In ‘Blackhat,’ hacking details ring true, security pro says

Chris Hemsworth, left, plays Nicholas Hathaway and Viola Davis plays FBI Special Agent Carol Barrett in a scene from the movie "Blackhat."
(Universal Pictures / Associated Press)
Share via

Hollywood’s take on hacking is often wrong. But Michael Mann’s “Blackhat,” which opened Friday, is one of the rare films that gets it right, according to security expert Kevin Mahaffey.

Movies depict geniuses who are able to will their way into people’s computers. They show hackers guessing passwords and entering systems to swipe personal and corporate data. These sensational and sinister depictions may make for thrilling entertainment, but “in most movies, when hacking happens, it’s usually totally fake,” said Mahaffey, chief technical officer of mobile security company Lookout.

When “Blackhat,” the cybercrime thriller starring Chris Hemsworth, was screened to a roomful of cybersecurity experts last week, everyone agreed that it was the most accurate depiction of hacking they’d seen in a film, he said.


According to Mahaffey, that’s important for a couple reasons: First, it highlights the real threats hackers pose to cybersecurity. And it will make clear to moviegoers the ways they’re actually vulnerable to hacks.

“The hacks in the movie relied on humans being the weak link,” Mahaffey said. Cybercrime movies usually feature hackers whose technical chops give them total control of systems. In “Blackhat,” “hackers find a weakness in a system, but ultimately use a human to exploit that weakness” -- a lot closer to real life. “For example, they’ll send someone infected documents and get them to open it. That’s one of the top ways cybercriminals get into private and government organizations.”

Another hacker scheme in “Blackhat” uses a USB key to get into someone’s computer. Oftentimes, people unknowingly insert infected USB sticks into their devices, which can be the equivalent of opening the front door of their house to burglars.

Another thing the film got right, he said: the potential for hackers to get into industrial control systems that control things such as factories and power plants.

In an early scene in the movie, hackers take a nuclear power plant offline. While this may strike many moviegoers as fantasy, it’s actually already happening. The Stuxnet computer “worm” is thought to have damaged Iranian nuclear centrifuges in 2010. In late 2014, a German steel mill was attacked by hackers, which caused machinery to spin out of control and created significant physical damage.

“It should cause people to put thought into how we secure our systems,” Mahaffey said. “We should be thinking critically about our power infrastructure, our medical infrastructure, and making sure we hold people accountable for investing in that security.”


Mahaffey said “Blackhat” had other important accuracies, such as depicting hackers as not all good or bad, but on a spectrum. There are good hackers and bad hackers, he said. The good hackers -- or “white hats” -- look for weaknesses in systems so they can help governments and corporations strengthen their security. The bad hackers -- or “black hats” -- look to exploit weaknesses for criminal activities.

Cybersecurity aside, “Blackhat” has an even bigger takeaway for viewers, Mahaffey said.

“I hope that people take away that all hackers look like Chris Hemsworth.”

Twitter: @traceylien