Oleksii - stock.adobe.com

Too many secrets: What can today’s cyber teams learn from a 30-year-old film?

Despite being 30 years old, Sneakers remains a classic hacker film. The technology may have dated, but the underlying themes remain relevant and remind us about the threats lurking online

“The world isn’t run by weapons any more, or energy, or money. It’s run by little ones and zeros, little bits of data,” says Ben Kingsley as Cosmo in the film Sneakers.

Directed by Phil Alden Robinson and co-written by Robinson, Lawrence Lasker and Walter F Parkes, Sneakers was released in 1992, although its development began a decade earlier. It was during the development of a previous film, WarGames, that Lasker and Parkes learned of the existence of “sneakers” – teams of hackers, phreakers (exploiters of telecommunication systems) and ex-law enforcement agents, hired to break into secure facilities and top-secret installations.

The film Sneakers follows Martin Bishop (Robert Redford) as he leads a team of security experts specialising in testing security systems. When rogue government agents blackmail Bishop into stealing a black box from a top-secret project called Setec Astronomy, Whistler (David Strathairn) discovers that it has the capability to break encryption systems. Framed for the murder of Setec Astronomy’s inventor, Bishop and his team are on the run and need to retrieve the black box from the blackmailers before it is too late.

Although the film has aged technologically, with its chunky desktop PCs and reliance on corded landline telephones, the concerns it raises about privacy and security, such as the threats to encryption from new technology, remain pertinent. There are also plenty of references to hackers and their culture. For example, the character of Whistler, who is blind, was inspired by the early phreaker Joe Engrassia (aka Joybubbles).

“Sneakers is a great, fictional example of what happens with encryption backdoors or vulnerabilities,” says network architecture consultant Chris Clemson. “Everyone wants them and they don’t stay secret for ever.”

A work of fiction with an accurate representation of security

One of the reasons Sneakers is so accurate is that Robinson interviewed a variety of technical experts to ensure the film’s verisimilitude. Len Adleman, who co-invented the RSA encryption algorithm, created the mathematical formulae for the presentation given by Gunter Janek (Donal Logue) in the film. Meanwhile, Robert Abbott, who designed the first time-sharing operating system for the Control Data Corporation CDC-6600, acted as a technical consultant throughout the film.

Bishop’s team of sneakers are in many ways the equivalent of modern-day penetration testers, who assess the security of corporate and government networks against potential vulnerabilities by attempting to breach those networks. As Sneakers was filmed before the internet became so pervasive, rather than attacking a corporate network, Bishop’s team break into buildings and report their findings.

It is interesting to note how Carl (River Phoenix) is caught by Bishop’s team hacking into his school’s network to change his grades. Rather than having Carl arrested, they recruit him into the team. This mirrors how some modern-day security organisations operate, by recruiting hackers they encounter, allowing them to benefit from channelling their technical skills.

One of the main plot threads in Sneakers is Bishop and his team’s discovery of exactly what Setec Astronomy is. The film portrays Setec Astronomy’s black box as being able to instantly decode encryption, effectively rendering the technology obsolete. “The numbers are so unbelievably big, that all the computers in the world could not break then down,” explains Janek in Sneakers. “But maybe, just maybe, there’s a shortcut…”

Setec Astronomy’s black box is, in many ways, analogous with quantum computing. The computational power of quantum computers will far outstrip that of today’s most powerful computers, which means they can break encryption far more quickly than conventional computers. Therefore, just as in Sneakers with the Setec Astronomy black box, whoever is the first to develop a viable quantum computing system may be able to bypass encrypted security.

Business sectors that deal in confidential or sensitive information – such as defence, financial medical and medical institutions – are already considering the impact that quantum computers could have on current encryption protocols and how that would influence their operations. While there has been a push for greater adoption of two-factor authentication (2FA), or air-gapping for high-security applications, some are exploring the efficacy of post-quantum encryption algorithms.

The fallibility of information security is reinforced in Sneakers when a character profile is created from just a single piece of information. Starting with a car licence plate, they identify the driver as Werner Brandes (Stephen Tobolowsky) and obtain his address by hacking into the Department of Motor Vehicles (DMV). From there, they are able to acquire his rubbish, allowing them to read letters and fabricate a meeting with him. This sequence highlights the dangers posed by sensitive information, both physical and electronic copies, if information is not properly disposed of and destroyed.

There is no such thing as absolute security

Just as in real life, Sneakers portrays humans as a weak point in an organisation’s security, because of their susceptibility to social engineering. The security guard where Janek works is deliberately distracted to allow Bishop to enter without a security card, while Brandes has his security card stolen and is tricked into sharing biometric data.

Sneakers also demonstrates how biometrics are not as infallible as they might appear. Using a high-quality recording of Brandes’ voice, Bishop is able to spoof a voice-print identifier. There is still a danger of an over-reliance on modern-day biometrics. They are marketed as an ideal security methodology, as the “key” is unique to each person, be it through a fingerprint reader or facial recognition system.

However, there are reported instances of these having been bypassed. Facial recognition systems can be fooled by 3D rendering using photographs from social media, and fingerprint locks have been bypassed by tricking the scanner using a fingerprint pressed into gelatine-based material.

Another thought-provoking moment in Sneakers is when Bishop encounters a keypad lock, but is able to get round it by simply kicking the door open, as the doorframe has not been reinforced. Although the moment is played comedically, it raises a valid point of security. Just because the door lock was secure, it does not mean everything else was protected. An analogy from the world of cyber security is the need to consider all network connections beyond the primary access points.

Sneakers also predicted the threat posed by keyloggers, which can record keyboard strokes to detect a user’s passwords. The film shows Janek being videotaped typing his password, until the view is unexpectedly blocked. Although modern-day keyloggers are far more sophisticated, due to the prevalence of the internet, the core threat remains similar.

The internet is everywhere

In Sneakers, it eventually emerges that an organised crime group (OCG) is behind the death of Janek and the conspiracy to steal the black box. Nowadays, OCGs are responsible for most online crime. Just as in the film, criminals are still using the internet to coordinate their activities, but OCGs now also operate numerous online crimes, such as the DarkSide ransomware attack against the Colonial Pipeline.

It is notable that certain governments in Sneakers are also interested in Setec Astronomy. The film later reveals that a US government agency funded it. A cultural attaché, heavily implied to be a spy, also offers Bishop political asylum because of Bishop’s involvement in stealing the black box. As Crease (Sidney Poitier) states in Sneakers: “There isn’t a government on this planet that wouldn’t kill us all for that thing.”

We have already witnessed cyber attacks that are motivated by political ideology and are strongly suspected to have been directly or indirectly sponsored by nation states. As our society becomes ever more reliant on digitally connected devices, cyber attacks against government departments and critical infrastructure are becoming increasingly disruptive.

One of the underlying themes of Sneakers is our perception of information, which essentially predicted social media campaigns and the spread of disinformation. “There’s a war out there, old friend, a world war – and it’s not about who’s got the most bullets, it’s about who controls the information,” says Cosmo in Sneakers. “What we see and hear, how we work, what we think, it’s all about the information.”

Cosmo wants to redistribute wealth by bringing down the economy – not by attacking financial institutions directly, but by sowing distrust.

There have been several disinformation campaigns, such as those that proliferated during recent UK and US elections, as well as at the time of the Brexit vote and the Covid-19 pandemic. These incidents have all demonstrated the degree to which large numbers of people can be influenced by disinformation campaigns and the impact that so-called “alternative facts” can have on society.

Although Sneakers is set in a world before social media and smartphones, the concerns it raises about the nature of security and privacy are chillingly prescient. We are still facing concerns about the possible obsoletion of encryption and what that would mean for information security. Although the technology has aged significantly, Sneakers’ adherence to the core principles of security, with their use of social engineering attacks, ensures that the film’s themes are as true today as they were when it was first released in 1992.

Read more on Hackers and cybercrime prevention

CIO
Security
Networking
Data Center
Data Management
Close