Who doesn’t love a good movie! But watching a Hollywood Blockbuster can be wince-inducing at times for anyone who works in cybersecurity whenever filmmakers attempt to portray hackers and hacking. Filmmakers are often unfamiliar with the intricacies of information security, or else willing to deliberately subvert accuracy in the name of entertainment. Realism in the portrayal of hacking is sacrificed either through simple unfamiliarity or the need to present more accessible and dramatic alternatives of reality to engage and thrill audiences. Hollywood isn’t a fan of strict adherence to plausibility if it gets in the way of a rollicking good time or under-delivers in body count or explosions per minute.
In this blog post we take a step back from some of our more serious and informational content and dive instead into the world of entertainment, taking a light-hearted look at some of the most common tropes found in movie portrayals of hacking.
Villains in movies are always a little “larger than life,” assigned exaggerated traits by Hollywood producers determined to turn everything up to 11. This is never truer than with movie hackers, frequently portrayed as not just socially awkward, but fully pants-on-head cartoon-bonkers, the modern equivalent of the Mad Scientist. Often sporting the hacker equivalent of some variant of “Einstein Hair” and driven by inner daemons to work outside of the mainstream tech community, they refuse to be needlessly constrained by society’s petty morals and stifling conformity.
At the very least severely eccentric, but more typically mentally unsound, movie hacker motivations are morally abhorrent and often flat-out deranged: Bond villains with super-user access and fast typing skills. Speed 2’s Willem Dafoe is a perfect example: a computer-literate villain with wild hair, boggly eyes and manic expressions, and who enjoys attaching blood-sucking leeches to his body.
People are well aware that movies are prone to exaggeration and hamminess, but the idea that hackers in the real world really are if not completely insane then at least mentally unsound or extremely atypical has nevertheless stuck and resonated. Hackers are commonly believed to have higher degrees of Asperger’s Syndrome in particular, a condition characterized by dysfunctional social skills, lack of empathy, communication difficulties, and obsessive interests.
But is this true? Certainly, there have been several high-profile cases in the news of hackers that claim to have or are believed to suffer from the syndrome, including Gary McKinnon (accused of hacking into US military computers) and Lauri Love (accused of a series of hacks of US agencies including the Federal Bureau of Investigation, the U.S. army, the Missile Defense Agency, and the Federal Reserve).
However, a large study conducted by teams distributing eight-page surveys at Black Hat and Defcon conferences among others failed to find any significant difference between self-labelled hackers and the wider community of those working in technical careers such as science, mathematics, and computing.
Hackers in movies are almost always motivated by a burning and all-consuming desire for revenge against a specific person or organisation, seen as avengement and payback for some real or imagined past injustice or persecution committed against them. This focus is exclusive and their commitment absolute.
Movie villains that fit this mold include Timothy Oliphants “Gabriel” in Live Free or Die Hard as a former Defense Department analyst who leads a group of cyber-terrorists systematically shutting down the entire U.S. infrastructure, and Speed 2’s Willem Dafoe playing a wronged former employee of a cruise company who hacks into the ship’s computer system. There is never even a consideration of other targets detracting from this focus, and hacking is often simply the most viable form of revenge available to the antagonist.
In the real world, hacking is a little more nuanced, and motivations vary wildly between groups and individuals. Vindictive or “revenge” hacks against specific organisations certainly do occur, from disgruntled former (or current) employees through to so-called “hacktivists” targeting specific businesses or governments whose political agenda or business operations they object to ideologically. At the level of nation-state actors operating sophisticated APTs (Advanced Persistent Threats) there is absolutely this element of narrow focus on specific goals and targets also.
However, perhaps the majority of threats facing most businesses come from opportunist hackers seizing upon a vulnerability first, then identifying and targeting systems across the internet almost irrespective of their operator, or as a secondary consideration only. Many hacking tools allow for the scanning by hackers of vast ranges of internet address space to identify hosts and services that may be vulnerable to a given weakness.
Research in 2021 based on surveys of (largely “white-hat”) hackers at least reported that ascribing motivations of revenge to hackers was simply not supported by the data collected.
No good hacking movie is complete without a hacker cutting holes in windows with laser tools, zip-lining down an elevator shaft, knocking out security guards with tranquilizer darts or wearing elaborate disguises to infiltrate a building and plant some kind of bug or hack a mainframe computer. Movie hackers wear black turtlenecks, pack guns and are handy with a carabiner.
In the real world, hacking is a little less dynamic and provides remarkably few opportunities for honing martial arts skills. Hackers rarely put themselves at risk on in direct harm and certainly have no need to carry guns. Most hacking requires patience, skill, and technical ability, but delivered methodically via a computer terminal.
Even when attacking “air-gapped” targets with no direct internet/network access, hackers will look for ways to bridge that gap remotely rather than put themselves in harms way. Dutch certificate authority DigiNotar had security measures in place including the requirement for an employee to insert a physical key card into a computer kept in a heavily guarded room requiring biometric handprints, electronic door cards and sluice gates, in order to perform sensitive operations. However, DigiNotar was still hacked. Rather than taking a movie hacker approach, the attackers’ simple solution was just to wait for employees who tired of the security measures to simply leave their key cards permanent in place, undermining the security and allowing a remote hack to take place.
Hacking in movies takes minutes, at most. It’s often portrayed by filmmakers as a frantic exercise, with fast-paced electronic music, flashing graphics and countdown timers with deadlines in seconds rather than days, hours or even minutes. Perhaps the pinnacle of speed-hacking movie absurdity is Hugh Jackman in Swordfish, forced to hack a US Department of Defence computer in – quite literally – sixty seconds.
It doesn’t matter if the hacker in question has never even seen the target system before, is unfamiliar with its software or even its working principles and has access to no more specific tools than a keyboard and text console, a movie hacker will be able to compromise the system in seconds purely by typing very, very quickly.
This certainly makes for more compelling and engaging viewing for audiences than a portrayal of hacking more grounded in reality. Very few movies would benefit from seeing their intended 90-minute run-time stretched into a 12-hour epic featuring real-time footage of the hacker painstakingly researching their target or popping down to the launderette while their automated tools perform a UDP port scan of a system.
If a movie hacker does breach a system, then everyone knows about it straight away. Sometimes the hacker themselves immediately announces their presence, projecting animated rotating 3D skulls or laughing clowns onto monitors along with accompanying audio. And even if the hacker doesn’t themselves announce their presence, then the target system will immediately detect the breach and set off all manner of exciting visual and audio alarms to notify those being hacked. Klaxons sound, speakers blast automated “warning” messages and if you’re really lucky the lights go out and are replaced by spinning red strobe lamps of the type more commonly seen mounted to the roofs of fire engines. Not only will systems intuitively know that they’re being hacked, but they’ll provide indicators of the exact progress of the hack, such as a “downloading malware” progress bar. The baddie in Skyfall conveniently announces his system breach to good-guy techie Q with a classic red skull accompanied with mandatory witty riposte.
In reality, many if not most hacks simply go undetected for a considerable length of time. Detecting hacks is far from simple and picking out indicators of compromise from a torrent of recorded activity is no trivial task despite the use of dedicated tools such as SIEM (Security Incident and Event Management) systems and 24/7 SOCs (Security Operations Centres). Hackers take exhaustive steps not to announce their presence but to hide it, since an initial hack is often only a first foothold that they want to use in order to conduct further attacks deeper into an organisation’s network infrastructure: discovery would only hinder their ability to deliver on their ultimate objectives.
Estimates range as to how long a hack takes to detect on average, but the “dwell time” between initial breach and either detection or delivery of the ultimate goal by the hacker is generally in the range of months rather than seconds: various estimates place it as 56 days (M-Trends), 250 days (Sophos) or 287 days (IBM Data Breach Report). This may seem staggering, but it reflects both the patience and sophistication of hackers, as well as the difficulty in detecting attacks.
There’s a joke term in movie circles: that anything in movie sets is made of a chemical element known jokingly as “Explodium” and liable to burst into flames at the slightest provocation. Nothing says “you’ve been hacked” like a computer monitor violently popping sparks before the doors blow out from the server room followed by a plume of dense white smoke. Stuff Blows Up – and the noisier the better – regardless of any underlying logic or reason. In movieland, a successful hack will often trigger exciting pyrotechnical displays, circuit boards self-combusting if a host is compromised.
Of all the Hollywood hacking tropes this is of course the most obviously ludicrous and least reality-based of all in this list. But what has been a tried and tested formula since the days of console fires on the bridge of the starship Enterprise is too embedded as a principle for Hollywood to abandon now.
The reality is that the majority of hacking does not cause any direct physical harm. There are of course exceptions: many IoT (Internet of Things) devices act as controls for real-world devices and if hacked could be used to cause physical harm in a domestic or office environment. There are also fringe examples where machines can be hacked that operate industrial machinery and the potential for damage is even greater, such as the “Stuxnet” hack of Iranian nuclear processing plants. Yet the majority of hacks by far cause no change to the physical environment of the compromised host whatsoever.
We’ve already mentioned that movie hacking is immediately detected by an organisation. But what follows next is another Hollywood favourite: the Dueling Hackers, a head-to-head confrontation between the attackers and defenders, played out as a battle of wits and speed-typing skills. Often accompanied by cries of “he’s through the second firewall,” the success of the hack is determined only by whether the attacker or defender has the more impressive keyboard-mashing skills and can out-battle the other. An organisation’s only chance of defence relies upon their own pet hacker out-hacking the attacker in an epic battle of wits and keyboard-mashing as in James Bond outing SkyFall.
The reality is a little different. While organisations may have an Incident Response Plan to enact if a hack is detected, little or no activity is focused on directly and reactively engaging the hacker. Instead, the focus is on containment and recovery: disconnecting impacted systems from the network to break any network connections to the hacker and permitting forensic investigation, and then restoring service from a clean-slate “golden image.” It just isn’t exciting to watch. Preventing hacking is more about sound vulnerability management practices as a preventative control, detective controls to alert when indicators of compromise are detected, and corrective or compensating controls to restore service.
Any attempt to portray hacking realistically would be not only exceedingly slow-paced but would also likely be completely unfathomable to the majority of movie audiences. So instead of exploiting security flaws via a painstaking process of gradually finessing fuzzed inputs via a text console over the course of hours, movie hackers bypass authentication and security systems by guiding a miniature avatar of themselves through a fiery maze, dungeon, or other computer game. Hacking minigames come in a wide range of forms, from the use of a Dungeons and Dragons style RPG in 1997’s Mastermind, to flying over an isometric filesystem, Tron-style in Jurassic Park.
Hacking might be more popular if this was how it was done but thankfully that isn’t the case, and hacking requires significant technical skill in certainly developing exploits, if not always in deploying them and can be a laborious and exhaustive process. Some hackers disparagingly known as script kiddies simply execute or deploy exploits created by others, but at no point is anyone hacking their way through a virtual maze…
Hacking in movies is extremely simple for those privy to the mystical secrets of the art: hacking is quite literally the modern substitute for magic in the technology era, with hackers as modern-day wizards issuing mystical commands via their keyboard to subvert systems to their will. Defense against hackers is impossible because they simply possess unique skills and arcane knowledge that allows them to compromise any system that they turn their attention to.
Of course, the reality is somewhat different. Hacking relies on a solid technical understanding of computer and network protocols that can be learned by anyone, but hardly confers unlimited powers. Hackers can only exploit that which is vulnerable, and relies on organisations failing to prevent, detect or remediate vulnerabilities themselves before they can be exploited.
In movies, every single computer and piece of software is completely compatible and interoperable with every other system and hackers are able to compromise any system regardless of whether they have ever encountered it before. This is taken to its perhaps most absurd extreme in 1996’s Independence Day in which Jeff Goldblum’s character manages to write a completely custom computer virus on his laptop within a matter of hours, interfaces it with an alien fighter craft (presumably those must come with Wi-Fi or USB ports as standard) and uses it to disrupt the aliens’ shields’ by uploading it into the alien mothership’s operating system. It works, of course.
AppCheck can help you with providing assurance in your entire organisation’s security footprint, by detecting vulnerabilities and enabling organizations to remediate them before attackers are able to exploit them. AppCheck performs comprehensive checks for a massive range of web application and infrastructure vulnerabilities – including missing security patches, exposed network services and default or insecure authentication in place in infrastructure devices.
External vulnerability scanning secures the perimeter of your network from external threats, such as cyber criminals seeking to exploit or disrupt your internet facing infrastructure. Our state-of-the-art external vulnerability scanner can assist in strengthening and bolstering your external networks, which are most-prone to attack due to their ease of access.
The AppCheck Vulnerability Analysis Engine provides detailed rationale behind each finding including a custom narrative to explain the detection methodology, verbose technical detail, and proof of concept evidence through safe exploitation.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA)
As always, if you require any more information on this topic or want to see what unexpected vulnerabilities AppCheck can pick up in your website and applications then please contact us: firstname.lastname@example.org
No software to download or install.
Contact us or call us 0113 887 8380