Coffee, Malbolge, and Diamond Heists

In Elementary season 1, episode 10, "The Leviathan", a super, ultra, mega high tech, impregnable vault named "The Leviathan", located in a diamond exchange, is cracked and a bunch of diamonds are stolen. Sherlock is hired to figure out how the thieves broke into the vault. Amusingly, this same vault was robbed 4 years earlier by a crew of 4 people, but no one talked at their trial. Sherlock quickly deduces how most of the vault countermeasures were bypassed, but gets stuck when it comes to how the vault code itself was bypassed.

Glossing over most of the episode, we jump to the "solution" which was printed on the back of a coffee order used by the first robbery crew which was shown at the crew’s trial.

Malbolge on the back of a coffee order

Sherlock recognizes that as the programming language Malbolge (named after the 8th circle of Hell in Dante's Inferno) and sends it off to a colleague to decipher. He gets the following back.

Decoded Malbolge into a mathematical equation

"That's it, they attacked the random number generator!"

It’s an algorithm, Watson

Wait, what just happened here?

From what the show described (with no small amount of handwaving), the “solution” is that the thieves hacked the Leviathan’s software and fed an equation into it. That equation is what Sherlock received on his phone (which looks like it runs iOS 5 or iOS 6). So, instead of the vault using a true random number generator, it is unknowingly using a deterministic pseudo-random number generator with a seed value of pi.

I’ll confess to not really understanding that equation, as the variable part of the equation just shows pi which is a constant, so the result would be constant. However, if pi is considered a “seed” value and time is taken into account in calculating Q, then I suppose it could make sense. But whatever, that’s not particularly interesting to me. I want to look at the technical stuff.

Hello, Malbolge!

According to Wikipedia, the source code written on the screenshot above is not an algorithm, but it is actually a Hello World example. Hello World is typically the first program someone will write in a language they are learning. Wikipedia’s Malbolge examples have been shortened over the years, so you'll need to view an old version to find Elementary's code on Wikipedia.

I've got no hate for this. Malbolge is an esoteric language that is intentionally designed to be unreadable. It would make no sense to write anything remotely "real" for the sake of a one second snapshot on a TV show, so snagging Hello World off of Wikipedia is totally legit. I mean, someone could have just smashed their keyboard to the same effect… At least this way, the code is theoretically compilable.

Fun side note: While looking at this scene in detail, I noticed that the names written on the front of the coffee order are actually the names of the second robbery crew, not the first. I briefly thought I found an undiscovered goof, however someone on IMDB always beats me to the punch.

Front of the coffee order - wrong crew

Why would you use Malbolge?

For the show, it's a nice plot device - but in the real world, it doesn't make a lot of sense to me. When choosing a programming language for a project, a lot of factors are taken into account... Target environment constraints, familiarity with the language, library support, tooling, etc... But most of these are developer-experience (DX) concerns - as in, what the humans want to use. The computer doesn't really care so long as the code is eventually turned into machine code.

Because of how strange and esoteric Malbolge is, the only way a piece of Malbolge code could affect the random number generator (RNG) is if there was a Malbolge interpreter on the vault or RNG itself, which is completely insane. That code would likely be C, C++, or maybe a PLC-based language.

So, why would you choose to use Malbolge for a bank job?

How do you attack a random number generator?

This confused me when I first watched this episode. How do you just attack a vault’s random number generator with a piece of code you wrote at home on a weekend?

Any device that requires truly random numbers (like a vault or anything in cryptography) should use a Hardware Random Number Generator (HRNG), also known as a True Random Number Generator (TRNG) - which generates randomness from statistically random physical processes (like digitizing thermal noise). That's a pretty tight component with minimal/no firmware, which isn't really in a position to be re-programmed and start emitting customized equations.

I originally thought that this code was injected into the Leviathan at the diamond exchange during the robberies, but that makes no sense for a couple reasons.

  1. You can't just inject code into electronics - that's very much a TV/movie trope. Unless the device in question is ready to execute code, or can be re-programmed, that’s not much of an attack vector. Even if it was possible to re-program the vault, it’s more likely the new code would just brick it. I’d also guess that the vault’s programming interfaces would be on the inside, to really clamp down on attack vectors.

  2. On subsequent viewings, I caught a comment that someone with the PRNG algorithm can crack ANY Leviathan - so that made me think that the equation was being shipped with the vault. Either injected at manufacturing time, or directly in the source code. Most manufacturing attacks can be stymied by the standard process of using trusted suppliers, trusted manufacturers, and using encrypted firmware/software for installations. If it was injected at the source - that would be awful because it means that the company doesn't do code reviews, monitor git commits, and has a failing software workflow. Note: It’s not impossible for malicious code to come from the company itself - but given the size and the stakes, I find that hard to believe.

For brevity, I’ll leave aside the other handful of code injection problems and just go with it.

This also got me thinking about where you would inject this equation in the code itself. Assuming a hardware RNG in the vault which transmits data to a microprocessor or microcontroller over some communication interface, I think the equation could essentially function as a mock hardware random number generator. It’s the kind of thing I would use in development and testing, so it seems like a reasonable place to inject that malicious code.

All of the above is strictly related to a comment in the show about “attacking the random number generator”. I then started to think about what attacking that generator would do, because the vault needs to function correctly before and after the heist.

Time-based One Time Password

At one point, the creator of the vault is explaining some of its security features and mentioned that the 10-digit security code is only available on a hardware key to the vault owner, and it changes every 2 minutes.

What he's describing is fundamentally TOTP - where a shared secret key and an accurate clock are required for all parties to agree on a set of valid passcodes that change every so often.

Simple example of TOTP data flow (Twilio)

This is how most two-factor authentication techniques work, using Google Authenticator, Authy, etc. When you want to enable 2FA (in Gmail for instance), you scan a QR code (which is the shared secret key) and then your phone and Google’s servers know how to agree on a short 6 digit passcode (assuming your phone’s clock is working correctly).

It’s also really important to know that the QR code (shared secret key) isn’t on a 1:1 basis with your phone. You can grab more phones and scan that same QR code and you’ll see they all show the same passcode at any given time. One example of when this can be handy is if you have a shared account with someone and you're not sharing a password manager that can also handle TOTP.

A code that changes “every two minutes” is cool, but the recommended time-step size for TOTP according to RFC 6238 is 30 seconds, while allowing for 1 time-step of latency. So, the vault creator half-bragging about a 10-digit code changing every two minutes was kinda weird…

So, this all leads me to believe that the Malbolge equation, however it got into the vault(s) code, actually affects generation of the shared secret key - so that the owner’s key fob still works. I still don’t fully understand how this would work - because does that mean the vault creates the shared secret key (which is influenced by the Malbolge equation) and then that faulty key is transferred to the key fob…?

If so, that’s a strange way to set up the system. I would have naturally assumed that the shared secret key was created back in the creator’s labs or at manufacturing time, then it’s simultaneously injected into the key fob and vault. But, I suppose if the vault generates it - then it’s theoretically “offline” so that not even the manufacturers or vault designers would know about it.
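To make the failure mode concrete, here is an added example (not code from the show or from this post) of RFC 6238 TOTP run with the vault's stated parameters, where the shared secret is provisioned from a PRNG with a fixed seed. The names `provision_weak`, `provision_strong`, `KNOWN_SEED` and the timestamp are assumptions made for illustration; the point is that TOTP is only as unpredictable as the secret behind it.

```python
import hashlib
import hmac
import random
import secrets
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)       # number of elapsed time steps
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def provision_weak(seed: str, length: int = 20) -> bytes:
    """Hypothetical flawed provisioning: secret comes from a PRNG with a fixed seed."""
    rng = random.Random(seed)                             # Mersenne Twister, not a CSPRNG
    return bytes(rng.getrandbits(8) for _ in range(length))

def provision_strong(length: int = 20) -> bytes:
    """Secret drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(length)

VAULT_STEP, VAULT_DIGITS = 120, 10    # the show's parameters: 10 digits, 2 minutes
KNOWN_SEED = "3.14159265358979"       # constructed stand-in for the "seed value of pi"

def outsider_matches_fob(now: int) -> bool:
    """Someone who knows only the algorithm and seed rebuilds the fob's code."""
    fob_code = totp(provision_weak(KNOWN_SEED), now, VAULT_STEP, VAULT_DIGITS)
    rebuilt = totp(provision_weak(KNOWN_SEED), now, VAULT_STEP, VAULT_DIGITS)
    return hmac.compare_digest(fob_code, rebuilt)

if __name__ == "__main__":
    now = 1_000_000_000                                   # constructed timestamp
    print("weak provisioning reproducible:", outsider_matches_fob(now))
    print("strong secrets differ:", provision_strong() != provision_strong())
    # The truncated value is 31 bits (< 2147483648), so a 10-digit code always
    # starts with 0, 1 or 2 and carries no more entropy than ~9.3 digits.
    print("10-digit code:", totp(provision_weak(KNOWN_SEED), now, VAULT_STEP, VAULT_DIGITS))
```

The fob and the vault keep agreeing with each other in the weak case, which is why nothing looks broken from the owner's side.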

The number generator is working perfectly

That line of dialogue was spoken very early on in the show, and it made my brain itch. I started trying to figure out HOW they know it’s working perfectly.

Not how do they know it’s working… But how do they know it’s working PERFECTLY. What is a perfect random number generator?

Dilbert comic about random number generators (Dilbert)

I won’t dive into this, because it’s a complicated topic - but essentially you can run a visual analysis and just try to “see” if something is random. It’s not great, but it will point out a lot of flagrant errors (i.e. the one on the left looks like random noise, the one on the right has an obvious pattern - explained here).

Visual comparison of random data and a broken random number generator (Random.org)

In addition to visual tests, you can really only run statistical probability tests - and you have to run a lot of different ones, and you’ll have to concede that there exists some random number permutation which can, somewhere, someday, cause any of those tests to fail.
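As an added example (not from the show or this post), here are two such statistical tests, a byte-frequency chi-square and a lag-1 serial correlation, run over three constructed byte streams. It illustrates why several tests are needed and also why passing them says nothing about predictability: the stream from a fixed, known seed passes both and can still be regenerated byte for byte. The thresholds and the seed are illustrative assumptions.

```python
import random

def chi_square_bytes(data: bytes) -> float:
    """Pearson chi-square of byte frequencies against a uniform distribution."""
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)

def serial_correlation(data: bytes) -> float:
    """Lag-1 correlation between consecutive bytes; near 0 for independent output."""
    n = len(data) - 1
    xs, ys = data[:-1], data[1:]
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def looks_random(data: bytes) -> bool:
    # Loose illustrative cut-offs (assumptions): 255 degrees of freedom gives a
    # chi-square mean of 255 and a standard deviation of about 22.6.
    return chi_square_bytes(data) < 400 and abs(serial_correlation(data)) < 0.05

N = 65536
SEED = "3.14159265358979"                    # constructed: fixed, publicly known seed

def seeded_stream() -> bytes:
    rng = random.Random(SEED)                # deterministic Mersenne Twister
    return bytes(rng.getrandbits(8) for _ in range(N))

prng_bytes = seeded_stream()
counter_bytes = bytes(i % 256 for i in range(N))       # constructed: perfectly uniform pattern
biased_bytes = bytes(b & 0x7F for b in prng_bytes)     # constructed: top bit stuck at 0

if __name__ == "__main__":
    for name, data in [("seeded PRNG", prng_bytes), ("counter", counter_bytes),
                       ("stuck bit", biased_bytes)]:
        print(f"{name:12} chi2={chi_square_bytes(data):10.1f} "
              f"corr={serial_correlation(data):+.4f} pass={looks_random(data)}")
    print("seeded stream replayed exactly:", seeded_stream() == prng_bytes)
```

The counter passes the frequency test with a chi-square of exactly 0 and is only caught by the correlation test; the seeded stream is caught by neither.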

Haven’t I done this before?

Many years ago, while working on Bluegiga products using the very limited BGScript language (which did not have any random number generators), I wrote a pseudo-RNG. In that post, I walked through some of the obvious flaws of trying to write a PRNG using deterministic calculations and how I tried to overcome them to make something usable, but not cryptographically secure. For example, each device had a seed based on their MAC address, to lower the probability that any two devices would produce the exact same values. Then, I added some thermal noise to reduce the chance that a single device would repeat the exact same set of numbers on reboot.

In that post I did some basic visual and statistical tests, but nothing remotely rigorous because it was never meant to be cryptographically secure. It was just something to add ANY decent level of randomness to one of my applications.

Visual analysis of BGScript pseudo-RNG

Footgun

This episode takes place around 2012-ish, so the real WTF to me is... Why did the original hacker print out his code? Who prints out code? The only explanation I can think of is that he had to sneak into the Leviathan offices, which are some sort of super-secure workspace where you get scanned for outside electronics. So, naturally he had to print out a page of gibberish while breaking into the offices, in order to hijack a computer, re-type the printed out Malbolge, and then magically inject the code somewhere where it could do... ummm... something about attacking the random number generator, which then did something else with pi that let the hacker break into the vault.

Okay. Fine. I'm on board with all that.

BUT! Why wouldn't you shred the only piece of evidence when you got home???