Man, I love hacker movies. I imagine this is how police detectives feel when they watch CSI: Miami, or lawyers when they watch Suits.
They're dumb. Really dumb. And they're nowhere close to accurate in their portrayal of what real hacking is actually like.
But who can blame TV shows and movies for making us think hackers are like cyber-ninjas? Real-life hacking largely consists of staring at a screen for hours on end reviewing code, performing scans, getting coffee while you wait for said scan, reviewing the scan results and processing reports... oh, and did I mention waiting?
Yeah, it gets old pretty fast.
That isn't to say real-life security work is outright boring, but you have to remember that it's like most any 9-to-5 job with exciting and dull moments. And it's also important to remember that there's far more to cybersecurity than just hacking. Cybersecurity comprises a whole laundry list of disciplines and specialities that go way beyond what most 'hacking' scenes show in movies.
And now onto the main event: which movies are the best examples of hacking in film and TV, and which ones are the worst? And more importantly, what makes them so good or bad? It's time for our first contender:
This film shows off a hacking technique that isn't talked about or depicted in media very much, and yet is incredibly effective: fake email. Rihanna's character Nine Ball uses a technique called 'spear phishing' which involves sending a very specifically targeted email to the victim to get them to click and inadvertently install malware.
In this case, she researched her target's online behaviour and interests—not very different from plain ol' stalking—and found from his Facebook page that he loved dogs. She created a realistic-looking webpage for a dog-lovers' club and sent him an email with pictures and links to the site.
The target, unbeknownst to him, was clicking on malware that gave her access to his computer, allowing her to remotely control and collect information from it.
The interesting thing about spear phishing attacks is that they don't really involve a whole lot of complicated tech know-how. This technique relies far more on unearthing certain habits or behaviours of a user and exploiting them by making them click on unsafe links or downloads.
This scene also exposes the single weakest link in any cybersecurity infrastructure: human error.
This one's just straight-up a meme at this point. Where to even begin? There's random stuff constantly flashing on screen so fast it would be impossible to even remotely understand what's happening.
Couple that with nonsensical word soup like 'DoD-level encryption' or 'point attack', and you have yourself a scene that's trying to sound complicated and highly technical without being either.
First of all, getting hacked doesn't result in a chaotic jumble of UI elements cluttering your screen. The whole point of hacking is to breach or compromise a system as quietly as possible so you get the information you need without immediately alerting the target. If you were breaking into someone's house, you wouldn't purposely trip all their alarms just to 'overwhelm' them... right?
Second of all, two people typing on the same keyboard? I get that it's supposed to convey urgency, but there's no conceivable situation where it would be more efficient.
And finally, the icing on the cake: unplugging the monitor to stop the hacker in their tracks. I think I'll leave you to figure out what's wrong with that one.
This one has a really interesting story behind it. In this scene, Trinity is seen using Nmap, an open-source network scanning tool that's regularly used by real hackers. She's attempting to attack a Secure Shell (SSH) service by exploiting a specific vulnerability that actually existed.
The SSH CRC-32 bug is a buffer overflow in a chunk of code designed to guard against cryptographic attacks on SSH version one. If the exploit goes through, it can give the attacker full access to the vulnerable machine.
But that's not even the crazy part: this vulnerability was discovered literally a month before the movie began filming, while the film was being written and pre-production was underway. That means they likely altered this particular scene to feature the latest cybersecurity exploit found at the time. Cool, huh?
In fact, the exploit was so scarily accurate that it prompted security experts in Scotland Yard's Computer Crime unit to warn film fans not to try and emulate the hack shown in the film. Now that's how you get real hacker street cred.
In case you're wondering, yelling "Hack, hack, hack!" at your security engineer isn't going to make the process go any faster.
But that's exactly what the eponymous Richard Castle does in season 8, episode 8 of Castle. In this scene, a hacker is trying to access the NYPD's database, while the police are trying to prevent the attack.
The screen conveniently displays what percentage of the firewall has been breached, and there's plenty of user-friendly UI that shows exactly how quickly the hacker is "burning through the firewall".
Unfortunately for the writers of the show, that's not really how firewalls, or any security protocols, work at all. There's no way of clearly defining how much progress you've made in breaching an application.
If there's one thing any security engineer knows, it's that friendly UI is not something you'll see in real-world security tools. And you're definitely not going to see massive screens displaying the image of nuclear missiles with a button saying 'LAUNCH' which will unleash cybernukes on your attacker's system.
Among all the films and TV shows listed here, Mr. Robot features some of the most realistic and sophisticated hacking methods without sacrificing drama and intrigue.
The reason for that is Kor Adana, writer and technology producer of the show, and his highly painstaking and involved process of research, brainstorming, and some clever writing that always keeps the hacking grounded. Having a background in cybersecurity, Adana works with a team of hackers to develop realistic and exciting storylines for the show.
In one specific case, the protagonist Elliot Alderson had to hack the FBI to get information about a company they were investigating. For a lone actor with no real inroads into a highly sophisticated and secure organisation like the FBI, this would seem to be a near-impossible task.
However, not all of the FBI's networks are classified, and agents are also given standard-issue phones. With the help of ex-FBI consultants, they formulated a scenario where Elliot would use a custom exploit to breach and steal data from FBI agents' Android phones while they were on an investigation.
The show treads the fine line between dramatic fiction and grounded realism by finding clever ways to solve problems that could otherwise have been carelessly explained away with some technical mumbo-jumbo.
This one honestly just gave me a good laugh. It's not so much an example of bad cybersecurity as it is a lack of imagination.
In this scene, the Commander asks a crew member how a 'data core audit' was going. They reply with this: "The probe used multiple SQL injections, but I've yet to find any compromised files."
Yep. A Federation spacecraft in the 23rd century is apparently vulnerable to one of the most basic and common security vulnerabilities today. You heard it here first, people.
If you didn't already know, an SQL injection is an attack where malicious SQL (Structured Query Language) statements are inserted into an entry field for execution. In fact, the first time people actually started talking about SQL injections was way back in 1998.
As of 2021, injection attacks—and particularly SQL injections—rank at the very top of the OWASP Top 10, a list of the most critical and commonly found security vulnerabilities among applications and networks the world over.
Clearly, the writers of Star Trek: Discovery were banking on viewers not knowing what an SQL injection is so they didn't have to come up with a more plausible-sounding security attack that actually made sense for a world set over 200 years in the future.
While these are my 6 favourite examples of good and bad cybersecurity in movies and TV, there are many, many more out there that I couldn't even hope to begin to cover. But what are some of the best and worst hacking scenes you've watched in a movie?
Making fun of bad movies is easy, but it's even more fun when you can explain exactly why they're so bad. That's why you should check out AppSecEngineer's suite of courses and hands-on labs where you learn everything from cloud security to DevSecOps to Kubernetes security. You can take our no-strings-attached 14-day free trial right here.
Aneesh Bhargav is the Head of Content Strategy at AppSecEngineer. He has experience in creating long-form written content, copywriting, producing YouTube videos and promotional content. Aneesh has experience working in the Application Security industry both as a writer and a marketer, and has hosted booths at globally recognized conferences like Black Hat. He has also assisted the lead trainer at a sold-out DevSecOps training at Black Hat. An avid reader and learner, Aneesh spends much of his time learning not just about the security industry, but the global economy, which directly informs his content strategy at AppSecEngineer. When he's not creating AppSec-related content, he's probably playing video games.