The hacker flick Blackhat definitely uses the language of cybersecurity, real terms like: malware, proxy server, zero day, payload, RAT, edge router, IP address, PLC, Bluetooth, Android, PGP, bulletproof host, and USB, to name just a few. But how real is the plot of Blackhat, with its malware-induced scenarios of physical and financial mayhem?
I went along to a screening of the film with some of my ESET colleagues to find out if there were any useful lessons to be learned from this latest contribution to the hacker movie genre (for a review of this genre from the security expert's perspective check out Hacker Movies We Love & Hate on Dark Reading).
Spoiler Alert: There are no intentional spoilers. I think I can talk about Blackhat without giving anything away, but if you are particularly sensitive to spoilers, you may want to go see the movie first. I cannot guarantee that reading what follows will not affect your viewing experience.
A plot worth following
First, the good news: the underlying premise of Blackhat is a good one, at least in principle. Even if you don't buy Chris Hemsworth as a hacker or can't handle Michael Mann's obsession with hand-held video, you have to admit the movie got some things right:
- Using malicious code to cause physical damage is real (Stuxnet).
- Using malware and/or fraudulent data to manipulate stock prices is real (Rustock, spam-induced pump-and-dump scams).
- Use of convicted criminal hackers by the FBI and other law enforcement agencies is real (Sabu, Adrian Lamo).
- Hacking the NSA can happen (Snowden).
- The bad guys' Bluetooth messaging system was quite clever.
So, the plot of the movie builds on a solid premise. And most of the hacking you see performed in the movie is within the realm of the possible (some of it is downright plausible, like spear-phishing with a .PDF file and the use of USB drives as an attack vector). For me, that means the movie could work as an awareness-raising exercise, for example, for anyone in the C-suite who still doesn't "get" that things like this can happen to their companies if there are holes in their security (that concierge in the scene at the bank building had clearly missed the company's security awareness session on spotting social engineering attacks).
I also think the movie works as a reminder of how vulnerable the world's industrial infrastructure is to attacks on network systems and the abuse of code. The plot involves a couple of infrastructure items that could be weaponized to devastating effect through manipulation of digital controls (not just the obvious one in the opening sequence).
Too fast and furious
Unfortunately, the way the plot is played out in Blackhat diminishes the technical accuracy (a common failing of hacker flicks). Set aside the love interest, which I felt came on too fast, and the shoot-outs, which are surely too much "heat" for a story about hacking. Just consider the coding: too much of it happens too fast to be realistic. Yes, I know it's "just a movie" but some admirable flashes of realism were undercut by the improbable speed of execution of some of the hacks. While I enjoyed the nod given to the very real phenomenon of malicious code recycling, the speed with which a booby-trapped .PDF was put together was a tad ridiculous, a lost opportunity to create some race-against-time tension by showing how tedious and time-consuming some aspects of malware creation and distribution can be.
Which brings us to the question of how well Blackhat works as a movie. Does it really sell the central premise that our world is in jeopardy from unbridled criminal and nation state hacking? I honestly don't know the answer because that will depend on how you feel about the acting and the filming. I've already alluded to the latter (my feelings about Mann's use of video mirror those of Peter Debruge, Chief International Film Critic for Variety). But I'm going to hold back on what I thought of the acting and leave it to viewers to decide how well they think it worked.
Before I look at any lessons your organization can learn from Blackhat, I will address two hacker-related questions: is Chris Hemsworth too good-looking to be a hacker? And is it plausible that a hacker would be well-trained in martial arts and gunplay? As it happens, I do know some good-looking guys who combine impressive whitehat hacking skills with a strong interest in martial arts and firearms. One of them went through a period of participating in live-fire training exercises. And I know a computer forensics expert who's a sniper with a three-letter agency. Being in good physical shape and hacking are certainly not mutually exclusive. One could even argue that Mann deserves some credit for casting against the hacker stereotype of the pasty-faced, slovenly nerd. As to whether Mr. Hemsworth was the right choice to play the lead in Blackhat, I will leave that for you to decide when you've watched the movie.
Lessons from Blackhat, the movie
1. Always enforce media controls: you don't want any old USB drive inserted in your systems, at least not without solid knowledge of where it came from and a thorough scan for malware upon insertion. Make sure AutoRun is disabled on Windows devices.
2. Be very careful with any email attachment: ask yourself who sent it and why. Does it make sense that someone sent you this file? Err on the side of caution and call or text to confirm. Make sure all attachments are scanned with anti-malware. (For more on recognizing phishing messages read David Harley.)
3. Understand radio risks: the more we rely on wireless communications, the more effort the bad guys will put into messing with them: intercepting traffic to steal credentials and data, executing man-in-the-middle attacks, disrupting service, and impersonating legitimate access points. (See my note on Software Defined Radio (SDR) in the Warning signs not seen section of this article.)
4. Don't rely on digital information: whenever possible, supplement digital versions of reality with your own five senses. Whether you are navigating a car or plane or boat, or running an industrial process, or monitoring security, bear in mind that digital feeds can be compromised. They may feed you bad data, intentionally or accidentally. Situational awareness means using your eyes and ears as well as digital indicators (just because your car's GPS says your route goes over the river doesn't mean the road does).
5. Empower employees to defeat social engineering attacks: from asking visitors for identification to confirming the legitimacy of telephone requests for sensitive information, every employee should be told it is okay to err on the side of skepticism. Indeed, skepticism about digital communications can serve us well in all walks of life (as anyone familiar with my colleague David Harley's posts on hoaxes and scams can attest; here's a link to a lot of them).
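Lesson 1 ends with "make sure AutoRun is disabled on Windows devices", which is a concrete policy setting an administrator can verify rather than assume. The script below is an added example, not code from the original article or from ESET: it audits the Windows policy value NoDriveTypeAutoRun under the Explorer policies key (both machine and user hives) and, only when run with -Enforce, sets it to 0xFF, the value Microsoft documents as disabling AutoRun for every drive type. The function name and the audit/enforce split are my own choices; the registry path and value name are the standard Windows ones.

```powershell
# Added example (not from the original article): audit, and optionally enforce,
# the Windows policy that disables AutoRun on all drive types.
# Assumes the documented policy key ...\Policies\Explorer and the DWORD value
# NoDriveTypeAutoRun, where 0xFF (255) means "no AutoRun on any drive type".
# Run from an elevated PowerShell session; without -Enforce it only reports.

function Test-AutoRunDisabled {
    param([switch]$Enforce)

    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )

    foreach ($path in $paths) {
        $current = $null
        if (Test-Path $path) {
            # Missing value returns $null rather than throwing, so the audit keeps going
            $current = (Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' `
                        -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }

        # Anything other than 0xFF still allows AutoRun on at least one drive type
        $ok = ($current -eq 255)

        [PSCustomObject]@{
            Path               = $path
            NoDriveTypeAutoRun = $current
            AutoRunDisabled    = $ok
        }

        if ($Enforce -and -not $ok) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            New-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -Value 255 `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

Test-AutoRunDisabled            # audit only: one row per hive
# Test-AutoRunDisabled -Enforce # also set 0xFF wherever the value is absent or weaker
```

The audit-only default is deliberate: in a managed fleet this value is normally pushed by Group Policy, so the script is most useful for spotting machines where the policy never landed, and -Enforce is a stopgap for unmanaged hosts. Note that disabling AutoRun stops the automatic execution path only; the scan-on-insertion and provenance checks in lesson 1 still apply to whatever is on the drive.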
Update: I've only seen Blackhat once, so I probably missed some teachable moments -- please leave a comment and let me know if you saw anything noteworthy, or if you disagree with my assessment of the film.