As the taut plot of USA Network’s drama series “Mr. Robot” careens into its fourth and final season, the television show’s cybersecurity consultant, James Plouffe, is ready to reveal his role.
Working behind-the-scenes for three seasons, Plouffe’s role was critical to give the show a cadence and timbre of the reality of the hacking world and enterprise IT, one that “Mr. Robot’s” lead character, Elliot Alderson, who is played by actor Rami Malek, infiltrated, decimated, and feels compelled to resurrect.
SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic)
Plouffe’s background in cybersecurity informed his input to “Mr. Robot’s” tech producer, Kor Adana (the so-called buffer between the tech consultants and actors). Plouffe consulted on seasons one to three, and his involvement came about rather organically, which he described in a way as cryptic as Mr. Robot’s machinations.
He explained, “It started by demonstrating a man-in-the-middle attack to an intern, as a way to encourage the office free-loader to stop stealing departmental donuts, followed by a chance encounter in LAX, and a vague reference to a future need for help, and finally with a phone call that began, ‘You’re on speaker with the writers’ room, they have some questions…'”
TV consulting is only a side-gig for Plouffe. His full-time job is working in technology and security strategy at MobileIron, which focuses “on securing the computing devices people use everyday like smartphones, tablets, and laptops, and the cloud services those devices connect to.”
Plouffe’s job provides him with “a great opportunity to keep up with the latest tech and a convenient excuse to buy the latest gadgets.”
SEE: How to become a cybersecurity pro: A cheat sheet (free PDF) (TechRepublic)
Not surprising, having updated cybersecurity and product knowledge were essential prerequisites for Plouffe and his fellow tech consultants, who were brought in to “build a technically accurate representation of computer interfaces or attacks.”
Even if only a small percentage of the show’s audience understood and appreciated the types of hacks depicted in the series, it was important that cyberattacks were portrayed as historically accurate and credible. For example, characters on the show experienced Stagefright, which targeted Android phones, and was a top security concern in 2015.
“Stagefright was one of the vulnerabilities that we included, attributing its discovery to members of [the show’s hackers] fsociety, rather than [the actual discoverer, Zimperium’s] Joshua Drake,” Plouffe explained. “We also showed tools like Kali Nethunter and the USB Rubber Ducky by Hak5. One of the attacks I was most pleased with [to introduce into the show] was the use of a Raspberry Pi to interfere with the climate control systems at a tape vaulting facility.”
In order to help the writers, prop makers, and visual effects teams, tech consultants would take pictures of equipment, review pictures, and sometimes even create screen recordings that could be the basis for animations used in the production.
While he didn’t work directly with Malek or the rest of the cast, Plouffe said most of the actors had basic tech skillsets that ranged “from rudimentary to pretty adept.”
SEE: Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)
He did, however, work closely with the show’s writers. “I helped writers select relevant, real-life exploits and vulnerabilities throughout my time as a consultant,” Ploufee said.
Show creator Sam Esmail, and tech producer, Kor Adana “wanted to show that hacking isn’t some mystical art performed by some wizard banging on a keyboard,” Plouffe said. “They wanted to show that you could present technology in general and hacking in particular in a way that was accessible to a generalist audience, so they relied on the tech consulting team to help them bring real-world examples and situations into the plot.”
Plouffe worked as one of two tech consultants in season one, one of five in season two, and one of four in season three. Most of Plouffe’s fellow tech consultants were “active in tech and had backgrounds that included hacking and security research, enterprise security and defense, and law enforcement.”
“It was our job,” he continued, “to help Kor build a technically accurate representation of computer interfaces or attacks, and his job was to explain it to the actors in the context of the scene.”
Despite the global cyberthreats depicted in “Mr. Robot,” the goal was for all of the tactics, techniques, and procedures (TTPs) of all the characters was to make them plausible. “Because the show was set in the past, we had the benefit of treating vulnerabilities and exploits that were well-known in real life as if they were new or undiscovered in the timeline of the show. This also meant that proof-of-concept or demo code created in the real world could be used by the show’s characters,” Plouffe said.
SEE: Launching your cybersecurity career: 10 jobs to consider (free PDF) (TechRepublic)
Hollywood vs. reality
While the fourth season is set in late 2015, it doesn’t reflect the most recent threats. However, Plouffe said, the threats are real and may still be viable. Each storyline accurately reflects the motivations of some attackers, as well as the techniques–such as social engineering–that they employ.
“You also see characters in the show using real software like Kali Linux, and the tools that it includes, and hardware devices like the USB Rubber Ducky, all of which are very much in widespread use,” said Plouffe. “Even though the show is technology-centric, I would say it is the characters, and their struggles that drive the popularity. I think the fact that we are dependent on technology for so many things helps reinforce a lot of what happens in the show, and I hope it makes people stop and think about how to use technology more safely and responsibly.”
As for a future cybersecurity solution, Plouffe believes that the future looks a lot like the past. “Mobile operating systems have made—and continue to make—great strides in their fundamental security, but they are not perfect and security solutions will need to continue to evolve to provide prevention and detection given constraints like application sandboxing and a lack of highly privileged access to the underlying OS,” he said.
It will be interesting to see how this all unfolds on “Mr. Robot.” Plouffe is especially excited since he’s not just a technical consultant–but also a fan.