Cybercrime in Hollywood: Why hacking is portrayed more accurately than you think
Our cloud security experts break down hacker scenes in movies and series released over the past 40 years
It’s a trope nearly as old as the movies themselves—hacking scenes are often the most dramatic and ridiculous, and can even border on unbelievable. After working in the security world, I wondered: could hackers really take control of a moving car? Or spy on you through the webcam on your laptop? How about shutting down a power grid?
You might assume movies and TV shows exaggerate hackers’ abilities for entertainment value—I know I did. But it turns out Hollywood gets it right more often than you’d think. And even when they do miss the mark, it’s not always because they’re embellishing—the frightening reality is that hackers are more powerful today than many filmmakers and producers ever predicted.
Thankfully, not everyone is surprised at how far cybercriminals have come. To find out more, I turned to some of my favorite cybersecurity experts—two of Lacework Labs’ cloud security researchers, Chris Hall and Greg Foss, who both consistently stay ahead of hackers and their techniques.
Chris, who worked in the US intelligence community for several years and founded a cyber intelligence company, and Greg, who ran a global security operations program and worked as a security analyst for the federal government, combined their unique security expertise to help me separate fact from fiction in these 10 scenes. We gave each a score from 1 to 5 (🔓🔓🔓🔓🔓), with 5 being the highest.
Jason Bourne (2016)
It can’t possibly be this easy to hack the CIA…right?
In this scene from Jason Bourne, we see former CIA analyst Nicky Parsons (played by Julia Stiles) breaking into the CIA’s server and downloading Black Ops files.
The defenders at the CIA headquarters detect the attempt right away when Alicia Vikander’s character notices a glitch in the packet count, which sends the team into a panic. However, Nicky is able to get the files she needs before they can do anything about it.
As it turns out, hacking the CIA isn’t this easy. Even if you’re an ex-employee, you probably can’t hack right into their network from your own computer.
“This type of data would normally be in a sensitive compartmented information facility (SCIF) off network,” Greg said. It would be unlikely for someone to be able to hack into the server unless they were using a device already on SIPRNet, which is the network used by the Department of Defense and State Department to transmit and store classified information.
“In the beginning, we saw a file on the computer named ‘Black Ops.’ That’s like having a file on your desktop called ‘Passwords,’” Chris said.
Chris, who worked in the US intelligence community for several years, explained that instead of having one folder with all of that important data, the information would more likely be compartmentalized. Very few people in the agency would be able to view all of the operations, as was shown in this scene.
“The fact that they could trace and attack within 30 seconds, that wouldn’t happen,” Chris said. If the hackers were using their home computer without obfuscating where they’re coming from, the defenders might be able to isolate their location, but it’s doubtful that any hacker would skip using a VPN.
The clip also shows the team accessing several IP addresses in just a few seconds—is that realistic?
Greg explained, “They would probably have to subpoena each one of those for access. It would be a months-long process for them to even build that trail, if at all possible, assuming all those places have logs and retain data.”
Shutting down the power is also far-fetched. If it was a facility they owned, it could happen. But if it’s not their facility, and they don’t have malware already on it, it’s not very likely.
Score: 🔓🔓
Sneakers (1992)
Sneakers is about a group of hackers who steal a “black box” decoder that exploits a flaw in the encryption algorithm, which means the box has the power to crack any encryption code in the world.
This scene shows the hacker group using the black box to crack three major systems in less than a minute, including the US power distribution grid and air traffic control system.
You can see the group realizing the gravity of what they’ve discovered toward the end of the scene as River Phoenix’s character says “So it’s a code breaker,” to which Robert Redford responds, “No, it’s the code breaker.”
So could this sort of code breaker really exist? Today, the intelligence community investigates these open algorithms for years to make sure there’s no way to exploit them. And this won’t change until we get a monumental leap in computing power.
In the future, if someone used powerful technology like a quantum computer, they might be able to crack a complex key quickly like we see here. But with the technology they’re showing from 30 years ago, it’s not realistic.
Although hackers couldn’t crack a complex key in one minute, they could access the systems that they’re showing here—and they could do that without any state-of-the-art technology or hacks.
“These systems are actually a lot more accessible and open now than they made it seem here. Nowadays, people can use Shodan to find industrial control systems and all sorts of things that are just open on the internet,” Greg said. “It’s actually worse than what they show here, especially now. Back in the 90s, there wasn’t as much on the internet, but now, everything is connected.”
Shodan is a search engine that both security researchers and hackers use to find open and vulnerable devices on the internet.
For example, at the Black Hat conference in 2017, two security researchers explained how easy it was for them to hack a car wash and exploit it to physically attack anyone who enters it. They found a car wash connected to the internet, used a default password to log in, and then were able to control the machinery and shut down the safety systems.
“It’s the same with the cloud,” Chris added. “Misconfigurations or forgetting to change default credentials are some of the biggest access points for hackers.”
So while this scene was not technically realistic in their scenario, it’s terrifyingly more realistic now.
Score: 🔓🔓🔓
The Fate of the Furious (2017)
I was hesitant to show Chris and Greg this clip of a cyberterrorist hacking into cars in New York City—I thought they would immediately laugh at its ridiculousness. So I was shocked when they told me something similar could happen… and it actually did.
In 2015, two security researchers remotely hacked a Jeep and took over the car brakes and accelerator as it was moving at 70 mph.
While it’s possible to hack one car, hackers probably wouldn’t be able to take over all of the cars in a major city, as suggested in this scene.
The researchers who took over the Jeep found a vulnerability in a specific service—the car’s Uconnect system—which was connected to the vehicle and allowed them to control its components.
“The first part where they were zooming in from orbit and then somehow able to see inside the vehicle from space was unrealistic. This technology might exist, but if so, it’s highly classified and probably not accessible to cyber terrorists,” Chris said.
This was a recurring theme in all 10 of the clips we watched. Filmmakers create a visualization to explain a concept and make it look much more interesting than it actually is. In reality, it’s very different… and super boring. Hacking a car looks more like code in a terminal.
Score: 🔓🔓🔓
Blackhat (2015)
We finally have a real(ish) scene! Weirdly enough, it’s crammed into a movie where Chris Hemsworth spends most of the time in shoot-outs and car chases.
Greg actually went to see this movie with fellow cyber-expert coworkers. They made fun of most parts of the movie—but not this scene, which shows a classic phishing attack.