Cybercrime in Hollywood: Why hacking is portrayed more accurately than you think
Our cloud security experts break down hacker scenes in movies and series released over the past 40 years
October 4, 2022
It’s a trope nearly as old as the movies themselves—hacking scenes are often the most dramatic, ridiculous, and can even border on unbelievable. After working in the security world, it made me wonder, could hackers really take control of a moving car? Or spy on you through the webcam on your laptop? How about shutting down a power grid?
You might assume movies and TV shows exaggerate hackers’ abilities for entertainment value—I know I did. But, it turns out Hollywood gets it right more often than you’d think. And even when they do miss the mark, it’s not always because they’re embellishing—the frightening reality is that hackers are more powerful today than many filmmakers and producers ever predicted.
Thankfully, not everyone is surprised at how far cybercriminals have come. To find out more, I turned to some of my favorite cybersecurity experts—two of Lacework Labs’ cloud security researchers Chris Hall and Greg Foss, who both consistently stay ahead of hackers and their techniques.
Chris, who worked in the US intelligence community for several years and founded a cyber intelligence company, and Greg, who ran a global security operations program and worked as a security analyst for the federal government, combined their unique security expertise to help me separate fact from fiction in these 10 scenes. We gave each a score from 1 to 5 (🔓🔓🔓🔓🔓), with 5 being the highest.
Jason Bourne (2016)
It can’t possibly be this easy to hack the CIA…right?
In this scene from Jason Bourne, we see former CIA analyst Nicky Parsons (played by Julia Stiles) breaking into the CIA’s server and downloading Black Ops files.
The defenders at the CIA headquarters detect the attempt right away when Alicia Vikander’s character notices a glitch in the packet count, which sends the team into a panic. However, Nicky is able to get the files she needs before they can do anything about it.
As it turns out, hacking the CIA isn’t this easy. Even if you’re an ex-employee, you probably can’t hack right into their network from your own computer.
“This type of data would normally be in a sensitive compartmented information facility (SCIF) off network,” Greg said. It would be unlikely for someone to be able to hack into the server unless they were using a device already on SIPRNet, which is the network used by the Department of Defense and State Department to transmit and store classified information.
“In the beginning, we saw a file on the computer named ‘Black Ops.’ That’s like having a file on your desktop called ‘Passwords,’’’ Chris said.
Chris, who worked in the US intelligence community for several years, explained that instead of having one folder with all of that important data, the information would more likely be compartmentalized. Very few people in the agency would be able to view all of the operations like was shown in this scene.
“The fact that they could trace and attack within 30 seconds, that wouldn’t happen,” Chris said. If the hackers were using their home computer without obfuscating where they’re coming from, they might be able to isolate their location, but it’s doubtful that any hackers wouldn’t use a VPN.
The clip also shows the team accessing several IP addresses in just a few seconds—is that realistic?
Greg explained, “They would probably have to subpoena each one of those for access. It would be a months-long process for them to even build that trail, if at all possible, assuming all those places have logs and retain data.”
Shutting down the power is also far-fetched. If it was a facility they owned, it could happen. But if it’s not their facility, and they don’t have malware already on it, it’s not very likely.
Sneakers is about a group of hackers who steal a “black box” decoder that exploits a flaw in the encryption algorithm, which means the box has the power to crack any encryption code in the world.
This scene shows the hacker group using the black box to crack three major systems in less than a minute, including the US power distribution grid and air traffic control system.
You can see the group realizing the gravity of what they’ve discovered toward the end of the scene as River Phoenix’s character says “So it’s a code breaker,” to which Robert Redford responds, “No, it’s the code breaker.”
So could this sort of code breaker really exist? Today, the intelligence community investigates these open algorithms for years to make sure there’s no way to exploit them. And this won’t change until we get a monumental leap in computing power.
In the future, if someone used powerful technology like a quantum computer, they might be able to crack a complex key quickly like we see here. But with the technology they’re showing from 30 years ago, it’s not realistic.
Although hackers couldn’t crack a complex key in one minute, they could access the systems that they’re showing here—and they could do that without any state-of-the-art technology or hacks.
“These systems are actually a lot more accessible and open now than they made it seem here. Nowadays, people can use Shodan to find industrial control systems and all sorts of things that are just open on the internet,” Greg said. “It’s actually worse than what they show here, especially now. Back in the 90s, there wasn’t as much on the internet, but now, everything is connected.
Shodan is a search engine that both security researchers and hackers use to find open and vulnerable devices on the internet.
For example, at the Black Hat conference in 2017, two security researchers explained how easy it was for them to hack a car wash and exploit it to physically attack anyone who enters it. They found a car wash connected to the internet, used a default password to log in, and then were able to control the machinery and shut down the safety systems.
“It’s the same with the cloud,” Chris added. “Misconfigurations or forgetting to change default credentials are some of the biggest access points for hackers.”
So while this scene was not technically realistic in their scenario, it’s terrifyingly more realistic now.
The Fate of the Furious (2017)
I was hesitant to show Chris and Greg this clip of a cyberterrorist hacking into cars in New York City—I thought they would immediately laugh at its ridiculousness. So I was shocked when they told me something similar could happen… and it actually did.
In 2015, two security researchers remotely hacked a Jeep and took over the car brakes and accelerator as it was moving at 70 mph.
While it’s possible to hack one car, hackers probably wouldn’t be able to take over all of the cars in a major city, as suggested in this scene.
The researchers who took over the Jeep found a vulnerability in a specific service—the car’s Uconnect system—which was connected to the vehicle and allowed them to control its components.
“The first part where they were zooming in from orbit and then somehow able to see inside the vehicle from space was unrealistic. This technology might exist, but if so, it’s highly classified and probably not accessible to cyber terrorists,” Chris said.
This was a recurring theme in all 10 of the clips we watched. Filmmakers create a visualization to explain a concept and make it look much more interesting than it actually is. While in reality, it’s very different… and super boring. Hacking a car looks more like code in a terminal.
We finally have a real(ish) scene! Weirdly enough, it’s crammed into a movie where Chris Hemsworth spends most of the time in shoot-outs and car chases.
Greg actually went to see this movie with fellow cyber-expert coworkers. They made fun of most parts of the movie—but not this scene, which shows a classic phishing attack.
“A PDF is a common way to deploy malware, especially at that time in 2015,” Greg said.
Usually, a phishing attack victim would quickly see a command prompt to give away that something happened. The keylogger component, which tracks each key pressed on a keyboard, would be trickier to execute than the way they show it here. But it’s definitely plausible.
“A common thread in a lot of movies is that they show a visualization of the attack, like a ‘pew pew’ map,” Chris said. “Realistically, it would just be a terminal with a bunch of text. But these maps are better to look at than a terminal.”
Kaspersky’s real-time threat map, an example of a “pew pew” map, visualizes data to enable viewers to see different cybersecurity threat types around the world. Source: https://cybermap.kaspersky.com/
“That’s why Cobalt Strike was created, so you can have a ‘pew pew’ map of the systems you’re compromising,” Greg added. Cobalt Strike is a command-and-control tool that people use to test security companies, but hackers buy it too and use it to actually break into companies.
The Net (1995)
The 1995 movie The Net shows computer analyst Angela Bennett (Sandra Bullock) writing a patch to disable a virus—while also ordering pizza online. While this is the norm in 2022, it was an innovative feature when this movie was released. The Net director actually came up with this scene to demonstrate how Angela prefers to spend her time online and avoid talking to people, which is a key point in this movie when she struggles to find someone who knows her after her identity is completely erased by cybercriminals.
“I’m very pleased that our practical approach ended up being exactly what you see now when you order a pizza online,” Harold Mann, one of the movie’s technical consultants, said in a 2020 interview.
Speaking of pizza—Greg once had the chance to be a pizza hacker too. A few years ago, he visited a pizza place’s website to order delivery, and found that the ordering page for his local shop was combined with several other neighborhoods.
“I accidentally logged into one of the other neighborhoods, but my credentials worked. I went to check my account to order a pizza, and it was someone else’s info that was populated, including their credit card information,” Greg said.
He went back and checked the other locations and found that he was authenticated to each one, and could see other people’s credit card info. But instead of taking advantage of the vulnerability, he told the company about it.
“After I saw that, I went into my account and removed all of my info and reported it to the store, but I never heard anything back,” he said.
This is a prime example of a time when a responsible disclosure policy would have been helpful, which is a process set up by an organization to enable security researchers to safely and consistently report vulnerabilities they find on that organization’s website, app, etc.
When businesses have these policies in place, security researchers and analysts, ethical hackers, and others who discover flaws know exactly how and where to report them.
Greg felt a responsibility to report his discovery, just like The Net’s Angela made it her mission to expose the group of cyberterrorists attempting to take over the country while she also tried to get her identity back.
The Matrix Reloaded (2003)
“If you can hack the matrix, you can definitely run nmap,” Chris said.
Nmap—short for “network mapper”—is an open source network scanner used to check for vulnerabilities. In The Matrix Reloaded, they essentially have hacked into reality to begin with by plugging themselves into the matrix.
If these hackers were able to control those OT systems, it could happen. The nmap scene shown here actually uses real commands.
But why would a sci-fi dystopian movie include a real tool in a movie that’s otherwise totally fictional?
Gordon “Fyodor” Lyon, the creator of nmap, was thrilled to see his tool featured in the movie. That could be exactly why The Matrix creators decided to include it—to impress cyber experts and generate buzz in their networks. If that was their goal, it definitely worked, because I found dozens of articles and Reddit posts calling out the use of nmap in the movie, even years after it was released.
Mr. Robot (2019)
Mr. Robot—a series highlighting a cybersecurity engineer/hacker named Elliot who is tasked with taking down corporate America—features many realistic hacking and cybersecurity scenes.
Greg and Chris agreed that this scene was the most realistic clip out of all 10 that we watched.
“Mr. Robot does a good job of showing different technical tactics in addition to the human social networking part of it,” Chris said. “Hacking smart TVs is definitely doable, in fact, much easier to hack than traditional cable. You could project via chromecast or related screen mirroring software. There are a lot of possibilities when you’re connected to the same local network as the smart TV.”
The phone portion of the clip was also realistic where Elliot got the multi-factor authentication (MFA) code from the phone and then used it on his own computer to log into someone else’s account.
MFA adds an extra layer of protection in addition to a username/password. In 2019, Microsoft reported that MFA prevents 99.9 percent of attacks on your accounts; however, as technology advances, so do attackers. A more recent report from security advisory firm Mitiga says that we can no longer rely on MFA as the main line of defense against identity attacks because attackers recently found a loophole where they don’t need an MFA code a second time if the session was previously authorized.
As we see here in Mr. Robot, it’s also possible for attackers who have access to someone’s physical device to easily obtain the MFA code. If that person also has your username and password, they’ll be able to get right into your account.
Ocean’s 8 (2018)
Could someone access your webcam by clicking a link like in this scene from Ocean’s 8? Kind of.
“If you click a link and then download an executable file, or if it was an office doc with macros, it’s possible,” Chris said. “But just clicking something and then having control of the victim’s webcam is not likely.”
Web browser exploits exist, but when hackers find them, it’s popular to sell them instead of using them.
“The people who find those kinds of exploits are often more interested in selling the exploit, whether that be to intelligence services or submitting them to hacking competitions for significant payouts. That said, for a high-value target, a nation-state-level adversary may employ a similar capability.”
In 2017, an exploit acquisition platform called Zerodium was offering $1 million for zero-day browser exploits. This tweet highlights the recent $8 million sale of a fully remote one-click exploit kit for iOS and Android, possibly to a government agency.
This clip also shows the hacker using a device to get into the computer, which probably wouldn’t happen. It could be a brute force tool, but realistically someone would find the password in a file on their desktop instead of using a hardware device to do it.
WarGames, a 1983 science fiction thriller, is about a high school student (Matthew Broderick), who accidentally hacks a military supercomputer.
This scene shows him using an acoustic coupler, which was a device that connected phone lines with computers to send and receive data, to break into the school’s network and change his grades. This could happen, and it’s happened before. Many schools notoriously have poor cybersecurity.
“War dialing was relatively common in phreaking groups back then,” Greg said. Phreakers are hackers who specialize in phone hacks, and war dialing is a technique hackers use to automatically dial many phone numbers until they connect with a modem. Once they connect to an actual computer, they can attempt to log in.
At first, I thought this scene made hacking a school’s system look way too easy. But we have to remember that this movie was made nearly 40 years ago, at a time when people had no idea what computers could really do and this kind of event was so unexpected that it actually worked.
“We’ve only got two of the blinky boxes left to go…just hack! Hack!”
This clip from the ABC series Castle is so off-base I nearly took it off the list. Chris and Greg were almost speechless after they saw it.
This really exemplifies how ridiculous some cyber scenes can be. It’s the type of scene that comes to my mind whenever I think about hackers in TV shows—completely exaggerated, nonsensical portrayals. A quick Google search for “cybersecurity in Hollywood” shows me that a lot of other people feel the same. The first few results I saw were articles about misleading cybersecurity lessons from pop culture and why Hollywood movies make cyber experts cringe,
But as I learned from Greg and Chris, most scenes aren’t as crazy as I originally thought… NOT including this one.
While it would be convenient to see “Hack: located” on your screen when you’re trying to resolve an issue, the only thing realistic about this clip is that hackers actually do trash talk each other while they’re hacking.
In addition to the obvious crazy parts of the scene, “multiple layers of firewalls and tracing and knowing their trace too, none of that happens,” Greg said.
Our list needed a loser, and it looks like we saved the worst for last.
Did Hollywood get it right?
Next time you’re watching a hacking scene and wondering whether it’s realistic, remember two things: (1) Hollywood overemphasizes many cybersecurity scenes to make movies and TV shows more interesting for the viewers, and (2) cybercriminals have come a long way since they first began appearing in movies. They have the technical skills and the technology to do things we thought were impossible not too long ago.
Mr. Robot was our winner, most accurately showing smart TV and phone hacks as they would happen today, and the loser was Castle, which was so silly that the producers might have intended it to be that way. Or they thought that cybercriminals spend their time spamming people with cat videos.
Aside from the clear best and worst videos we watched, there were a lot of movies that fell in the middle of our scale. They showed some realistic parts, or at least realistic for the time. When I showed Chris and Greg certain scenes—like the hackers taking over the car—I was expecting them to laugh and say “no way,” so I was truly surprised to hear how many of these hacks were not only possible, but in some cases, they were old news. Before talking to them, I thought that Hollywood absurdly exaggerated ALL cyber scenes. Now I know not to assume that everything I see is so crazy—or at least to ask our experts before speculating.
While Hollywood doesn’t always show things in the most technically accurate ways, Chris and Greg are always digging for the truth. Follow their work and the rest of Lacework Labs on Twitter, LinkedIn, and Youtube.