Hollywood loves a good hacking scene. Supercomputers, neon strings of numbers dissolving across the screen, and introverted geniuses frowning in concentration are all staples of this infamous pastiche. Some scenes are so notorious that they’ve even got their own subreddit. But real-life hacking takes hours of work, years of knowledge and non-stop training. Can you really fit all that time and effort into a two-minute on-screen montage? Immersive Labs’ real-life good guys have reviewed some famous television and movie clips and realized that most of the time these scenes are full of nonsense – but entertaining nonsense nonetheless!
Stefan Apostol, Senior Content Developer
‘Mr Robot’ / 2015 - 2019 / "eps2.3logic-b0mb.hc" 3rd August 2016 / USA Network / Universal Cable Productions / Sam Esmail
This is one of my favourite Mr. Robot scenes because of Elliot’s passion for hacking and gaining admin privileges over a network (in this case, the FBI's network). The scene starts off with an update of his system's package lists, a subtle but important technical aspect. Always update your system – thumbs up.
The next part of the scene shows all of Elliot’s terminals, including the system update, scripting, him logging into a remote server and downloading TOR (presumably his attacking server), and an IRC chat with his fellow hackers. Although this is only shown on screen for a split second, it’s quite important because it includes most (if not all) elements of an old-school malicious hack. Deserving of another thumbs up.
Elliot then begins to talk about his first hack. At the age of 11, he was able to get complete control over a network due to a vulnerable FTP server belonging to the city's public library. This sounds like a legit hack for someone of Elliot's age, because such vulnerabilities were quite common around that time. Another thumbs up.
The remaining part of the scene shows Elliot writing his exploit in the form of a Metasploit module, again pretty common since the Metasploit framework was designed for this and is quite an iconic tool in the world of cybersecurity. One more thumbs up.
Next, we hear a bit about the design of the malware and how everything will execute, ending with Elliot becoming a domain administrator on the FBI's network. The technical content of this is quite accurate and the thrill of owning an entire network (especially the FBI's) is as good as Elliot describes it. However, even with the Android zero-day he claims to have, it might not be so easy for a single person to stealthily own every FBI agent's mobile phone and the whole FBI network in a single afternoon. This being said, it is still a TV show about a genius hacker, so it doesn't deserve any thumbs down.
Jaimi Anderson, Content Engineer
‘Hackers’ / 1995 / MGM/UA Distribution Co. / United Artists / Iain Softley
This scene gives you the impression that hacking or preventing hacking is just like playing a video game, but it's really not. However, it isn’t meant to make sense! It’s all metaphorical. It’s not realistic, but I kinda love it.
Helen Payne, Copywriter
I don’t know the ins and outs of what hacking entails, but it certainly isn’t this! If fending off viruses was as easy as typing ‘cookie’, we’d all be out of a job!
Taylor Mowat, Senior Content Engineer
‘NCIS’ / 2003 - Present / “The Bone Yard” 26th October 2004 / CBS / Belisarius Productions & Paramount Network Television / Terrence O’Hara
This scene in NCIS is one of the most laughable hacking scenes in the entirety of popular culture! It must be a deliberate attempt at a joke by the writers of NCIS – after all, there are many attempts by the writers to troll computer geeks and gamers throughout the franchise.
This well-known scene sees the series' Abby Sciuto and Timothy McGee perform an astounding four-hands keyboard duet as they attempt to stop the NCIS network from being completely overtaken by hackers.
Images and files flash open on the screen at lightning speed, as stealthy exfiltration was obviously not an option for these hackers. A futuristic (for 2004) IDS alert pops up on the screen but is obviously not advanced enough to help thwart the attack.
As Abby and McGee try to counter-attack the attackers, they attempt to “isolate the node and dump them on the other side of the router” and they talk briefly of “DOD level nine encryption” before DiNozzo quite rightly asks, “What is that, a video game?”
Finally, after 40 seconds of complete Hollywood fiction hacking, Gibbs saves them by pulling the PC's power cord, ending the attack... If only it were that straightforward in real life! Not a moment too soon either, as it's thought that the malicious actors were using three mice each, far overpowering the capabilities of Abby and McGee.
Live Free or Die Hard
Sean Wright, Lead Application Security SME
‘Live Free or Die Hard’ (released as 'Die Hard 4.0' outside North America) / 2007 / Twentieth Century Fox / Cheyenne Enterprises, Dune Entertainment & Ingenious Film Partners / Len Wiseman
In this film, villains perform cyberattacks on national infrastructure – something that’s definitely possible. We’ve seen such things happen in real life, such as when Stuxnet caused considerable damage to a nuclear facility in Iran. So while the general concept of performing these large-scale cyberattacks is plausible, the scale of that which takes place in the movie is a bit far-fetched. In reality, we’d probably only see attacks on specific parts of infrastructure, whereas in the movie the villains attack multiple parts at once, including attacks on the power grid, stock market, natural gas facilities and transportation.
The so-called “hacker” scene in Die Hard 4 starts off well, showing a terminal using scp (OpenSSH secure file copy). This real-world tool securely copies files from one system to another and is used daily by many. The scene then moves on to Matt using the pseudonym WAR10CK to have an instant messaging conversation with another hacker, F4RR3LL. Attackers do this all the time in real life, using pseudonyms for themselves that often replace characters with digits.
We then get a shot of the villain at his laptop in the back of a van. While this is technically possible, it’s unlikely that an attacker would attempt to hack someone while in a moving vehicle. The villain proceeds to type away on his keyboard and magically gains access to Matt’s system. In reality it really isn’t that simple. Gaining access to a system takes time and is definitely not achievable in mere seconds like the scene makes out. The final nail in the coffin for this part is the IP address of Matt’s system, which is shown on the villain’s screen as he connects to it. 172.16.55.103 is a private IP address, which means that the attacker would have to be on Matt’s network in order to connect to his system. Wrong again.
Once the villain has uploaded the virus to Matt’s system, his screen starts to malfunction, which certainly doesn’t happen in real life either.
Finally, the whole purpose of uploading the virus is to turn the victim’s PC into a bomb. While viruses can and do cause a lot of damage to PCs, in reality they are far less dramatic than the scene suggests and certainly cannot turn PCs into bombs!
The Social Network
Alex Seymour, Senior Content Engineer
‘The Social Network’ / 2010 / Sony Pictures / Columbia Pictures / David Fincher
All in all this scene seems fairly accurate. There's none of the typical "just say IT things and it'll sound right" that a lot of films and TV shows seem to subscribe to.
There's only a couple of minor slip ups here. Firstly, when Mark's downloading the photos from Kirkland, he uses "a little wget magic". What he actually enters is wget -A.jpg. That's not going to do much – or actually, anything. A.jpg isn't a flag for wget and that's not how you specify a filename to download. It's certainly not how you recursively download hundreds of files. It's also completely lacking the IP address or domain to download the files from – magic indeed.
The second slip up is still pretty minor: emacs doesn't work on his machine. If you watch closely, whenever he tries to launch emacs from the command line he just gets a FontStruct error.
We catch a glimpse of a Perl script he uses to download photos from Leverett. Examining the code, the whole thing looks pretty legit. On a side note, he says that Dunst's search "redirects to a PHP or something"; it doesn't go any further than that, but that sounds like a potential LFI vector.
Kev Breen, Director of Cyber Threat Research
‘Swordfish’ / 2001 / Warner Bros. Pictures / Village Roadshow Pictures & Silver Pictures / Dominic Sena
In one of the first so-called “hacking” scenes in Swordfish, Stan is asked to hack into a DOD database with 128-bit encryption. Gabriel asks if he would do this by "sliding in a trojan horse hiding a worm".
As Gabriel spins the laptop around, we are presented with a login page for the DOD. In this kind of attack, you're typically going to look at a noisy brute force or possible SQL Injection, as this is supposedly a database.
Up until now, it was almost plausible, but switching back to Stan’s view with a gun to his head and a… well it’s all a bit NSFW here… we get some close ups of his screen.
Ignoring the fact that he is typing quicker than words are appearing, the text on the screen is total gibberish. To someone unfamiliar with the process, these may look like technical words – and to be fair some of them could be – however everything on the screen is out of context or has no actual function associated with it, effectively making it meaningless. My screen can fit a few hundred lines of code, not just 20 very large words and six impossible IP addresses.
We have referenced the following films for the purposes of reviewing and critiquing:
- ‘Jurassic Park’ / 1993 / Universal Pictures / Amblin Entertainment / Steven Spielberg
- ‘Mr Robot’ / 2015 - 2019 / "eps2.3logic-b0mb.hc" 3rd August 2016 / USA Network / Universal Cable Productions / Sam Esmail
- ‘Hackers’ / 1995 / MGM/UA Distribution Co. / United Artists / Iain Softley
- ‘NCIS’ / 2003 - Present / “The Bone Yard” 26th October 2004 / CBS / Belisarius Productions & Paramount Network Television / Terrence O’Hara
- ‘Live Free or Die Hard’ (released as 'Die Hard 4.0' outside North America) / 2007 / Twentieth Century Fox / Cheyenne Enterprises, Dune Entertainment & Ingenious Film Partners / Len Wiseman
- ‘The Social Network’ / 2010 / Sony Pictures / Columbia Pictures / David Fincher
- ‘Swordfish’ / 2001 / Warner Bros. Pictures / Village Roadshow Pictures & Silver Pictures / Dominic Sena
23 July 2020