In the midst of shootouts, hand-to-hand close quarter combat scenes and a car chase that destroys most of the Las Vegas strip during a tech conference, Jason Bourne, the latest installment of a now-five movie series, was built around a theme of cyberwarfare that wasn't all movie magic.
The film includes a high-profile data breach that dwarfs the Snowden revelations, secret surveillance programs enabled by major tech firms and a government request for a backdoor in the name of national security.
Jason Bourne tackles real world cybersecurity issues including privacy, metadata collection, hacking, data leaks, and cyberespionage in ways that aren't that different from real life, according to some cybersecurity professionals.
In one scene, a protagonist remotely hacks into a database using SQL to corrupt the database and then uses a backdoor to exfiltrate files.
Although the scene doesn't show exactly how the hack is carried out, “it is possible that hackers using TTPs which includes SQL injection attack and backdoor exploits can steal your data,” Ajay Uggirala, director of product marketing at Imperva, told SCMagazine.com via email.
The film also included officials being alerted about a data breach in real time, identifying the location of the device used in the intrusion and embedding tracking code within the exfiltration and identifying a perpetrator using a database of known devices previously used in suspicious activity.
All of which are feasible capabilities and responses to a data breach, Uggirala said.
“The movie wasn't simply another action flick, but a brief look at several key elements facing our modern society,” Brad Bussie, director of product management at STEALTHbits Technologies, told SCMagazine.com via email.
“The privacy issue that the Bourne character becomes wrapped into is similar to that of a real-life story that continues to unfold between Apple and the FBI,” Bussie wrote. “There are also similarities in the film between the phone monitoring that the government was recently blasted over – when classified material was leaked to the media – and the fictional launch of total device control through a developer backdoor."
The film also raises questions: To what extent can we trust large tech firms with securing metadata and how will these companies hold up under government pressure?
Catherine Allen, chair and CEO of Santa Fe Group, said the movie references the CIA investing in startups, which the agency has done, and the agency's funding of security and data-related businesses.
“The movie points out the privacy/national security tug of war.....an ongoing issue as recently exhibited by the Apple phone access to get terrorist information,” Allen told SCMagazine.com via email. “National security agencies want backdoors to all devices, which opens up huge security, as well as privacy, concerns. The movie was simplistic on these points, but at least took a stab at it.”
Allen said that she is less concerned about NSA activities than she is over the information Google, Amazon and social media sites have that might be used for more than commercial purposes and by foreign governments.
Other experts agreed. Michael Patterson, Plixer CEO and founder, said the tech firm in the film also reminds him of real-life social media capabilities in the U.S.
“The company Deep Dreams [in the film] reminded me of a large social media company in the U.S. that has invested heavily into facial recognition technology,” Patterson told SCMagazine.com via email. “I didn't think it was all that far-fetched.”
Like it did with the bad guys with bad aim and high-speed chases during "covert" operations, the filmmakers took some liberties concerning cyber capabilities.
“I did think it was a little strange when the GUI of their security system showed the hacker working his way past their three firewalls,” Patterson commented. “I was thinking to myself, 'Well, if you know the IP address, block it.'”
The film also features a scene in which a character accesses a mobile phone to hack into a nearby air-gapped or firewalled computer to delete fails.
“Gaining access to the mobile phone is a possibility, but hacking into what seemed to be an air-gap computer from a mobile phone is far-fetched,” Uggirala said. He added while it may be possible to bypass firewalls, it is not possible to remotely access and control devices from a mobile phone in the way shown.
Luther Martin, distinguished security technologist at HPE Security-Data Security, said scenes like this were in the best tradition of Hollywood, making things more interesting and exciting than they really are at the expense of realism.
“In this movie, we see that cracking encryption is no more difficult than typing some command,” Martin told SCMagazine.com via email. “In reality, however, encryption provides an extremely high level of data protection.”
Overall, most of the researchers enjoyed the film and said it presents a lot of interesting cyberespionage topics in a fun way.