Introduction
Before you start, how about getting the Hackers soundtrack playing as you read this? Get a bit of the Stereo MCs pumping… https://open.spotify.com/playlist/5uMdR4Mb3ZL2FYTNjs9nnD
How plausible are the hacks? We’ll ignore the dodgy CGI, IRC sessions, l33t speak and questionable acting in the quest to find what stacks up in the real world.
Robot videotape vault
Now, the amusing scene where a videotape library at a TV station is compromised and the two robots ‘fight’ over tapes is just plain silly, but we’ve done a similar-ish job in the past.
A client in the pharmaceutical sector had a robotic compound vault for storage of their drug compounds under research. With around 500,000 compounds stored in it, representing hundreds of millions of dollars’ worth of research, loss of the index would be catastrophic, so we were asked to determine if we could remotely break into it. Short answer: we did, and could have trashed the entire system. Fixes were quickly implemented and validated, ensuring the security of the compounds.
Building hacking
Early in the movie, a building management system is compromised. This is perhaps the most plausible scene in the movie. Whilst BMS was rare in the 90s, the systems that were around were often poorly secured.
Similarly, turning on the fire sprinklers in the school was partially plausible. Most sprinkler heads are triggered per head, rather than a widespread drenching as seen in the movie, but the principle is still valid.
Even today, we find complex BMS and connected building systems exposed in surprising ways. Probably the biggest area of concern for us is the long life and unsupported nature of the hardware, meaning that vulnerabilities are rarely fixed.
Hack the Gibson
At the core of the plot is the Gibson supercomputer. The CGI was laughable from a technical point of view, but supercomputer security is a very real thing.
Public research papers are hard to find, as those supercomputers are rarely found on the public internet and vulnerability disclosure programmes don’t often apply.
However, we’ve been asked to pen test a supercomputer in the past, one that was at the time in the top 10 most powerful supercomputers globally. The vendor did not permit any public disclosure, so we can’t say much, but we did find some interesting vulnerabilities. I guess the surprise for us was that these security flaws made it to production. Our client, the purchaser of said expensive supercomputer, was equally surprised!
Da Vinci virus capsizing ships
Despite the virus actually being a worm and only a distraction, it was intended to attack the Ellingson oil tanker fleet. This is implausible as there was insufficient satellite connectivity to vessels at the time, so vessels were effectively offline when at sea. Hence, triggering or recovering from an attack was almost impossible. Whilst sat phones were available, satellite data was incredibly slow and incredibly expensive, so was rarely used.
The virus was intended to cause capsizes by triggering ballast pumps. Whilst this is just about plausible today (we have had remote control of ballast pumps during some of our cruise ship pen testing exercises), this simply wasn’t the case in the 90s.
Ship ballasting is usually not fully automated. Some vessels have automated anti-heeling systems, but that is only one part of ballast operations. Modern ballast water treatment rules also mean crews are often reluctant to leave systems in a state where seawater can be taken on without active control.
Ballasting is also slow. Even if you could interfere with controls, a sudden dramatic effect is unlikely. In most real situations a human would notice abnormal readings or vessel behaviour and stop the operation long before it became dangerous.
ATM hack
Everyone loves an ATM hack, getting it to spit cash out in a ‘jackpotting’ style, with a hat tip to the awesome, late Barnaby Jack. ATM cores were generally Windows PCs with some hardening.
Along the way we’ve also pen tested ATM dispensers, which are far more interesting, and custom devices running serial protocols.
Drilling the case and ‘spiking’ the serial lines inside can be a way to trigger the dispenser to cash out.
However, some of the ‘hacks’ are just as valid today as they were 30 years ago.
The low-tech stuff still works
For all the flashy visuals, the most believable parts of Hackers are also the least cinematic. They are the bits that barely register as “hacking” at all.
Dumpster diving
Pulling sensitive information from the bin has never really gone away. We still find passwords, network diagrams, badge templates, shipping labels, and internal paperwork disposed of without shredding. The attack surface is mundane and often dirty, but the impact is often real.
Social engineering
This is still one of the most effective techniques we see. Convincing someone to help you, override a process, or share access remains far easier than exploiting a technical vulnerability. The film perhaps exaggerates the confidence and speed, but the underlying idea is solid.
Demon dialling/war dialling
Automated scanning of phone numbers to find exposed, poorly secured modems feels dated, but the concept never disappeared. It simply evolved. Today it is exposed VPNs, remote access gateways, management interfaces, and forgotten services rather than modems answering a call at 3am.
Passwords
This might be the most accurate part of the film. Hopefully we’ve moved on from ‘god’, ‘secret’ and ‘love’, but weak, predictable, and re-used passwords remain everywhere. We still see default credentials, reused secrets, shared accounts, and combinations that would not have looked out of place in 1995. Technology moved on. Human behaviour did not. This is particularly prevalent in OT networks, which were not often connected in the past, but increasingly are.
So, how plausible was it?
Systems that were never designed to be exposed end up connected anyway. Long-lived infrastructure outlasts its security model. Organisations assume niche or expensive technology must be secure by default. Attackers chain together small, boring weaknesses rather than relying on a single brilliant exploit.
Thirty years on, that part feels uncomfortably familiar. It is particularly familiar in OT environments, which are often playing ‘catch up’ with IT networks, where more time, effort, and money have been spent on their security.
The tools changed. The networks got faster. The screens got flatter.
The mistakes often stayed the same.