Spoiler alert: Those who haven’t yet seen the film, but plan to, please skip to the summary.

Hollywood has tried to depict cyberwarfare and “hacking” many times. Hackers and The Net are just a couple of examples.

Blackhat, a Michael Mann directed film, debuted in wide theatrical release on January 16th. Chris Hemsworth plays Nicholas Hathaway, a man who was serving time in prison for some sort of computer related crime. Viola Davis plays FBI Agent Carol Barrett. Leehom Wang plays Captain Dawai Chen, an officer of China’s cyberwarfare unit. Wei Tang plays his sister, Lien Chen. Lien’s character is central to the movie, she helps with the investigation and (spoiler alert!) falls in love with Nicholas.

Computer Forensics Training – Resources (InfoSec)

Here’s a quick synopsis. A nuclear power plant in Chai Wan, Hong Kong is attacked with a remote access tool (RAT.) Through the RAT, the plant’s programmable logic controllers are tampered with, causing the coolant pumps to overheat and explode. People within a ten kilometer radius of the plant are evacuated.

Captain Dawai Chen has to find the culprit. He discovers, through his sister Lien and FBI Agent Carol Barrett, that the RAT contains code he wrote himself years ago, collaborating with Nicholas Hathaway. Nicholas was in prison, and Agent Barrett helped to release him, because of course, Nick’s help is crucial to the investigation.

Coincidentally, the Mercantile Trade Exchange in Chicago is attacked with the same RAT, and soy prices skyrocket. It’s a commodities trading disaster! That incident makes the Chinese and American officials willing to collaborate.

Our characters spend time in the US, travel to various locations in China, and eventually they travel to Malaysia and Indonesia as well. There’s lots of explosions, lots of super intense gunfire, one of the main characters is murdered while in his car, and of course, that explodes as well.

I went into the movie theater with very low expectations for the film’s technical accuracy. Actually, Hollywood has done much worse when it comes to depicting cyberwarfare and information security attacks in general. There were highlights and lowlights. First, I’ll explain what I think the film got right.

Accuracies

  • It was quite correct to state that a RAT can be used to wreak havoc, such as causing a nuclear disaster. And malware has attacked nuclear facilities before, such as when Stuxnet hit Iran.
  • Some of the GNU/Linux BASH shell commands were accurate. I saw a “sudo” here and there.
  • It’s possible for the Chicago Mercantile Exchange to be attacked through a RAT.
  • Yes, IPSes and firewalls are indeed network security devices. Kudos!
  • Correct usage of the right kind of proxy servers can make tracing a blackhat’s activity a lot more difficult.
  • What really impressed me was that at one point, someone filebound a keylogger to a PDF in order to acquire a password. The PDF was for the user to review their organization’s password policy when he was instructed to change his password. This was the very first time in American film and television that I’ve seen filebinding and software keylogging used properly, and the social engineering it may require to be successful.
  • In NCIS and Hackers, they make it seem like “hacking” requires ultra fast typing. Supposedly, the way to “hack” or defend against a “hack” is to type at 327 words per minute! The faster the typing, the more hackerific the hacking! I didn’t see any of that BS in Blackhat. Very good.

Now, here’s where Blackhat errs.

Inaccuracies

  • In the first scene that Chris Hemsworth’s Nicholas Hathaway appears in, he’s interrogated in prison about something he did. The interrogater says, “You used this to open a command line?” As if opening a command line on a machine is some super impressive, devious feat. Notice that he didn’t say “acquire root access.” Just “open a command line.” Groan…
  • Although this has nothing to do with information security, I noticed that Hong Kong and the Chinese cities in the movie were completely devoid of air pollution. Beijing and other Chinese cities are notorious for having horrific air quality, to the extent that it even interferes with landings and departures at Beijing’s international airport.
  • Absolutely all of the code displayed in the movie was hexidecimal. Or random combinations of letters and numbers, sometimes it was difficult to tell. I highly doubt that the coders in the movie work purely in assembly. Especially when they develop applications like RATs.
  • An NSA information security professional was extremely perplexed that his data center was penetrated, because they have firewalls and IPSes. Those things are bulletproof, don’t ya know?
  • Likewise, checking physical security amounted to verifying that the door to the server room was protected by a fingerprint scanner, and that’s it.
  • A monitoring device was put on Nick for his release. Fair enough. It was controlled by an Android app. One of the settings was for how frequently the app checked the geolocation of Nick’s monitoring device. Nick was able to grab the Android phone at one point and change its settings so that it checked his location a lot less frequently. Why would the backend of a convict’s monitoring device be so insecure, physically and otherwise?
  • Apparently, you can do a “whois” on both usernames and IP addresses. That’s news to me.
  • On a related note, once you’ve found an IP address, you’ve definitely got someone! It’s not like dynamic IP addresses and IP address spoofing exist, or anything like that. Also, that contradicts how the movie shows that proxy server use can make attackers more difficult to find.
  • In one scene, Nick and Lien eat at a Korean restaurant that’s somewhere in the United States. Hangul (Korean) characters can be seen here and there, but for some reason, there are Chinese characters to be seen as well. All that funny Asian writing is all the same, isn’t it? Anyway, at some point, Nick goes to the restaurant’s backroom, where there’s a PC with a couple of monitors. I could tell that Nick didn’t boot an OS from a USB stick or DVD. He didn’t use any external media, so he couldn’t have loaded applications from them either. A restaurant’s PC will typically have standard OS applications, financial software, and some sort of POS backend, without much else. I’d be surprised to find something like Wireshark or Nessus on a restaurant’s PC. Nonetheless, within mere seconds of acquiring physical access to the PC, Nick runs some pretty heavy duty network penetration tools.
  • Black Widow is a fictional Nessus/OpenVAS-like program. Or perhaps it’s something like Kali Linux. It’s a super secret tool that only the FBI is supposed to have access to! As if these sorts of things are only developed by and used by the FBI!
  • At one point, Nick and Lien are in the middle of a rural part of Malaysia. It’s really, really rural. There’s just a very tiny village there, and that’s it. Somehow, Lien is able to whip out her laptop and enjoy instant network connectivity. Maybe she’s using satellite technology, but that’s doubtful.
  • FBI Agent Carol Barrett assures her colleagues that the Chinese can be trusted because “they’ve been cooperative so far.” I’ve written about Chinese cyber attacks on the United States before. Such incidents have been very frequent, and very recent. The movie takes place in March 2015. There was Operation Aurora in late 2009 that targeted Google and Adobe. The Office of the National Counterintelligence Executive reported Chinese cyber attacks on American military servers to Congress in November 2011. Backdoors have been found in devices sold to the United States and manufactured by Huawei and ZTE, both of which are closely tied to the Chinese government. That’s just the tip of the iceberg. The FBI should be well aware that collaborating with the Chinese to investigate cyberwarfare is a bad idea. There are probably intelligence types who laughed while watching this movie.

Summary

It’s obvious to me that some effort was made to make Blackhat technically accurate. But clearly, there were still blunders.

As far as the American and Chinese collaboration in the film is concerned, I think that can be explained with three words: International box office. More and more, major Hollywood studios are relying on it to make movies that cost $70 to 150 million profitable. For instance, by Hollywood blockbuster standards, Pacific Rim didn’t do very well in the United States. But it ended up making a lot of money anyway, largely from Chinese moviegoers. Hollywood looks at China with dollar signs in her eyes. So, it was an absolute must that the Chinese government was depicted positively in the movie.

Compared to previous attempts, Blackhat is an improvement in how information security and computer technology is portrayed in fiction. But it’s only a minor improvement.