Cybersecurity in Johnny Mnemonic | Kaspersky official blog

The future that William Gibson imagines in the short story that inspired 1995’s Johnny Mnemonic essentially epitomizes cyberpunk: edgy, dangerous, extremely advanced, highly technical. The movie being set in early 2021, we decided to analyze the cinematic version from the viewpoint of cybersecurity, comparing the fictional 2021 with our own.

The setting of the movie

The film plays out in a rather gloomy world, one controlled by megacorporations and plagued by a dangerous pandemic known as Nerve Attenuation Syndrome (NAS). The cause of the disease, in the words of one of the characters, is: “Information overload! All the electronics around you poisoning the airwaves.”

Megacorporations, pandemics, conspiracy theories about new tech rollouts. Sound familiar? Well, it’s only partially accurate: In this cinematic 2021, microchips holding gigabytes of information can be implanted into the human brain; in reality, despite Elon Musk’s best efforts, we’re not there yet. We won’t bother dismantling the classic 1980s/90s movie depiction of the Internet as a wacky VR universe. That’s not the Internet, at least in 2021.

Pharmakom Industries

According to the movie’s plot, a cure for NAS actually exists, but Big Pharma is keeping it quiet — treating the symptoms is far more profitable than ridding humanity of the disease. Some Pharmakom employees disapprove and not only steal medical information, but also destroy the company’s data.

That reveals a number of major flaws in Pharmakom’s security system:

  • Its scientists’ data access permissions are too generous. Sure, drug developers need access to read operational information, and even to write to the server. But why give them permission to permanently delete classified information?
  • Pharmakom has no backups (at least, nothing offline). That means much of the rest of the plot — involving the mad pursuit of the “mnemonic courier” (more about that below) — rests on the company needing the data back. With backups in place, Pharmakom could simply have restored the data, then eliminated the leak and the courier. Instead, the plot demanded the company try to saw off his head without damaging the implant inside.

It’s also worth mentioning that the Pharmakom network contains a digital copy of the consciousness of the company’s founder. The AI not only possesses free will and access to the entire Internet, but also tends to disagree with the way the corporation is developing into something monstrous.

Lo Teks

A group known as the Lo Teks represents the resistance. In the original story, the Lo Teks were antitechnology, but in the movie adaptation they seem quite up to date. Living with them is Jones, a cyborg dolphin whose hacking skills help him extract valuable information, which the Lo Teks then transmit using a hijacked TV signal. At the center of the group’s shelter is a mountain of rubbish featuring wires and old cathode-ray-tube TVs.

Despite the group’s on-air antics, no one pays much attention to the Lo Teks (or even locates them) until they come into contact with Johnny.

Online communication

Partway through the movie, Johnny tries to contact an acquaintance. That’s when we realize Pharmakom’s experts, working with the Yakuza, are tracking his regular contacts — fantasy 2021 privacy is even worse than present-day reality.

One might think a hacker-smuggler can manage online anonymity, but no, everyone knows Johnny’s connections, and infosec experts immediately sniff him out (even though he goes online from a completely new, stolen computer and with some kind of stealth module) and pinpoint his location.

Along the way, Pharmakom activates a “virus” to interfere with Johnny’s communication. As usual in movies, the terminology is rather loose; the virus seems more like some sort of DoS attack tool than an actual virus.

Mnemonic courier

At long last, let’s get to the main theme of the movie, which is related directly to information security — consider the title character’s profession. As a mnemonic courier, Johnny’s head is literally a data storage device. Such couriers are used to smuggle highly valuable information that cannot be entrusted to the Internet. The rebel scientists choose Johnny to convey the medical data they stole from Pharmakom to a team of doctors in Newark.

How the implant works

The technology here is incomprehensible: The data is stored directly in the brain, and to make room, Johnny has had to sacrifice most of his childhood memories. The nominal capacity is 80 GB, expandable to 160 GB by briefly connecting to an external box, but in fact it is possible to upload twice that amount, boosting capacity up to 320 GB. That squeezes the brain, causing the courier to suffer from seizures and nose bleeds, and the information can be damaged as well.

In the movie, the implant is not hard to detect. For example, when crossing a border, people are scanned and the device appears in those scans. But the scans seem rather superficial; the system falsely reports the brain implant as a device for counteracting dyslexia. Why the device arouses no suspicion among the border guards is not clear.

Data protection

The data protection method is nothing if not original. During upload, the client randomly takes three TV screenshots. The images “dissolve in the data” and serve as the “download key.” Without them, it is impossible not only to download the data, but even to delete it, so the same screenshots must be sent to the recipient. By the look of it, then, this safeguard has to do with encrypting the actual data, but it’s also an implant-access mechanism.

As soon as they upload the data, the scientists are attacked by Yakuza operatives working for Pharmakom. One screenshot for the key is destroyed in the ensuing firefight, Johnny keeps one, and one goes to the attackers.

Sending the key

The “key” is sent by fax. That’s not as funny as it sounds: although the technology is outdated in the real 2021, faxing the key makes some sense because it makes direct use of the telephone network, which can, in theory, be safer than using the Internet. Unfortunately, faxing tends to degrade image quality. Also, in the movie, all fax machines are available from the Internet, so there goes that.

After escaping from the Yakuza, Johnny tries to recover the missing screenshots. He finds the originating fax machine and its logs in a hotel’s information systems, the password for which he brute-forces on his third attempt. The password can’t have been very strong. That, it must be said, corresponds perfectly with our 2021: For many hotels, security still means a guard at the door. In any case, Johnny manages to get the recipient’s fax machine address.

Connecting to the fax requires no authentication. Moreover, by connecting remotely, anyone can read data from the buffer, thus rendering this communication channel totally unsuitable for confidential data.

Extracting the data without the key

The situation seems hopeless. Without the key, Johnny can neither download nor delete data from his head, and with the maximum allowable capacity twice exceeded, he will soon die and the cure for the pandemic will be lost.

But wait, there are, in fact, many ways to extract information without the key (leading to consequences of varying severity):

  • The Yakuza try to saw off Johnny’s head so they can take it to a “quantum interference detector” to extract the data.
  • A doctor who specializes in implants has some “decryption codes” that, with a little luck, should enable data retrieval. It doesn’t work in this case, but everything seems to suggest that sometimes it does, which raises a ton of questions about the reliability of the encryption algorithm.
  • Next, the same doctor proposes extracting the data and the implant surgically, though that carries a considerable risk to the life of the patient (not to mention guaranteed health problems).
  • Having been trained by the US Navy to hack enemy submarines remotely, Jones the cyborg dolphin can try the technique on Johnny’s skull.
  • A Yakuza operative mentions that even after download and deletion, “mnemonic sensors” can still recover residual traces of the data.

Bottom line

Using mnemonic couriers seems pointless. The scheme apparently uses symmetric encryption (no matter how complex the key is, it still has to be transferred to the recipient), the key transfer occurs over unprotected channels, and the implant’s overload capability violates all safety regulations, jeopardizing both the courier’s health and the integrity of the data. But the method’s main weakness is that it leaves a plethora of ways to get the data without the key.

Moreover, with only two of the screenshots, Johnny, with the help of his aquatic sidekick, hacks into his own brain and extracts the third. That means the key is stored with the encrypted information, a highly insecure practice.

In the real 2021, sending the data over the Web using a reliable asymmetric encryption algorithm would be easy. Even if the fact of a data transfer cannot be hidden, the strategy would guarantee delivery to the addressee. And 320 GB is not such a large volume by our 2021 standards.

What came true and what didn’t?

The real 2021 is not as bleak as the filmmakers imagined — or, at least, it’s not as bleak in the same ways as the filmmakers imagined. Cybersecurity has come a long way. So, which of the above could actually happen?

  • In the real 2021, multiterabyte archives of confidential information, including vaccine data, are leaked almost regularly. The Pharmakom data leak is plausible and very possible.
  • Insider attacks and sabotage are similarly not at all unusual. One recent incident, for example, was also related to healthcare.
  • Artificial intelligence, self-aware and living online, does not (as far as we know) exist yet.
  • A cyborg dolphin with hacking skills is a little far-fetched. Contra many sci-fi predictions, dolphins have not yet learned to perceive human information and use electronics.
  • Broadcast signal intrusion, on the other hand, is real. But it is usually done on a small scale, and the intruders are quickly identified.
  • Identifying a person online based on a connection to a certain address is a real thing, but it requires extensive groundwork.
  • A DoS attack on the link between two network clients is real, though it is done by disabling the communication channel rather than with a virus.
  • Implanting a chip into a person’s brain is not yet reality. Current experiments focus on creating a neural interface for communication with a computer, not on data storage.
  • Here’s the big one: Transferring data by pumping information directly into a human courier’s brain is not only unrealistic but nonsensical. Thanks to encryption, we can easily and securely transmit data over the Internet.