A modern take on the movie Hackers

Several common misconceptions hinder the widespread adoption of cybersecurity culture. One myth — hackers are really smart, so it’s pointless to fight them —was popularized in particular by the movie Hackers, released exactly a quarter of a century ago. The movie gave rise to a set of clichés still employed by the film industry.

Indeed, the movie’s misfit heroes and their adversary, Plague, an infosec expert at Ellingson Mineral, are portrayed as highly intelligent geeks able to find and exploit vulnerabilities in any information system.

For example, the main character is equally at ease breaking into a school database and a cable operator’s network. Phantom Phreak makes calls from payphones to Venezuela without paying a cent. Even Joey, the group’s youngest and  least-experienced hacker, manages to gain access to the Gibson supercomputer at Ellingson Mineral. It all looks quite impressive (for 1995) but let’s take a closer look at the crew’s accomplishments.

Hacking a TV station

The protagonist, Dade (aka Crash Override), breaks into the network of a TV station to replace a dull show with something more captivating. He does so by calling the night guard, posing as an accounting employee who needs access to his computer, and asking the guard to read out the phone number on the dial-up modem.

On the one hand, it’s basic social engineering. On the other hand, it’s lunacy on the part of the company — and I’m not even talking about the haplessness of the guard. Why is the accountant’s computer on the same network that controls the broadcast? Why does it have a modem constantly waiting for an incoming call? Why is the phone number written on the modem?

While that intrusion is going on, it turns out another hacker is already inside the company’s network: Kate, aka Acid Burn. How did she get there? Well, the company probably has other computers with exposed modems.

Hacking Gibson

Novice hacker Joey breaks into the Gibson supercomputer. That is, he logs in through a modem from home using the head of PR’s super-secure account password, god. That’s despite every character in the movie (including said head of PR and Plague, who is responsible for the company’s security) knowing that the most common passwords in this flick’s reality are love, secret, sex, and god. What’s more, the head of PR has superuser rights for some inexplicable reason. All told, the hackers’ “great” achievement is less about ingenuity than corporate fecklessness.

Plague’s skullduggery

The movie’s plot revolves around the cunning scheme of the hacker Plague, who works at Ellingson Mineral. He writes a piece of malware to salami-slice a few cents off every company transaction, and transfers the proceeds to a secret account in the Bahamas. That might have been an original plotline had a similar scheme not been deployed 12 years earlier in the movie Superman III. For some reason, everyone describes the malware as a worm, although the film says nothing about its distribution and replication.

Based on that information, can we really consider Plague a cybercriminal genius? Hardly. He heads information security at a company where no one apart from him has the first clue about the subject. And he’s in cahoots with the head of the PR department, effectively giving him carte blanche? It’s an insider attack; the problem is not so much a lapse in cybersecurity as the company’s recruiting policy.

Da Vinci virus

When Joey accidentally downloads part of the “worm,” Plague launches a virus (again, it’s not clear if it actually is a virus, or whether the writers just liked the sound of what in 1995 was a new term for most moviegoers) by the name of Da Vinci. The malware seizes remote control of the target company’s oil tankers with the potential to capsize them by pumping water into the ballast tanks. In fact, though, the “virus” is a red herring.

Plague is simply using it to (a) divert attention from the money-grabbing “worm,” (b) accuse Joey and pals of hacking into the company and ultimately blame them for the “worm,” and (c) turn them over to the Secret Service, get inside Joey’s computer, and find out what information has leaked — not to mention buy time for the malware to siphon off more cash.

In fact, such a “virus” is way too futuristic for that time. For a start, the very idea of a seagoing vessel in 1995 being permanently connected to the operator company’s navigation systems is crazy. First, the Internet is not needed for navigation either today or back then; the GPS system was already fully operational and available to civilians.

Second, for a ship to have been constantly online in the mid-1990s plays fast and loose with reality. Data transfer by satellite didn’t exist then; it would have required a permanent — and prohibitively expensive — modem connection over a voice line.

Moreover, tankers (which could be classified as critical infrastructure) do not have backup manual systems for ballast water injection control. The process is fully computerized. For that matter, a computer is perfectly capable of failing even without malware. In short, for the Da Vinci virus to work, someone would have had to lay the long and laborious groundwork to sabotage the merchant vessel, including at the stage of ship design.

Preparing for the showdown

The protagonists decide to stop the dastardly Da Vinci and obtain the full code of the “worm” to find out where the stolen money is being transferred. Their preparations are nothing if not thorough. But here the movie begins to go off the rails.

The hacker Cereal Killer impersonates a telephone company employee, infiltrates the building of the US Secret Service, and plants a bug there. (Why none of the employees, supposedly professionals, suspects a teenager in saggy pants is a mystery, as is his off-screen punishment.)

Dade and Kate sift through Ellingson Mineral’s trash and steal some papers. That bit’s believable — even today not every company monitors how and where its garbage gets chucked. But a perusal of the trashed documents handily serves up 50 passwords that can be used to penetrate the corporate systems. More a gusher than a leak.

The final battle for Gibson

The main characters ask the hacker community for help, and together they bombard the supercomputer with viruses. At this point, the film has finally lost all connection with reality. Unfortunately, we know nothing about the architecture of Ellingson Mineral’s information systems, and therefore can’t quite work out how a throng of attackers can simultaneously connect to Gibson, upload an assortment of viruses, and download the “worm.”

It is not even clear whether they acted over the Internet or somehow connected directly to the company’s internal modems. In any case, Plague somehow pinpoints the source of the attacks.

At this point, the curious phrase “Multiple GPI and FSI viruses” is heard. GPI stands for General Purpose Infectors, a long-outdated name for viruses that can be embedded in any executable file. FSIs, or File Specific Infectors, are viruses that target files of a certain format. In other words, the phrase basically means that the security team can see a lot of viruses.

International calls

Throughout the film, the hacker known as Phantom Phreak uses payphones free. The technique, which seems the least plausible from a 2020 perspective, is actually the most credible. In those days, phreaking — breaking into telephone systems — was a core part of hacker culture, hence Phantom Phreak’s name.

To make free calls, he uses a device that generates tones to simulate coins being inserted into the phone, a ploy known as red boxing. It really did work, and instructions were widely circulated in hacker communities even in the pre-Internet age. Thinking that coins had been dropped in, payphones signaled to the billing system how many minutes to give the phreaker.

By 1995, red boxing was already on its way out. Telephone companies, aware of the vulnerability, were busy implementing protective technologies such as frequency filters, duplication over digital channels, and ways to physically verify the number of coins inserted. But red boxing was still in play at the time of the movie’s release.

Equipment

Of special interest is the equipment used by the hackers. Kate, hailing from a wealthy family, works on a P6 laptop, which she says is “three times faster than a Pentium.” That’s a reference to the Pentium Pro, the first of Intel’s sixth-generation x86 microprocessors. In those days it really was the world’s most powerful chip, and it was released, like the film, in 1995. And Kate’s modem could clock a speed of 28,800 kbps — another best for that time.

However, a closer inspection reveals that when connecting through public telephone booths, the protagonists use what looks like an acoustic coupler, which converts acoustic signals into digital ones. That’s an extremely unreliable contraption that supported only 1,200 kbps, and by 1995 it was hopelessly outdated. Still, it looks impressive.

Pure fantasy

Other moments in the movie also stretch the imagination to the breaking point. Among other things, the hackers go after a government agent, during which they:

  • block his credit card;
  • add bogus traffic violations to his record;
  • declare him dead in the Secret Service database.

It is not clear how they manage to do all this, but, once again, it is more testament to the incompetence of the bank, the police, and the Secret Service than to the ingenuity of the hackers. The only convincing trick the hackers play is posting a lewd ad on a dating site. But that doesn’t take hacker skills, just a particular sense of humor.

And the finale wouldn’t be complete without the antiheroes causing chaos by hacking the city’s traffic lights. Classic.

The bottom line

Even on-screen hackers are not superhuman; they simply exploit the mistakes and stupidity of others. And most real-life attackers are even less expert, hardly evil geniuses. Our Kaspersky Automated Security Awareness training platform helps clear up this and many other misconceptions, teaching employees to avoid obvious mistakes.