Source: by Jason Sattler | F Secure
One reason there aren’t many great movies about hacking is that there just aren’t that many movies about hackers. Tomi Tuominen, Global Technical Director for F-Secure Consulting, has a theory why the art of breaking into computers rarely makes it to the big screen.
“Honestly, there are no movies that feature hacking properly, mostly because hacking rarely is something that you could visualize easily,” he said.
Watching hacking is generally like watching paint dry for months, he says. It’s not exactly a satisfying cinematic moment to watch an evil villain finally brought to justice by clicking on a link in an email.
For a quick thought experiment about why it’s so hard to put hacking on film, think about the big hack that Tomi his colleague Timo Hirvonen revealed in 2018. They came up with a key that could open hotel locks around the world. Neat, right?
The story begins with a somewhat exciting scene at a hacker conference in Berlin where the pair’s friend’s laptop is stolen from a hotel room without a trace. Pretty good scene. Cut to more than a decade of Tomi and Timo spending their spare time figuring out every possible way that keycards cannot be hacked, until finally they figure out the one hack that works. And what do they do with this information that they spent large chunks of their lives uncovering? They go to the manufacturer so the vulnerability can be fixed.
Inspiring? Yes. But it’s not exactly Casablanca or Scarface.
Yet there are a few movies — and one TV show — that F-Secure’s cybersecurity experts feel capture the spirit, if not always the exact technical drudgery, of hacking.
Sneakers
Principal Security Consultant Tom Van de Wiele feels 1992’s Sneakers illustrates a number of key concepts about hacking and penetration testing — as long as you take it with a grain of salt.
“It shows that the success of a compromise or hack is not the result of a single tool, method or person like in most other hacker movies, but rather the result of a collective or based on the work of individuals that came before you,” he said. “In addition, I think it does a good job of demonstrating the dangers of governments having access to secret backdoors or master keys, and what the risks are of having a master key to something. Especially when the master keys falls into the wrong hands.
The film provides a Hollywood-ized depiction of social engineering, targeted surveillance, open-source information gathering, physical intrusion of buildings, intrusion detection evasion, computer hacking over the phone lines, “phreaking” AKA telephone hacking, access control “hacking” and reverse engineering.
While some of the film’s tactics are realistic, Tom noted that he and his fellow red teamers at F-Secure never feel the need to invade the personal space of businesses they test, the way the hackers in Sneakers do.
“History has shown us that targeting employees at a company in and around their personal living space happens and is performed by foreign spies, but it is unnecessary, excessive and usually even illegal in the corporate world. Whatever the risk is of abuse or misuse caused by an employee or through their privileges can be simulated in ways that does not endanger anyone’s personal lives in any way.”
And Tom also praised the film’s “Easter eggs,” hidden notes in that nod to cyber security sources for some of the film’s plot.
War Games
Mikko Hypponen — F-Secure’s Chief Research Officer — shares Tom’s appreciation for the winks in Sneakers. He also enjoyed the only other film from the brains behind the Sneakers — 1983’s War Games.
“They both center on hacking, and they were written by the same writers: Walter Parkes and Lawrence Lasker,” he said. “In War Games, the main character was inspired by a real-world hacker David Scott Lewis. Also, there’s a math scene in Sneakers which had math calculations created for it specifically by Len Adleman. Mr. Adleman is better known as the ‘A’ from the abbreviation ‘RSA.’”
Mikko also gives an honorable mention for the realistic hacking in a movie not necessarily known for realism.
The Matrix
“My favorite hacking scene is from The Matrix series, specifically when Trinity uses Nmap version 2.54BETA25 to find a vulnerable SSH server, and then proceeds to exploit it using the SSH1 CRC32 vulnerability. This was all very real and doable,” he said. “Matrix was probably the first mainstream movie to get a hacking scene so right.”
So while you cannot freeze time to avoid bullets, you can actually exploit a vulnerable SSH server using the SSH1 CRC32 vulnerability — though you probably shouldn’t try to do either.
Hackers
Andrea Barisani—who hacks systems on cars, planes and ships as F-Secure’s Head of Hardware Security — also puts War Games on his very short list of hacker cinema classics.
And he also includes 1995’s Hackers.
Andrea says both are “both pretty realistic in terms of techniques use — except for ‘the Gibson’ in Hackers, but, hey, we all secretly want that to be true.”
Here’s the “Hack the Gibson” scene. Definitely do not try this at home.
But the technical details in these films aren’t what makes them stand out for Andrea.
“I tend to like such movies more for the mindset they portray rather than the tools and techniques involved,” he said. “Having said that both movies feature vintage, but awesome, phone phreaking acts.”
If you want a depiction that almost gets hacking right, a two-hour film probably won’t ever be the right form for you. But a television series might be.
Mr. Robot
“If we leave out the movies, the most realistic hacking scenes can be found on the TV series Mr. Robot,” Tomi said.
He praised the “wide range of hacking techniques/tools/effects” shown over the course of the show’s 45 episodes, which delve deep enough into hacker culture that they include a “Capture the Flag” competition that the show’s protagonist solves in about a minute.
Hackers may be too complicated for Hollywood
Another reason filmmakers may struggle with telling stories about hackers is that society is very conflicted about what hackers do. Like the witches in the Wizard of Oz, there are good hackers and bad hackers. And they both use similar techniques.
“This term has been unfortunately twisted toward negative connotations, and it didn’t use to be like that,” Andrea.
While the techniques hackers use may go out-of-date, Andrea feels the mindset never ages. Hackers hunt for weaknesses and depending on their inclination, they either exploit vulnerabilities or try to fix them. And Andrea believes the good that hackers do is even more relevant today than ever.
“A good hacker cannot rely solely on tools. It’s a combination of skills, mindset, motivation…the tools are secondary.”
Or, as Tomi says, “A fool with a tool is still a fool. It is the mindset and persistence that matters.”