on a map, or they can provide routing information (turn-by-turn instructions) between two locations on the map while tracking your current location along the route.
- Most consumer GPS devices ONLY display your current location, unless you use the device’s search function to find a specific destination, and THEN the GPS provides routing information. The “favorite” and “history” function of most GPS devices is tied to the search function, NOT the instantaneous display. As a villain, who in their right mind would do an exact search on their personal GPS for their own “secret” hideout? If the villain doesn’t perform this type of search, there is no “favorite” or “history” information that the hero can use to see where the villain has been.
Just because the villain has a GPS, doesn’t mean the hero can use it to find him!
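As an added example (not code from the original article), here is the calculation a receiver actually performs: given the satellites’ positions and the pseudoranges it measured from their signals, it solves for its own position and its own clock offset with a least-squares fit. The satellite positions, the receiver’s true location and its clock error are constructed for the demo. Nothing in the code transmits anything, because nothing about the fix requires it; the four unknowns (three coordinates plus the clock term) are also why a receiver needs at least four satellites in view.

```python
"""How a GPS receiver fixes its own position from signals it only RECEIVES.
Added illustration, not code from the original article.  Satellite
positions, the receiver's true position and its clock offset are
constructed; the solver is plain Gauss-Newton least squares on the
pseudorange equations, the same shape as in any receiver textbook."""
import math

C = 299_792_458.0          # speed of light, m/s
R_EARTH = 6_371_000.0      # mean Earth radius, m
R_ORBIT = 26_560_000.0     # GPS orbital radius, m


def unit(v):
    n = math.sqrt(sum(c * c for c in v))
    return [c / n for c in v]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


# Constructed scene: receiver on the equator at the prime meridian, five
# satellites spread from zenith down to ~20 degrees elevation, receiver
# clock running 100 microseconds fast (expressed in metres of range).
TRUE_RX = [R_EARTH, 0.0, 0.0]
TRUE_BIAS_M = C * 1e-4
SATS = [[R_ORBIT * c for c in unit(d)] for d in
        [(1, 0, 0), (1, 1.5, 0.1), (1, -1.4, 0.6), (1, 0.2, -1.5), (1, 0.5, 1.2)]]


def pseudoranges(sats, rx, bias_m):
    """What the receiver measures: geometric range plus its own clock error,
    which is the same unknown for every satellite."""
    return [dist(s, rx) + bias_m for s in sats]


def solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def fix_position(sats, rho, iters=50, tol=1e-4):
    """Gauss-Newton on f_i = |s_i - x| + b - rho_i for unknowns (x, y, z, b),
    starting from the centre of the Earth as real receivers do."""
    x = [0.0, 0.0, 0.0, 0.0]
    for _ in range(iters):
        pos, b = x[:3], x[3]
        jac, res = [], []
        for s, r in zip(sats, rho):
            d = dist(s, pos)
            jac.append([-(s[k] - pos[k]) / d for k in range(3)] + [1.0])
            res.append(d + b - r)
        # normal equations: (J^T J) dx = -J^T f
        jtj = [[sum(row[p] * row[q] for row in jac) for q in range(4)] for p in range(4)]
        jtf = [-sum(row[p] * f for row, f in zip(jac, res)) for p in range(4)]
        dx = solve_linear(jtj, jtf)
        x = [xi + di for xi, di in zip(x, dx)]
        if math.sqrt(sum(d * d for d in dx)) < tol:
            break
    return x[:3], x[3]


def fix_error_metres():
    """Position and clock error of the fix against the constructed truth."""
    pos, bias = fix_position(SATS, pseudoranges(SATS, TRUE_RX, TRUE_BIAS_M))
    return dist(pos, TRUE_RX), abs(bias - TRUE_BIAS_M)


if __name__ == "__main__":
    pos_err, bias_err = fix_error_metres()
    print(f"position error {pos_err:.4f} m, clock error {bias_err / C * 1e9:.3f} ns")
```

The receiver’s cheap clock is wrong by tens of kilometres of range, yet the fix comes out to millimetres, because that error is identical on every satellite and the fourth unknown absorbs it. The satellites broadcast the same thing to everyone; the receiver hears, computes, and says nothing back.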
3.2. Myth: All Phones Have GPS
In the movies, the hero uses GPS tracking to find the villain’s phone.
Although many phones today DO have a built-in GPS receiver, there are quite a few limitations and caveats:
- Most smart phones DO have a GPS receiver, and DO run software that can report their location remotely – such as sending out a location “beacon” to the cell provider’s network, or via text message or web beacon to an external server.
For this to work properly, the GPS must be enabled, and must be able to receive a signal from the GPS satellites. Many people turn the GPS function off, when not in use, to save battery. In addition, the GPS satellite signals generally follow “line of sight”, meaning, if you go underneath a bridge, inside a house or building, or toss your phone in a briefcase or bag, it may not be able to “see” the GPS satellites, and therefore, can’t provide any location information.
- Smart phones, as well as older “dumb” phones, can use cell tower information to provide an approximation of GPS, called Location-Based Service (LBS). At worst, LBS provides information as specific as a single cell tower, which could be several square miles. At best LBS uses multiple cell towers to provide location data that’s as granular as about 300 feet.
- Smart phones use other terrestrial signals, such as WiFi (WiFi SSID name and signal strength), along with LBS and GPS to “remember” very specific location data, which acts like a geographical bookmark in place of a GPS signal. If you are in a place near a WiFi signal recognized by your phone, then it assumes that any GPS data it previously knew near that particular WiFi signal must still be valid. Of course, this doesn’t work for Mobile WiFi (MiFi).
- Although the handset itself will provide the best location information available (GPS, LBS, or cached) when accessed by the provider or via remote access software installed on the phone, if the phone itself can’t be accessed, then the cell phone provider can only determine the cell tower to which the handset most recently connected. Depending on the geography of the cell network, which is typically deployed based on connection density, one tower could cover as little as part of a city block, or as much as several square miles.
Although Smart Phones do have GPS receivers, the GPS may not always work. Depending on the situation, only coarse location data might be available.
3.3. Real-World GPS and Location Services Tactics
There are some things that CAN really be done using GPS or Location Services:
- GPS Tracker. A GPS Tracker works like a small cell phone with a GPS attached. The GPS receiver inside the tracking device periodically obtains a location fix, that is then transmitted via the cell phone circuitry, as a text message or beacon to a website. GPS Trackers are commercially-available, run for a very long time on disposable batteries due to low power requirements, and usually have a magnetic case that can be used to affix the device to a vehicle. Some GPS trackers don’t transmit – they simply write location fix data to a memory card or memory stick attached to the device.
- Using a Smart Phone as a GPS Tracker. There are many apps that can run on a Smart Phone, that use location information, and periodically transmit the phone’s location via text or via a web beacon.
This approach can be used surreptitiously, either via software installed without the target user’s knowledge, or a “burner” Smart Phone can be preconfigured and hidden in the target’s vehicle, bag, briefcase, or other belongings.
- Obtain geotracking metadata from Smart Phone apps. Anything uploaded to a website, such as photos, videos, status updates, and other content uploaded from various Smart Phone applications can be accessed via that website, even without access to the Smart Phone itself. Most social applications track the user’s location by default, either to allow “check-ins”, for friends to follow or locate each other, or just simply to gather and mine data about the user.
Most Smart Phones’ camera applications (and high-end digital cameras) embed geolocation data, by default, in pictures and videos taken on the device. Applications such as Google and Facebook can be configured to automatically upload photos – a feature that can be used to find a stolen phone using picture metadata, or follow the target without their awareness.
- Triangulation. Anything that transmits a signal (cell phone, WiFi, Bluetooth) can be triangulated using two or more directional receivers at known locations. By pointing each directional receiver at the direction of highest signal strength for a given target transmitter, the target’s location can be plotted fairly accurately on a map. More directional receivers increase the accuracy.
The downside is that cell phones and Bluetooth devices transmit using very little power, within a polluted signal space, and use frequency hopping, all of which make triangulation extremely difficult. WiFi hot spots and cordless phones have about the same power output with less competition, and are therefore much easier to locate. “Family Radio Service” (FRS) handsets can transmit up to a mile, while Citizens’ Band (CB) radio can transmit many miles. The stronger the signal, the easier it is to locate.
Although movies contain many GPS “tracking” myths, there are some realistic, high-tech tracking tactics that could and should be used more often.
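As an added example that is not part of the original article, here is the check a practitioner would want for the geotag metadata described above: a minimal parser that reads the GPS latitude and longitude out of a JPEG’s Exif block, plus a builder that constructs a small geotagged JPEG header to use as test input. The tag numbers and byte layout follow the Exif/TIFF format; the sample coordinates, the function names and the absence of any image data after the headers are assumptions of this example.

```python
import struct

EXIF_GPS_IFD = 0x8825          # IFD0 tag that points at the GPS sub-IFD
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
GPS_TAGS = {1: "lat_ref", 2: "lat", 3: "lon_ref", 4: "lon"}


def _read_ifd(tiff, offset, bo):
    """Return {tag: (type, count, value_or_offset, position_of_inline_value)}."""
    count = struct.unpack_from(bo + "H", tiff, offset)[0]
    entries = {}
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n, val = struct.unpack_from(bo + "HHII", tiff, pos)
        entries[tag] = (typ, n, val, pos + 8)
    return entries


def _value(tiff, bo, typ, n, val, inline_pos):
    if typ == TYPE_ASCII:
        # values of 4 bytes or fewer are stored inside the 12-byte entry itself
        raw = tiff[inline_pos:inline_pos + n] if n <= 4 else tiff[val:val + n]
        return raw.rstrip(b"\0").decode("ascii")
    if typ == TYPE_RATIONAL:
        nums = struct.unpack_from(bo + "II" * n, tiff, val)
        out = []
        for i in range(n):
            num, den = nums[2 * i], nums[2 * i + 1]
            if den == 0:
                raise ValueError("malformed rational in GPS IFD")
            out.append(num / den)
        return out
    raise ValueError("unexpected EXIF type %d" % typ)


def _dms_to_decimal(dms, ref):
    d, m, s = dms
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def _gps_from_tiff(tiff):
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]          # byte order declared by the TIFF header
    ifd0 = _read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
    if EXIF_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(tiff, ifd0[EXIF_GPS_IFD][2], bo)
    if any(tag not in gps for tag in GPS_TAGS):
        return None
    f = {name: _value(tiff, bo, *gps[tag]) for tag, name in GPS_TAGS.items()}
    return (_dms_to_decimal(f["lat"], f["lat_ref"]), _dms_to_decimal(f["lon"], f["lon_ref"]))


def extract_gps(jpeg):
    """Return (lat, lon) from the Exif APP1 segment, or None if the file carries no geotag."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker in (0xFFD9, 0xFFDA):               # end of image / start of scan: no more headers
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return _gps_from_tiff(jpeg[pos + 10:pos + 2 + length])
        pos += 2 + length
    return None


def build_geotagged_jpeg(lat, lon):
    """Constructed test input: a JPEG header with an Exif GPS block and no image data."""
    def dms(v):
        v = abs(v)
        d = int(v)
        m = int((v - d) * 60)
        s = round(((v - d) * 60 - m) * 60 * 100)
        return struct.pack(">IIIIII", d, 1, m, 1, s, 100)   # three rationals: deg, min, sec/100

    lat_ref = b"N" if lat >= 0 else b"S"
    lon_ref = b"E" if lon >= 0 else b"W"
    gps_off = 8 + 2 + 12 + 4                      # TIFF header + one-entry IFD0
    lat_off = gps_off + 2 + 4 * 12 + 4            # right after the four-entry GPS IFD
    lon_off = lat_off + 24
    ifd0 = (struct.pack(">H", 1) + struct.pack(">HHII", EXIF_GPS_IFD, TYPE_LONG, 1, gps_off)
            + struct.pack(">I", 0))
    gps = (struct.pack(">H", 4)
           + struct.pack(">HHI", 1, TYPE_ASCII, 2) + lat_ref + b"\0\0\0"
           + struct.pack(">HHII", 2, TYPE_RATIONAL, 3, lat_off)
           + struct.pack(">HHI", 3, TYPE_ASCII, 2) + lon_ref + b"\0\0\0"
           + struct.pack(">HHII", 4, TYPE_RATIONAL, 3, lon_off)
           + struct.pack(">I", 0))
    tiff = b"MM" + struct.pack(">HI", 42, 8) + ifd0 + gps + dms(lat) + dms(lon)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Running `extract_gps` over a photo before it is uploaded tells you whether the device wrote a location into it; a file that returns `None` carries no GPS sub-IFD, which is the state a stripping tool should leave behind.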
4. “Hacking” Passwords and “Breaking” Encryption
These two movie myths go hand-in-hand, as the stereotypical, really difficult objective that hackers are somehow easily able to accomplish. In reality, with some advance planning and a slightly above-average skill set, a typical “power user” can create an encrypted file or password so convoluted that it would take hundreds of years to decrypt, even using the “supercomputer” resources you often see in movies. Nevertheless, we often see the gifted hacker liberate protected information in a matter of minutes.
4.1. Myth: “Hacking” Passwords
In the movies, the hacker runs a brute-force password cracking algorithm. The program tries random combinations, until each digit or letter “locks on”, and eventually the password is revealed, and the hacker gains access to the target’s computer.
In reality, password cracking programs do exist, but let’s get the facts straight:
- Passwords typically consist of uppercase and lowercase letters, numbers, and symbols. Each position in the password, called a “character”, can hold any one of 26 (lowercase) + 26 (uppercase) + 10 (digits) + 10 (symbols) = 72 possible symbols.
An eight character password has 72^8 possible combinations, meaning just over 722 trillion combinations.
- Each password attempt takes a little bit of time to test whether the authentication is successful or not. If we say that each attempt takes 1 second, meaning 3,600 attempts per hour, it would take 22 million years to test every combination. If the password you seek is near the middle, 11 million years is still a very long time to wait! Most systems use a stand-off timeout to prevent this type of attack – meaning, you must wait a specified period of time, usually just a few seconds, before attempting the next password.
- Most people make poor password choices. They use birthdays, anniversaries, the names of spouses, children, pets and sports teams, and even their ATM PIN as a password. They also often reuse the same password for multiple purposes, for example using an ATM PIN as a voicemail password, or an e-mail password for a bank account. Poor password hygiene creates a situation where compromising one system yields a password that can be used to attack another, completely different system.
- Hackers use long lists of common words, called “dictionaries”, to attempt more likely combinations without having to try every possible combination. Knowing the subject’s personal information allows an attacker to build a more accurate dictionary containing details the subject is likely to be using as a password.
- A common method of constructing passwords is to take a word, name, or number, and then change some of its characters to numbers or symbols, switch upper and lowercase, and perhaps add some digits to the end. As an example, “baseball” might become “bA$3b4ll96”. A good password cracking program will try common number / symbol substitutions for every dictionary word. With a 100,000-word dictionary, that might add another 100 substitutions per word, for a total of 10,000,000 combinations. NOW, at one attempt per second, we are in the realm of 115 days!
- Passwords are typically stored internally as a cryptographic hash. For more information about password hashing, read this:
The password hacking process can be significantly accelerated by extracting the hash table from an application or operating system. The password hacking program can then simply attempt to take each password candidate, and obtain the hash code. If the resulting hash code matches the target’s entry in the hash table, then the candidate is the correct password. The advantage of having direct access to the hash table means that hundreds of attempts can be made at the same time. With access to the hash table, 115 days shrinks to 27 hours, and simple passwords can be “cracked” in as little as a few minutes!
This might seem like a real benefit, but each operating system or application closely guards the password hash table. This means that the core operating system or application must be compromised in order to even get to the hash table! There is a significant amount of work involved, and it doesn’t happen quickly. The good news is that once a password hash is cracked, it will most likely be usable on other systems – most people use the same passwords for everything.
- People familiar with Information Security, which includes both the good guys AND the bad guys, can easily construct a password complex enough that, even with access to the hash table, a brute-force attack (trying all combinations) would be required. It would be trivial to construct a non-dictionary 12 character password that is one possibility among 19 x 10^21 (19 sextillion, or billion-trillion) combinations, requiring a supercomputer running for hundreds of years to crack.
- In the movies, you often see password cracking programs “lock” one digit at a time. The concept is that each known digit exponentially reduces the number of remaining combinations. Because of hashing and other mechanisms in play, an attacker would have no way of knowing whether a specific digit value / position was correct or not – they will still have to try every combination. The concept of “locking a digit” probably originates from World War II-era code breaking, where, looking at both the input AND the output, you may be able to determine ONE letter at a time until all are correct.
Password hacking programs DO exist, and can be helpful for cracking simple passwords. Complex passwords might take too long to crack, for cracking to be feasible.
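The arithmetic above, and the dictionary-plus-substitution attack against an extracted hash table that the list describes, as an added example that is not code from the original article. The substitution table, the three case forms and the two-digit suffix are a deliberately small stand-in for real cracking rule sets (an assumption of this example), and the sample hash table is constructed with unsalted SHA-256 so that the lookup is visible; the user names and passwords in it are made up.

```python
import hashlib
import itertools

ALPHABET_SIZE = 26 + 26 + 10 + 10          # the article's 72-symbol character set
SECONDS_PER_YEAR = 365 * 24 * 3600

# Assumed substitution table: a small subset of what real cracking rule sets apply.
SUBSTITUTIONS = {"a": "4@", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "$5"}
SUFFIXES = [""] + ["%02d" % n for n in range(100)]   # nothing, or a two-digit year/number


def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of distinct passwords of the given length drawn from the alphabet."""
    return alphabet ** length


def brute_force_years(length, attempts_per_second):
    """Years needed to try every combination at a fixed guess rate."""
    return keyspace(length) / attempts_per_second / SECONDS_PER_YEAR


def variants(word):
    """Candidates a dictionary attack derives from one word: three case forms,
    every combination of the substitutions above, and an optional numeric suffix."""
    out = []
    for base in (word.lower(), word.capitalize(), word.upper()):
        options = [[c] + list(SUBSTITUTIONS.get(c.lower(), "")) for c in base]
        for combo in itertools.product(*options):
            stem = "".join(combo)
            out.extend(stem + suffix for suffix in SUFFIXES)
    return out


def crack_hash_table(hash_table, wordlist, algo="sha256"):
    """hash_table maps username -> hex digest of an UNSALTED hash.
    Returns {username: recovered_password} for every entry the mangled wordlist hits.
    Each candidate is hashed once and looked up against every user at the same time,
    which is the speed-up the article attributes to having the table in hand."""
    by_digest = {digest: user for user, digest in hash_table.items()}
    found = {}
    for word in wordlist:
        for candidate in variants(word):
            digest = hashlib.new(algo, candidate.encode()).hexdigest()
            if digest in by_digest:
                found[by_digest[digest]] = candidate
                if len(found) == len(by_digest):
                    return found
    return found


def sample_hash_table():
    """Constructed table: one mangled dictionary password, one that is not word-derived."""
    return {user: hashlib.sha256(pw.encode()).hexdigest()
            for user, pw in (("alice", "B4$3ball96"), ("bob", "Xq7!mT2#pL9v"))}
```

The same `variants` function doubles as a self-check: if a password you are about to choose appears in `variants(word)` for any common word, it is a few hundred thousand guesses away, not trillions. The entry for "bob" is never recovered, which is the 12-character non-dictionary case from the text.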
4.2. Real-world Tactics for Password Compromise
Although cracking someone’s password requires a lot of time and effort, there are several real-world password compromise tactics:
- Social Engineering. Social engineering is the process of compromising people so that they disclose information. It involves “pretexting” (presenting a convincing but false situation) and persuasion, so that the target feels compelled to follow instructions, or tries to help out by providing the information. The classic example of social engineering is to call the target, claiming to be from their company’s IT department. The “fake” IT department provides some basic details in order to sound convincing, and claims that there is a problem with the target’s computer. In the process of “fixing” the problem, the attacker asks for the target’s password. Social engineering is most effective when the attacker has some knowledge of the organization as well as the target.
- Fake password screen. Like social engineering, a familiar-looking web site or login screen can be built that simply stores the username / password entered, displays an error, and forwards the target to the real login page. If done well, the target never knows they just divulged their real user name and password. Many phishing e-mails take this approach, asking for credit card or bank account information. This seems really simple, but it can be quite effective. How many times have you failed to log in to e-mail, thinking “I KNOW I typed my password correctly”? Unfortunately, some level of compromise is usually required first: anything from redirecting DNS (the service that looks up names to find IP addresses), to standing up a fake web site, to custom software that must be loaded on the target PC.
- Packet capture. Information on any network is broken up into small bundles, called “packets”, that are transmitted individually and then reassembled in the correct order. Special packet capture software, called “sniffer” software, can be used on wired or wireless networks to capture data packets as they are sent or received. When you log in to a website, your user name and password are transmitted, and can be captured UNLESS the website uses encryption. Although virtually every internet-facing application provides “secure” (encrypted) login capability, many corporate applications assume they are inside a secure perimeter, and don’t require authentication to be encrypted! This means that sniffer software connected almost anywhere on a corporate network will often yield some cleartext password information.
Although “cracking” a user’s password in realtime is just a myth, there are some real-world tools and tactics that can be used to compromise a user’s password.
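A defender’s version of the packet capture point, as an added example that is not from the article: given HTTP requests reassembled from a capture on an unencrypted segment, report where credentials travel in the clear (HTTP Basic authentication and password-like form fields) without echoing the secret itself. The host name, accounts, request bodies and the field-name pattern are constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qs

# Assumed pattern for form fields that usually carry a secret.
SECRET_FIELD = re.compile(r"pass|pwd|secret|token", re.I)


def parse_request(raw):
    """Split one HTTP/1.1 request (as a sniffer would reassemble it) into its parts."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def cleartext_credentials(raw):
    """Report credentials carried in the clear as (kind, identifier) pairs.
    The secret itself is never returned, only where it was found and for which account."""
    method, target, headers, body = parse_request(raw)
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8", "replace")
        except ValueError:
            decoded = ""                      # malformed token: still worth flagging
        findings.append(("basic-auth", decoded.split(":", 1)[0]))
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for field in parse_qs(body, keep_blank_values=True):
            if SECRET_FIELD.search(field):
                findings.append(("form-field", field))
    return findings


def scan_capture(requests):
    """Run the check over a list of captured requests; returns (request_index, finding)."""
    return [(i, f) for i, raw in enumerate(requests) for f in cleartext_credentials(raw)]


# Constructed sample capture: three requests as seen on an unencrypted network segment.
SAMPLE_CAPTURE = [
    "GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "GET /reports/ HTTP/1.1\r\nHost: intranet.example\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:hunter2").decode() + "\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 28\r\n\r\n"
    "username=bob&password=s3cret",
]
```

Every hit from `scan_capture` is an application that should be moved behind TLS; the output is deliberately limited to the account name and the field, so the audit report itself does not become a second copy of the passwords.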
4.3. Myth: “Breaking” Encryption
Encryption is a way to protect data, by systematically scrambling it, in such a way that it can later be unscrambled. Encryption uses a cipher (the encryption algorithm), with the “cleartext”, or unencrypted data and an encryption key as input, resulting in “ciphertext”, or encrypted data. Depending on the cipher, either the same key may be required (symmetric encryption), or a different key may be required (asymmetric encryption) to reverse the encryption process, and reproduce the cleartext data.
For more information regarding encryption, please read this article:
In the movies, the good guys obtain the villain’s files, outlining his master plan. The files are encrypted! The intrepid hacker starts to “decrypt” the files, and in just a few hours (or minutes!), the hero gets the critical information, just in the nick of time!
Encryption strength is typically expressed in terms of the key length, such as “256-bit” encryption. From a hacker’s standpoint, encryption is expressed in terms of the amount of computing power required to break it. Moore’s Law dictates that computing power doubles periodically, meaning that older encryption algorithms (called ciphers) can be broken via brute force using more modern computing capabilities, where many thousands (or millions) of combinations can be attempted every second.
For this reason, encryption is a cat-and-mouse game, where increasingly-complex ciphers can be attacked by ever-increasing computing power, thus necessitating newer, more sophisticated ciphers, which in turn require more powerful computers to break, etc…
Here are some key points about encryption:
- One of the oldest computer ciphers, called “DES” (US DoD Data Encryption Standard), was developed in the 1970’s, and was in common use from the late 70’s through the 90’s. DES has a symmetric key length of 56 bits, and was publicly cracked in 1997. By 1999, DES could be cracked in 22 hours, using massively-parallel computing.
- A complex form of DES, called Triple DES (also called 3DES), uses three nested DES encryptions (two forward, one in reverse), for a total key length of 56 x 3 = 168 bits. Because the output of each layer is itself ciphertext, there is no clear indication when an outer layer has been compromised, so all three layers must be cracked in parallel. Although this provided some level of security over DES, it highlighted the need for a newer standard. 3DES was never publicly compromised in a reasonable amount of time. With the advent of AES in 2002, 3DES was officially deprecated in 2005.
- AES, the “Advanced Encryption Standard”, was introduced as a standard in 2002 to replace the use of DES and 3DES. AES uses various key lengths, from 128 bits, up to 1024 bits, with the most common key length being 256 bits. When AES is used, it typically includes a reference to the key length used, such as AES-256 to indicate the AES cipher using a 256-bit symmetric key. AES began as a contest hosted by the U.S. government to select a replacement cipher for DES. The winning algorithm, Rijndael, is now known as AES. Other AES candidates, such as Blowfish, and its successor Twofish, as well as Serpent are in common use, although not officially recognized as standards.
- RSA owns the patents on the world’s most popular public-key cipher, RC4. Replacing RC2, RC4 uses large integer factors as separate parts of the encryption key, allowing “public key” encryption – the ability to openly publish the “public” key, without the ability to decrypt the data using the same key. This type of cipher is known as an asymmetric cipher, where a different (secret / private) key is used to decrypt the data. Encrypting in reverse, where the secret key is used to encrypt data, allows anyone with the public key to decrypt the data, which is used as a digital signature mechanism. RSA algorithms, although no longer considered cryptographically-secure, are still used as the signature mechanism to exchange the “inner” symmetric key used by other ciphers, and to guarantee authenticity.
- Salt data is a known, fixed value used to further randomize the source data before being encrypted. When decrypted, the salt data is removed and discarded. Using large, complex salt values makes statistical attacks more complex, and therefore increases the required computing power.
- Entropy, a source of random data, is typically used to generate encryption keys. Examples of entropy sources are the instantaneous temperature measurement of a computer’s CPU, mouse movement, or the speed of the fan. If a pseudorandom source is used in place of a true entropy source, the resulting keys can often be predictable.
Even under conditions ideal for the attacker, such as small key sizes and weak encryption keys, it could take months or years to “break” encryption using a brute force attack.
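Salt and entropy as a practitioner meets them most often, in password storage and in key generation, as an added example that is not from the article. It assumes PBKDF2-HMAC-SHA256 from Python’s standard library for the salted, iterated hash, a 16-bit seed space for the weak-key demonstration so that the search runs in well under a second, and constructed wordlists, passwords and fingerprint format.

```python
import hashlib
import hmac
import os
import random
import secrets

ITERATIONS = 100_000   # PBKDF2 work factor: every guess costs the attacker this many rounds


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256). Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)          # a fresh random salt per password, from the OS entropy pool
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def precomputed_table(wordlist):
    """What an attacker prepares once for UNSALTED storage: digest -> password."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}


def table_hits(password, wordlist):
    """Returns (hit_unsalted, hit_salted): whether a table precomputed from the wordlist
    finds the password when it is stored as a bare SHA-256 versus hashed together with
    a random salt. The salted case misses because the table would have to be rebuilt
    for every user's salt, which is the extra computing the article refers to."""
    table = precomputed_table(wordlist)
    unsalted = hashlib.sha256(password.encode()).hexdigest()
    salt = os.urandom(16)
    salted = hashlib.sha256(salt + password.encode()).hexdigest()
    return unsalted in table, salted in table


def weak_key(seed):
    """Key drawn from a seeded pseudorandom generator: fully determined by the seed."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")


def strong_key():
    """Key from the OS entropy source, which is what key generation should use."""
    return secrets.token_bytes(16)


def key_fingerprint(key):
    """A public identifier for a key (constructed for the example): first 8 bytes of SHA-256."""
    return hashlib.sha256(key).digest()[:8]


def recover_weak_key(fingerprint, seed_bits=16):
    """Find a weak key from its fingerprint by walking the seed space. The 16-bit space is
    an assumption that keeps the search fast; the lesson is that the key is only as strong
    as the entropy behind the seed, no matter how many bits the key itself has."""
    for seed in range(1 << seed_bits):
        key = weak_key(seed)
        if key_fingerprint(key) == fingerprint:
            return key
    return None
```

Two things to take from running it: two users with the same password get different digests, so one cracked entry says nothing about the other; and a 128-bit key produced from a 16-bit seed is recovered by trying 65,536 seeds, whereas one from `secrets` is not.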
Many ciphers have known weaknesses, and can be attacked using statistical analysis – such as using very small encryption keys, very small data values, or very large quantities of data, to analyze how the cipher behaves. This can often lead to a mathematical toolbox that can be used as a shortcut to breaking certain ciphers under certain conditions, reducing the time to hours or days required to deduce the key and obtain the underlying data.
When following best practices, even a simple cipher can be nearly unbreakable. Each software vendor implements encryption differently, even though the ciphers are standard. While taking shortcuts can lead to unintended vulnerabilities, following best practices ensures that even older ciphers can be used with relative security. Longer key lengths, longer salt data values, more encryption iterations, and using true entropy sources for key generation all help increase complexity, requiring increasing computing resources in order to mount a realistic attack.
Decrypting the villain’s files isn’t going to happen quickly. Any kind of realistic attack would require near-supercomputing capability, advanced mathematical knowledge outside of a “hacker’s” purview, and a tool set tailored to each cipher.
4.4. Common Uses of Encryption
Most movies or TV shows that use encryption as a plot device also include a healthy dose of technobabble to go along with it.
There are two basic modes of encryption:
- Storage encryption is used to encrypt data at rest, meaning data stored on any kind of media. Modern computers are powerful enough to allow encryption / decryption to occur as the data is read or written, called real-time or “on the fly” encryption. Other forms of encryption explicitly perform the encryption / decryption process on a whole file, set of files, memory stick, data disc, or hard drive; this transformation (or “locker”) style of encryption is better suited for sharing data, or for data that needs to be accessed infrequently.
- Transmission encryption is used to protect data being sent or received, by encrypting the network transmission or communication lines used to transmit the data. Transmission encryption usually happens in real-time, where each data block is encrypted, then transmitted, and immediately decrypted before being handed off to the receiving program or process.
Here are some common encryption uses and implementations:
- Whole-disk encryption uses real-time storage encryption to protect a computer’s hard drive. When the computer first starts, the user enters a password or other encryption key into a small boot loader program, which then loads the main operating system from the encrypted drive. All of the user’s files and folders are explicitly encrypted, and the encryption program decrypts them on the fly as they are read or written. If someone steals the drive, they can’t access the files, but any process acting as the operating system or running within the operating system can effectively bypass the encryption! A carefully-crafted virus or script could slowly steal data from a whole-disk encrypted drive by running in the background and slowly siphoning files from the drive.
- Locker-based encryption operates on a file or group of files / folders, where they are stored in a single archive or “locker” file. Using the file requires extracting it from the locker file to the regular file system. If modified, the file must be added back to the encrypted locker. Opening the locker file, or extracting or updating files, prompts the user for a password, which is used as the encryption key. Examples of this are ZIP and RAR files, which make sharing encrypted files very easy: the recipient only needs commonly-available software and a password to access the files.
- Media encryption, similar to whole-disk encryption, allows memory sticks, memory cards, data discs, data tapes, and removable hard drives to be encrypted in real-time, but like locker-based encryption, typically have some mechanism for sharing the media – for example, you could mail an encrypted memory stick to the recipient, who uses the memory stick’s encryption software plus a password to access the data.
- Hardware encryption often uses a fingerprint scanner or PIN pad on a computer or removable media device, providing real-time encryption without requiring the computer to run special software. Each time the device is turned on or attached, the user must unlock it. Most hardware encryption devices are physically hardened to prevent tampering or bypassing the encryption mechanism. Typically, these devices are potted in epoxy resin, so that removing it takes enough force to damage the device in the process.
- An encrypted tunnel is a general-purpose method for encrypting a communication channel. Encrypted tunnels can be used to secure physical communication lines, or in conjunction with other protocols to provide an encrypted link over a private network. Encrypted tunnels can be nested two or more layers deep for increased security.
- Virtual Private Network (VPN), a type of transmission-based encryption, allows two computers to communicate securely over a public network, using encrypted tunnels. VPN allows you to access your company’s computer systems when you work from home, and makes it seem like your remote laptop is connected directly to your company’s network.
- Secure Sockets Layer (SSL) / Transport Layer Security (TLS) create a single encrypted channel over a TCP/IP connection. SSL/TLS allows older, insecure protocols to be easily secured, and is the method by which most secure web traffic is encrypted.
- Pretty Good Privacy (PGP) protects a single file, or specific text within a message. PGP allows encrypted text or an encrypted file to be sent through e-mail, or to be transmitted using File Transfer Protocol (FTP). PGP is typically used by power users and / or network administrators, rather than regular users. PGP can be used to further convolute or encrypt an already-encrypted file. Because PGP uses a public key scheme, it can also be used for digital signing and authenticity – you can “sign” a document using your PGP private key.
- Digital Rights Management (DRM) is used by Blu-ray and DVD discs, as well as many digital-only distribution channels (portable video formats, MP3 audio), to ensure that only a valid subscriber has access to the content. A set of keys is maintained to prevent other users from accessing the content. DRM-like technologies can also be used to create “erasable” e-mail and other ephemeral content, because deleting the key removes the user’s ability to view the content.
There are a variety of encryption technologies in common use, many of which we use every day without realizing it.
4.5. Real-world Methods for Attacking Encryption
Encryption can be a powerful tool to help protect information from falling into the wrong (or right) hands!
All encryption technologies have several real-world weaknesses:
- The data must be used. All data is vulnerable at the point where the user views the encrypted content – you can always take a picture of a computer monitor, or steal text that’s been printed on a printer, AFTER the user has decrypted it.
- People are easier to hack than encryption. Social Engineering is the science of hacking people: tricking them into doing something specific, or revealing specific information. People are often much easier to hack than machines, meaning that if you have a copy of an encrypted file, you might be able to trick someone into giving you the password.
- Biometric keys can be faked. Hardware encryption that leverages a fingerprint reader, for example, can be tricked into working by using a fake fingerprint.
- Weak encryption CAN be “broken”. Using weak or non-standard ciphers puts the data at risk. Likewise, using weak, short, or predictable passwords makes the job of “breaking” encryption, simply a matter of hacking the password.
- All well-known ciphers have weaknesses. Although a brute-force attack on encrypted data might require a cipher-specific tool set, and advanced mathematical knowledge to use the tools, it might still take weeks or months to actually be able to decrypt an actual data file, under some very specific assumptions. E.g. salt values must be obtained or known, and there must be a sufficient quantity of data to facilitate statistical analysis. If the data has a high enough value, throwing time and resources at decrypting it, might be fruitful.
Knowing your target, and knowing the data can facilitate an attack that does not require knowledge of the decryption key, nor decrypting the content. Unfortunately, “breaking” the villain’s encryption doesn’t happen in a few minutes, with a few simple keystrokes.
5. “Hacking” involves writing a script or program
In the movies, the intrepid hacker is given the task of “hacking in” to a bank or government system, to obtain some secret information. The hacker “writes” a script or program that hacks in to the target system.
Let’s start by making sure we have our facts straight, about what it means to “hack in” to a company:
- Most companies and governments use similar security architectures. Actually, for banks and other entities that are regulated by the government, the government dictates the necessary security architecture, at a high level.
- A typical network security architecture consists of one or more firewalls separating the web servers from the internet, and then the web servers from the rest of the internal network. In addition to firewalls, most companies use Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) to detect and / or directly stop a hacking attempt. On the internal network, critical systems, such as a credit card payment system, are further segregated by additional firewalls, or for highly-sensitive data, air gaps are used (an air gap is a physically-isolated network, accessible ONLY within the facility).
- A firewall is a hardened device, specifically designed to segregate a “trusted” network from an untrusted one. Each firewall has a set of rules defined, which allows legitimate traffic, while disallowing any other traffic.
- Bypassing a firewall consists of either scanning available ports to determine what services are available through the firewall, then transmitting malicious data to a server, or tricking a server / workstation inside the firewall to connect to a malicious website.
- Unlike governments and large companies, many small businesses don’t always follow best practices. One type of attack, called SQL injection, allows the attacker to run an arbitrary database query via the web server!
- Once a server is compromised, finding specific information, such as a document, or specific database, requires advanced knowledge of the company’s internal network. This process, called “scouting”, could take days or weeks. Once the target information is identified, and the servers hosting the information have been discovered, the hacker must have valid credentials in order to be able to log in to the server or database, to retrieve the information.
- The most successful type of attack, called a “low and slow” attack, consists of multiple steps taken over weeks or months, to scout the target’s network, find and execute an exploit, scout the internal network, obtain credentials, and finally, download the files. The final step is to upload, or push the information off of the target’s network to some external location – all of this has to be done in such a manner that it does not trigger suspicion, nor trigger an Intrusion Detection System (IDS) alert. For example: if, during this process, someone finds that their own password has been changed, that’s an automatic trigger to look for other suspicious activity. If someone finds confidential documents on a public-facing server, that’s going to trigger suspicion. If your attack gets detected by the IDS, or discovered by the network security folks, they might either shut you down completely, or call the Feds!
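An added example, not from the article, of the SQL injection defect mentioned in the list above, placed beside the parameterized query that removes it, against a constructed in-memory SQLite table; the user names, roles, placeholder hashes and the injected string are made up for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a web application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "<hash placeholder>", "admin"),
                      ("bob", "<hash placeholder>", "user")])
    return conn


def lookup_user_vulnerable(conn, username):
    """The defect: the request value is pasted into the SQL text, so a value containing
    a quote character rewrites the query instead of being compared as data."""
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """The fix: a parameterized query. The driver sends the value separately from the
    SQL text, so it can only ever be compared against the column, never executed."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


# Classic tautology, constructed as test input: the web server's own database
# connection answers with every row rather than the one user that was asked for.
INJECTION = "x' OR '1'='1"
```

The vulnerable and safe versions behave identically for ordinary input, which is why the defect survives testing; the difference only shows on the crafted value, where the safe version correctly returns no rows.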
Most “hacking” tools (commonly known as “network penetration” tools) are completely automated. There are a few tools that require special knowledge of the environment or servers, but most tools are generic enough that all someone has to do is click “go”. Other, more detailed tools contain a suite of known exploits that can be focused on a specific target, once the scanning tools have identified a potential entry point.
Most companies run these tools (vulnerability scanners) against their own network, to make sure they are protected!
Once again, the best approach is to compromise people, not systems.
- People take data home with them, even if they’re not supposed to.
- People can be tricked into resetting a password or divulging a system name.
- People can be tricked into running malware / spyware, in order to create an exploitable weakness.
- People can be bribed or coerced into stealing data – this can be done via memory stick, or even simply by uploading it to a public website.
- In one famous case, a telecom employee was tricked into cross-connecting an isolated network to a public one!
- People often break policy by writing down passwords, or connecting insecure wireless routers to corporate networks.
In addition to the above, careless administrators might be publishing more information than they intend. A marketing website might contain product specifications that should ONLY be available to current customers, but if external sites like Google CAN index that “private” content, they will! Often, a simple Google search will allow you to download a copy of the information you need.
Example: You are looking for the Deathstar plans. Try this Google search:
Unfortunately, you can use this type of “Google attack” against many companies that don’t follow their own procedures for publishing content – often, internal or sensitive content will get published to an external server either inadvertently or for convenience. This type of search is easy to do, and no “hacking” or social engineering is required.
Even though showing lines of code scroll past the screen looks cool in movies, the reality is quite different. “Hacking in” to a company involves a lot of time and knowledge about the environment, while social engineering or Google attacks might be faster and more fruitful.
5.1. Real-world Scripts
Scripts are lightweight programs that don’t have to be compiled in order to run on the target system. They usually consist only of text, and therefore, a hacker can use cut and paste to install one, without having to install additional executable software that might cause suspicion.
Here are some things that CAN be done with scripts in the real world:
- Batch updates. If you have multiple servers, users, firewalls, or routers, and you want to make the same change to each one, you can script the change, and then have an “outer” script loop through each one, calling the “inner” script to actually perform the change. So let’s say the hacker did manage to gain access to SomeCompany’s network, and managed to obtain a privileged account. The hacker could write a small script to update everyone’s user profile to include “I am a dork” in the description field. He / she could also use a script to copy exploit code to a list of known servers.
- Data normalization. When you get a raw dump of textual information, it often needs to be formatted before you can do anything useful with it. I typically use command-line tools to make a first pass at the data, to eliminate things I clearly DON’T want, and to clean up the formatting as best I can. I then use higher-level tools like spreadsheets and databases to actually break the data into fields and work with it.
- Database queries. Most databases use a query language called SQL (Structured Query Language) to interact with and manipulate data. SQL can often be quite complex, and looks like a script.
- Triggers. A script can be set up to stay hidden until a particular event occurs. When the desired event happens, the system can be configured to fire off a script – for example, to log when a user connects to the system, or alert an administrator when the system runs low on memory. Trigger scripts can be added by a hacker, for malicious purposes. For example, a hacker might trigger an alert when a specific user logs in, to try to watch what the user is accessing, or to attempt to hijack the user’s session. Another example is a trigger script that gives the hacker a user account with administrative access, when an administrative user logs in to the system.
Scripts are a valid tool in the hacker’s toolbox, but they are not commonly, let alone ubiquitously, used.
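As an added example that is not from the article, the data normalization and trigger items above applied together from the defender’s side: constructed sshd-style log lines (using documentation IP ranges) are normalized into fields, then two trigger rules run over them, one firing on a successful login by a watched account and one on a burst of failed logins from a single address. The function names, the threshold and the watch list are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample log in the syslog format sshd writes; addresses are from
# documentation ranges and the host, times and accounts are made up.
SAMPLE_LOG = """\
Mar 12 09:14:02 host1 sshd[2101]: Failed password for invalid user test from 203.0.113.7 port 51234 ssh2
Mar 12 09:14:05 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar 12 09:14:09 host1 sshd[2101]: Failed password for admin from 203.0.113.7 port 51236 ssh2
Mar 12 09:14:40 host1 sshd[2133]: Failed password for bob from 198.51.100.9 port 40210 ssh2
Mar 12 09:15:01 host1 sshd[2150]: Accepted publickey for admin from 198.51.100.4 port 40022 ssh2
Mar 12 09:15:30 host1 CRON[2160]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 09:16:12 host1 sshd[2171]: Accepted password for bob from 198.51.100.9 port 40250 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_events(text):
    """Data normalization: turn raw lines into field dictionaries; lines from other
    programs (the CRON entry above) are dropped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def watched_user_logins(events, watched=("admin", "root")):
    """Trigger 1: fire when an account on the watch list logs in successfully."""
    return [(e["ts"], e["user"], e["ip"]) for e in events
            if e["outcome"] == "Accepted" and e["user"] in watched]


def failed_login_bursts(events, threshold=3):
    """Trigger 2: fire for any source address with `threshold` or more failed attempts."""
    failures = Counter(e["ip"] for e in events if e["outcome"] == "Failed")
    return {ip: n for ip, n in failures.items() if n >= threshold}


def run_triggers(text):
    """Normalize, then evaluate both rules; returns what an alerting hook would be handed."""
    events = parse_events(text)
    return {"admin_logins": watched_user_logins(events),
            "failed_bursts": failed_login_bursts(events)}
```

The shape is the same one the article attributes to a malicious trigger (wait for an event, then act), which is why the login hooks on a system deserve the same review as its cron jobs: anything that fires on "an administrative user logs in" should be something the administrators put there.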
Bluejacking means pairing a mobile device with the target’s cell phone, tablet or laptop, via the bluetooth protocol, without the user’s knowledge.
In the movies, the hacker sits at the next table over, while the villain (or mark) sips his coffee at a cafe. With a few clicks, the hacker has “linked” their phones, allowing the hacker to listen to calls, access call logs, download pictures, and perform other types of movie magic.
When bluetooth was first implemented on cell phones and mobile devices, it was turned on, by default, to discover (and possibly pair with) any device. When this vulnerability was discovered, manufacturers and vendors quickly adjusted the default settings to be much more secure. On a typical device with default settings, the user must hit a discover button, or make the device discoverable, in order to pair with another device. If an attacker tried to jump in at that exact time, the user would see the attacker’s device listed, and could simply decline the connection. Likewise, there is no way to remotely force the target’s cell phone to pair with a remote device – this must be initiated from the target’s device (not the other way around).
Assuming that the attacker does manage to pair his phone with the target’s phone (let’s say he “borrows” the phone and pairs it manually), there are a few more logistical problems:
- Most cell phones only support one audio channel at a time. For example, if you already have a bluetooth headset, and you add another, only one will be active. If you activate the second one, it will disable the first one. This makes it impossible to use your phone normally, while someone is spying on you using bluetooth, because only one of you would actually hear the conversation.
- Bluetooth works within a range of about 30 feet. That’s about 15 steps. Or about 10 umbrella steps. Unless you practically walk around in someone’s shadow all day, the chances are high that you will lose the bluetooth connection at some point.
- Bluetooth supports different capabilities for different devices. Not all devices support every capability. Not every phone can share contacts, intercept text messages, or share files via bluetooth. Assuming that the user’s phone supports advanced bluetooth features, invoking various functions usually prompts the user, so the chances of downloading information from the target’s phone undetected are slim!
Bluejacking the target’s phone is not very realistic, nor very useful.
There are some real-world tactics to attack and exploit cell phones:
- WiFi evil twin. Unsecured wireless networks can be cloned, forcing all of the phone’s data access to flow through the “evil twin” access point. This can be used to surveil the target, or direct the user to a malicious website. In some cases, this type of connection will allow limited access to data on the target’s cell phone. Any cleartext voice-over-data communications can also be monitored – any Voice over IP (VoIP) application that doesn’t use SSL / TLS encryption sends and receives voice data that can be intercepted, stored, and decoded. WiFi has a range of 100 feet to over 800 feet, depending upon several factors, including line of sight.
- Malicious application. Either in the guise of a troubleshooting app, a game, or some other useful app, a malicious application can masquerade as a legitimate app while monitoring phone calls, text messages, call logs, web access, and even uploading the user’s files. Several “professional” grade spyware suites exist, to accomplish this very task. In most cases, the user must willingly download the app and accept the necessary permissions, allowing the user to at least contemplate whether to allow the application to continue.
- Poisoned e-mail / text message. Used as a “phishing” tactic, the message might contain a link to a malicious website, disguised as a normal message. Alternately, an e-mail might directly contain a malicious payload, to infect or otherwise compromise the target’s phone.
- Steal the phone. Call logs, pictures, text messages, and contacts can generally be accessed by removing the memory card. Sometimes the direct approach is the best approach.
- Malicious Barcode. Surely, you’ve seen the 2D barcodes next to a message that says something like, “scan here for a free coupon!” at your local deli, or on the back of your soft drink cup. These 2D barcodes are called QR codes, and can contain a small amount of data, such as a contact profile, or the link to a website. A malicious QR code could point the target’s phone to a malicious website.
- Near-Field Communication (NFC). A recent development, this technology allows two devices to share information by physically touching. Unlike bluetooth, NFC is enabled by default on smartphones that include it – meaning, you can pass a malicious link or other malicious content just by bumping your phone against the target’s phone.
Bluejacking is unlikely to be successful, is inefficient, and not very fruitful. Other types of cell phone attacks are much more effective.
7. Virtual Reality
In the movies, accessing a computer system is visualized as a 3D virtual interface, with pipes and 2001-like visual effects connecting computers to each other, and browsing for information consists of “moving” through a virtual landscape of physical objects representing files or information, such as file cabinets. Firewalls and other security become “locked doors”, and the worst movie offenders anthropomorphize security controls as “guards”, attack dogs, or other pseudo-living creatures.
Virtual reality consists of these elements:
- Immersive visualization. Either in flat, two dimensions (2D), or with depth (3D), the visualization experience is completely immersive, meaning that you don’t see the real world, because you’re wearing goggles or looking at a room-sized display that completely fills the field of view. Most gaming rigs (high-end personal computers) don’t quite meet the definition of virtual reality, simply because the user is still staring at a monitor.
- Motion tracking. Moving your head or hands moves your field of view.
- Manual controls. You use your hands (with motion tracking) to manipulate the environment.
- Physical feedback. Bumps and vibration built into the virtual gear provide feedback about events in the virtual environment. When you virtually touch something, moving your hand in the real world, your “virtual glove” vibrates to confirm the virtual event – to let you know that you have virtually connected with a virtual object.
Virtual reality is good for the following use cases:
- Visualizing complex structures. Things that can’t normally or efficiently be rendered in two dimensions can be visualized in 3D. Complex 3D structures, as well as higher-dimensional constructs, may not be clear when rendered and displayed on a conventional monitor.
- Telepresence and virtual workgroups. Bringing a user to the work, or multiple users together across multiple geographic locations.
- Remote Control. Piloting drones or performing surgery requires an immersive experience and fast, precise, lifelike controls.
- Gaming. As one of the original use cases for VR, and still a major driver, video games continue to become increasingly realistic and immersive.
Originally, VR gear was heavy, bulky, crude, and power-hungry. Now, devices such as the Oculus Rift promise consumer-obtainable VR with good performance, low power requirements, and decent precision. Controller technology continues to improve, and there are many commercially-available 6DoF (6 Degrees of Freedom) controllers on the market.
Unlike what you see in the movies, outside of the use cases listed above, it’s often easier to use a conventional interface to access programs and information – this is the standard “windowed” interface used by most operating systems on the planet.
8. Camera Systems
Camera systems provide a way to monitor or view a specific area, and are a very visual tool. As a rich source of movie myths, we see a wide variety of visual effects, most of which have nothing to do with how camera systems actually work.
8.1. Mistake: Security Camera Recording Follows the Subject
Beyond being a myth, when you see this in TV shows or movies, it’s an outright mistake!
In the movie, a crime has been committed. The team immediately goes to the security office to view the security camera recordings, and we cut to the camera’s point of view. As we watch the subject commit the crime, our point of view pans to follow the subject!
Cameras absolutely can shift their point of view – these are known as “Pan-Tilt-Zoom” (PTZ) cameras. PTZ cameras must be directly controlled by someone, such as a security guard. Assuming no one was watching the camera at the time the crime was committed, who was controlling the camera? Answer: a healthy dose of Hollywood magic, designed to make the scene more dramatic or interesting.
Some cameras and camera systems provide a small degree of motion tracking, but this is usually either a system of fixed cameras, where motion triggers the computer to “zoom in” to the specific region where the motion was detected, or a parallax motion tracking system that employs ultrasonics or other means of detecting and following the subject. In both cases, the camera’s motion is not smooth, and it often takes quite a bit of movement by the subject before the system reacts. The subject is rarely in the center of the frame.
Any movie scene showing previously-recorded, supposedly fixed camera that “magically” follows the subject is completely fabricated!
8.2. Myth: Camera Zoom
In the movies, the good guys zoom in on a camera freeze-frame multiple times in order to enlarge the suspect, a license plate, or some other important detail. The camera shows the detail with perfect clarity.
Any recording method, including tape, film, or digital, has a specific resolution – the density of pixels (dots) used to compose the image. A printed photograph can have a resolution of hundreds to thousands of pixels per inch, while a digital image, usually measured in megapixels, has a resolution of maybe a hundred pixels per inch. “Megapixels” refers to the total number of dots in the entire image. If an image is 1920 pixels wide by 1280 pixels tall (HD), the resulting image is 2,457,600 pixels, or about 2.5 megapixels. 1920 x 1280 is the resolution of a High Definition camera image – each frame is 2.5 megapixels.
To see any kind of usable detail, you need an image of about 100 pixels by 100 pixels – for example, if a person’s face or a license plate is composed of about 10,000 pixels, then you can see a decent level of detail. If an HD camera covers a 20 foot by 16 foot area, then each square foot of the image consists of about 96 pixels by 96 pixels – meaning you could zoom all the way in, and still see someone’s face or a license plate.
Satellite images, especially from military satellites, are measured in gigapixels (billions of pixels), allowing you to take a picture that covers hundreds of square miles, and zoom in to the level of detail of a license plate. This type of image requires a tremendous amount of storage, and isn’t suitable for real-time recording.
Most camera systems have a much lower resolution, because higher resolutions require more storage space. Most cameras are 640 x 480. The same area (20ft x 16ft) covered by a standard “VGA” camera yields only about 24 pixels per foot, or about 600 pixels per square foot – way too few pixels to view details with any clarity!
Zooming in past the resolution of the camera results in a blurry or pixelated image.
Zooming in from a wide angle view to a very small detailed area is beyond the capability of most camera systems.
8.3. Myth: Focus and Image Enhancement
In the movies, the hero techie zooms in to try to see the villain’s face or license plate, but it’s blurry. A quick “focus” later, and you can see the villain clearly!
Alternate scenario: The hero has a picture of the villain’s face or license plate, but it’s highly-pixelated. The techie runs a quick “image enhancement” routine, and voila! A perfectly-clear picture.
These two myths are closely related, as they both deal with the same fundamental principles.
- Focus is the ability to bring sharpness to an object in the foreground (closer to the camera) vs. the background.
- Most security cameras use pinhole focusing, so that the lens has no specific focal length, meaning everything is in focus, all the time. For PTZ (Pan-Tilt-Zoom) security cameras, zooming in doesn’t result in a loss of focus.
- Focus is only available PRIOR to recording, because it acts on the light entering the camera. Once the image is recorded, it has been written as a set of pixels, and no further manipulation of the light is possible.
- Image enhancement is an algorithm (often called a “filter”) that attempts to estimate detail based on groups of pixels within an image.
- There are entire books written about image enhancement, and hundreds of different techniques. Governments develop proprietary image enhancement methods that can sometimes be closely-guarded state secrets.
- Even the most sophisticated image enhancement filters are simply guessing about what was originally there – you will never be able to reproduce the original detail exactly as it was, if for example, the original detail was removed from the recorded image due to poor resolution.
- Multiple image enhancement filters can be applied to the same image, to enhance different details or they may be applied in sequence, where the output of the first filter is the input of the second filter.
- The most sophisticated image enhancement processes (end to end, using any combination of filters) can ONLY produce an image that approximates 2.5 times the original resolution. So if you have a poor quality picture, where the bad guy’s face is about 20 pixels by 20 pixels (400 pixels, or enough to get a vague likeness, but not enough to see detail), the output, at best would be 50 x 50 (2,500 pixels), meaning, SOME detail will be visible (if the enhancement process was successful), but still less than ideal.
- Image enhancement can be applied to an image prior to recording (“on the fly” enhancement) or afterward.
Focusing an image AFTER it has been recorded is a movie myth. Likewise, the ability to take about 10 pixels and reconstruct a perfectly-clear image is way beyond the capabilities of image enhancement as it exists today.
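Two of the points above, as one added example (illustrative code written for this article, not any camera or editing product’s own routine): the pixel-density arithmetic from the camera zoom section, using the article’s own figures (a 1920 x 1280 HD image and a 640 x 480 VGA image covering a 20 ft x 16 ft area, and the rule of thumb that a face or plate needs about 100 x 100 pixels), followed by a small simulation of why “enhance” cannot bring back detail the recording never captured. The bar test pattern is constructed, and bilinear interpolation stands in for an enhancement filter; the general point (any filter can only estimate from the recorded pixels) holds for more sophisticated filters as well, and the example goes beyond the article in measuring the loss numerically.

```python
"""Added example (not from the article): pixel-density arithmetic for a camera
covering a known area, plus a simulation of "record at low resolution, then
enhance" that measures how much of the original detail is lost.

The test pattern, the camera figures fed in and the interpolation used as a
stand-in for an enhancement filter are all constructed for illustration.
"""
import math
from typing import List, Tuple

Image = List[List[float]]  # greyscale rows of 0..255 values


def pixels_per_foot(res_w: int, res_h: int, area_w_ft: float, area_h_ft: float) -> Tuple[float, float]:
    """Per-axis pixel density when a res_w x res_h camera covers area_w x area_h feet."""
    return res_w / area_w_ft, res_h / area_h_ft


def detail_resolvable(ppf: Tuple[float, float], detail_w_ft: float, detail_h_ft: float,
                      needed_px: int = 100) -> bool:
    """Does a physical detail get at least needed_px pixels on each axis?"""
    return ppf[0] * detail_w_ft >= needed_px and ppf[1] * detail_h_ft >= needed_px


def make_bars(width: int, height: int, bar_px: int = 2) -> Image:
    """Constructed test pattern: vertical black/white bars bar_px wide, standing
    in for the fine strokes of lettering on a plate."""
    return [[255.0 if (x // bar_px) % 2 == 0 else 0.0 for x in range(width)]
            for _ in range(height)]


def box_downsample(img: Image, factor: int) -> Image:
    """What a lower-resolution camera records: each factor x factor block becomes
    one pixel holding the block's average. Detail finer than a block is gone."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(0, h - h % factor, factor):
        row = []
        for x in range(0, w - w % factor, factor):
            block = [img[yy][xx] for yy in range(y, y + factor) for xx in range(x, x + factor)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def bilinear_upsample(img: Image, factor: int) -> Image:
    """A simple "enhancement" filter: estimate new pixels from their neighbours.
    Like any such filter, it can only interpolate between recorded values."""
    h, w = len(img), len(img[0])
    out = []
    for Y in range(h * factor):
        sy = min(max((Y + 0.5) / factor - 0.5, 0.0), h - 1)
        y0 = int(sy); y1 = min(y0 + 1, h - 1); fy = sy - y0
        row = []
        for X in range(w * factor):
            sx = min(max((X + 0.5) / factor - 0.5, 0.0), w - 1)
            x0 = int(sx); x1 = min(x0 + 1, w - 1); fx = sx - x0
            top = img[y0][x0] * (1 - fx) + img[y0][x1] * fx
            bottom = img[y1][x0] * (1 - fx) + img[y1][x1] * fx
            row.append(top * (1 - fy) + bottom * fy)
        out.append(row)
    return out


def rms_error(a: Image, b: Image) -> float:
    """Root-mean-square difference between two same-sized images (0 = identical)."""
    diffs = [(pa - pb) ** 2 for ra, rb in zip(a, b) for pa, pb in zip(ra, rb)]
    return math.sqrt(sum(diffs) / len(diffs))


def record_then_enhance(original: Image, factor: int) -> float:
    """Record at 1/factor of the original resolution, "enhance" back up to the
    original size, and measure what was lost along the way."""
    recorded = box_downsample(original, factor)
    enhanced = bilinear_upsample(recorded, factor)
    return rms_error(original, enhanced)


if __name__ == "__main__":
    print("HD  px/ft:", pixels_per_foot(1920, 1280, 20, 16))
    print("VGA px/ft:", pixels_per_foot(640, 480, 20, 16))
    pattern = make_bars(16, 16)
    for f in (1, 2, 4):
        print(f"record at 1/{f} then enhance: RMS error {record_then_enhance(pattern, f):.1f}")
```

With 2-pixel bars, recording at one quarter resolution averages every block to the same mid-grey, so the “enhanced” image is a flat grey field and the error is the maximum possible; no filter applied afterward can tell where the bars were, because the recorded pixels no longer contain that information. That is the 2.5x ceiling in practice: interpolation can smooth and sharpen what was recorded, not restore what was not.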
8.4. Myth: Cameras and Keyboards
In the movie, a critical camera recording is being reviewed by a technician, while the hero watches over his shoulder. The hero, looking at a freeze frame, says “zoom in on his face”. The techie types some commands into the keyboard, and the image zooms in. The hero asks, “can you make it any clearer?”, to which the techie responds, “let me focus”. He types some commands, and the picture becomes somewhat clearer. The techie says, “let me run image enhancement”, types a few more commands, and… BOOM! The villain’s face, clear as a bell, pops into focus on the display.
Unless you live in the 1980’s, no one uses a keyboard for this type of operation. Typing keystrokes probably gives the character more credibility than watching them fumble around with a mouse, but clicking and dragging is about a hundred times faster than typing.
Early video editors used keyboards – a standard that is still in use today. Keyboards are a quick way to invoke a specific function using a specific key, such as play, stop, advance frame, fast forward, etc… When dealing with a specific portion of an image, one would have to know the approximate coordinates. So let’s say you have a VGA image (640 x 480 pixels), and the villain’s face is at the top, center of the frame. You would have to know what pixel coordinates constitute the rectangle where you want to zoom. Too much mental math! It’s much easier to click and drag with a mouse, visually selecting the area you want.
Image enhancement routines CAN be external programs, but typically, they are built into the main editing application. Any built-in function would simply appear on a menu, from which you could use a mouse to select it. Although you could configure hot keys, or perhaps a macro to run several filters in a specific order, this would not require “commands” that are typed into the keyboard.
Typing looks cool, but real people use mice!
Some technology myths are repeated so frequently, that the general public believes the myth itself, without understanding real technological limitations.
For writers, it’s easy to stretch the technological capabilities of real-world systems, because it’s a way to quickly find the villain or resolve some other plot point. However, to accomplish this well, a solid working knowledge of the technology allows the writer to paint a more realistic scenario. Good writers and directors employ a technical consultant, who can bridge the knowledge / myth gap, ensuring that the use of technology is realistic and appropriate. When watching movies or TV shows that leverage technology as a plot point, it’s often painfully evident which ones have the technology right, and which ones don’t!
Hopefully, this article has helped debunk those high-tech Hollywood clichés, where the writer simply took a shortcut.