Nice Try, Quantico, But That’s Not How Hacking Works
The TV thriller Quantico, which centers around a group of FBI recruits and a terrorist attack at Grand Central Station in New York City, is a highly glamorized take on FBI life. So it’s not surprising that the series is a little confused about all things technical and frequently pushes the boundaries of what could possibly happen—even if you suspend your disbelief. This week’s episode, “Over,” looks at what happens after a hacker breaks into the FBI’s servers and leaks all of its internal documents online. Here’s what Quantico got right—unfortunately, it wasn’t much—and some of its less plausible takes on how a hack of this scale would work.
Earlier in the season, FBI agent Alex Parrish, who’s the show’s main character, became the primary suspect for the attack at Grand Central Station. She’s on the run from the FBI—though she has people within the agency helping her with her own DIY investigation into who really engineered the attack. In this episode, the FBI hack’s massive leak causes FBI Deputy Director Clayton Haas to panic about whether his personal email account will be hacked next, since this could reveal information about his extramarital affair with Shelby Wyatt. The IP address on a return receipt to his assistant would apparently link Clayton with Shelby to a night they spent together in a hotel, so he tries to scrub any incriminating emails—including those on Shelby’s phone. The rest of the episode focuses on the leak and Parrish’s attempts to find out who’s really behind the attack and redeem her good name.
The FBI Hack
The hacker gained access to all the FBI data in this episode by guessing a single password. It was unclear what he was actually trying to access, but it’s likely that FBI agents would need to log into a VPN, or need some kind of second-factor authentication, or a certificate, to log in. It’s also worth noting that accessing a web app or someone’s email isn’t the same as downloading and publishing tons of files.
“At that point they’d need to hack that system and get escalated privileges on the server so that they’re on to be able to look around and see what is there and then pivot to other servers to see what is on there. I just don’t think it’s as easy as guessing a password,” says Micah Lee, the Intercept’s lead security technologist.
Even if the hacker did somehow access all FBI data by guessing a single password, that doesn’t explain how the hacked data inexplicably flashed on the screens of every computer in the FBI headquarters, as well as a computer in a random house where Alex was hiding. “The show didn’t even really go into how [the data] was hosted, since hackers managed to magically dump data on all of the screens,” says Lee. “Was it on a website? On a torrent? Why were these documents suddenly flashing everywhere?” (We’re confused, too.)
Even if Alex had happened to log into some FBI-connected site in a free moment while at the house, it’s unlikely that the computer she borrowed would have enough storage to download vast troves of data—and downloading it all onto a USB drive would obviously take more than a few seconds.
Another improbable part of the scenario: in the show, the FBI doesn’t react that urgently to this incredibly severe security breach. “It would be one thing if an internal FBI file server got hacked and somebody downloaded all the data off it and was making it available on the internet. But it’s a totally different thing if all of the computers in the building were also hacked, including the clients people are typing their password into, and [if the hacker is] running some weird malware that opens some types of documents,” says Lee.
In the real world, the FBI would likely respond by demanding that anybody hosting copies of its classified files take them down. It would probably also launch raids or whatever else was necessary to stop the distribution of this information.
One of the slightly more accurate plot lines in Quantico is actually a dramatic detail—that an FBI agent is trying to scrub his email to remove incriminating details of an affair. But the show doesn’t seem to understand that simply deleting an email doesn’t mean it’s unrecoverable.
“If you’re trying to destroy electronic communication because you don’t want your husband or wife or lover or whoever it is to discover it, that’s one thing. If you’re trying to hide it from the government or a law enforcement agency, that’s far more difficult,” says investigative reporter Jason Leopold. Many emails that disappeared between 2003 and 2005 when the Bush administration switched from Lotus Notes to Microsoft Outlook were recovered, recalls Leopold, who covered that story back in 2008. “Even with Hillary Clinton, they purged a number of emails that she claimed were personal, and even that was difficult because they were able to retrieve them,” he explains.
“I’ve had FBI and CIA officers actually email me from a Hotmail account [with] information that I cannot believe they actually emailed me,” Leopold says. Even though Haas is a high-ranking FBI official on the show, he acts like he doesn’t know web-based service providers typically keep backups for some time.
The Dark Web
As a bonus, we can’t help but mention that earlier in the season, there’s a scene where Parrish is talking to random hackers over a Tor chat interface that doesn’t actually exist. She invites them over, so two members of the hacker collective Unknown then come right to her and record a video about her innocence, which they broadcast live to millions of viewers. Needless to say, this depiction of Tor is nothing short of fantasy. Not only would people from the dark net not just show up in person, but the FBI would not be able to trace a live video broadcast over the Tor network after five minutes. “Tor does not work like that,” explains Lee, who points out that if the video was streamed over Tor on something like Ustream, the IP address would lead the FBI back to a Tor exit node, which wouldn’t give anything away about the location of who posted the video. “They don’t have the capability to deanonymize Tor traffic on demand.”
In short: Quantico isn’t the kind of show you should expect to have even a slightly grounded depiction of how hacking or cybersecurity works. But if you enjoy Scandal-style drama with an (unrealistically) technical flair, Quantico is worth watching for a good time.