On a recent weekend, I watched two movies, each of which used an element of computer security as a plot point. In one case, there was an example of extremely lax security, the kind of worst practice that we constantly warn against. In the other, someone was hacked by a seemingly magical device that, just by its presence near a character’s computer, allowed another character to access the computer and copy files.
For expediency, computer security and hacking tend to be portrayed unrealistically in movies and on TV, in part because realism would slow things down. But this depiction gives the wrong idea to users who watch these films and are influenced by what they see. Viewers expect verisimilitude in movies and TV shows, and directors and show runners often go to great lengths to present the world correctly (unless it’s a fantasy movie or TV series), through extensive use of consultants. But rarely is computer security depicted accurately.
(Warning: minor spoiler alert)
The first movie I saw recently was The Good Liar, with Ian McKellen and Helen Mirren. McKellen plays a con man, and it quickly becomes obvious that he’s the one who is going to be conned by Mirren’s character. At one point, they agree to put their funds in a joint account—£2.7 million for one, and £3.8 million for the other—via some sort of tablet that the supposed bank in the Cayman Islands has provided to them, via a financial advisor (working with McKellen). They need a password, and one of the characters points to a painting on the wall, to suggest something easy to remember: lilies. A six-character, lowercase letters-only password. To protect £6.5 million.
The second movie was Focus, with Will Smith and Margot Robbie. This was another con-artist film, with both characters working together, then apart, then sort-of together again. At one point, Smith’s character gives Robbie’s character a necklace, and she takes it back to her hotel room and drops it in her suitcase. But, aha! This necklace contains a miniature device that hacks into her boyfriend’s computer, even though he’s using an advanced hardware device that changes its login password every 15 minutes. The device allows Smith’s character to access important data.
Neither of these plot devices affects the plot’s apparent truthfulness, yet they present one very bad practice (the six-character password) and one nearly magical device. Of course, these examples are almost coherent, compared to some of the ideas seen in movies and on TV.
One of the most ridiculous tropes of film hacking is what happens when criminals or hackers crack passwords, PINs, or digital bank safe locks. Some call this the “password slot machine” trope. Passwords are not cracked like physical locks, where you can manually pick one tumbler at a time, but as whole units. There’s no way to figure out one character of a password at a time, since passwords themselves aren’t actually stored or validated this way. Hashes, which are the result of mathematical operations performed on passwords, are what is actually stored, and this makes it impossible to find the original password (or any individual characters therein) from the hash.
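The all-or-nothing check described above can be seen in a few lines of Python. This is an added example, not part of the original article; the fixed salt and low iteration count are constructed for a fast, repeatable demo, and the password is the one from The Good Liar.

```python
import hashlib
import hmac

# Constructed demo values (assumptions): real systems use a random per-user
# salt and a far higher work factor.
SALT = b"constructed-demo-salt"
ITERATIONS = 1_000


def hash_password(password):
    """Derive the value a server stores instead of the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


def verify(stored, guess):
    """Hash the whole guess and compare whole digests in constant time."""
    return hmac.compare_digest(stored, hash_password(guess))


def differing_bits(a, b):
    """Count the bit positions where two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly this length."""
    return alphabet_size ** length


def near_miss_report(password, guesses):
    """Per guess: (guess, characters right in position, digest bits differing, accepted)."""
    stored = hash_password(password)
    rows = []
    for guess in guesses:
        shared = sum(1 for p, q in zip(password, guess) if p == q)
        bits = differing_bits(stored, hash_password(guess))
        rows.append((guess, shared, bits, verify(stored, guess)))
    return rows


if __name__ == "__main__":
    for row in near_miss_report("lilies", ["liliez", "aaaaaa", "lilies"]):
        print(row)
    # Six lowercase letters versus twelve: the only "progress" is search space.
    print(keyspace(26, 6), keyspace(26, 12))
```

A guess with five of six characters correct produces a digest that differs in roughly half of its 256 bits, the same as a guess with none correct, so the verifier gives no per-character feedback for a "slot machine" to lock onto.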
When hackers try to crack a system or breach a firewall, there is always a way to know how much progress they’ve made, and how close they are to success, right? Movies and TV shows often display progress indicators when hackers are doing their deeds. They show the progress of a hack or breach as it is occurring, as if it is something that can be timed. These progress indicators are sometimes displayed as a standard horizontal bar, like what you see when you’re installing software, and sometimes as numbers counting up or down. One example is this scene from the TV series Castle, where you can see progress percentages increase as the hack nears completion (along with many, many other hacking tropes).
Hackers often have to send code to other computers to crack them, and this process is rarely depicted realistically in film and television. A classic of bad movie hacking occurs in Independence Day, when Jeff Goldblum’s character uploads a virus from his PowerBook to the alien mothership. Of course, he was able to connect to the ship, understand its operating system, and create a virus that would work in spite of any protection it might have. Yes, the aliens had Macs (or, at least, Mac-compatible alien tech).
Hacking is esoteric, so the way to portray it on film is to make it look complex and impenetrable. While it can be a complicated process, it’s nothing like what we are shown on computer displays in movies or TV shows.
The random green characters on a black background in The Matrix, for example, are nothing more than a fancy screen saver. And when you see a hacker run some command in a computer terminal, followed by a long stream of code scrolling up the screen, that’s not at all what hackers actually see. Hackers do often use the command line, which returns text output, but nothing like the amount of code that typically displays on screen in films.
In addition, the output depicted in entertainment media is often source code, or actual application code. Hackers may see text on screen, but it is generally utilitarian: it shows the results of a query, for example, with IP addresses, domain names, etc.
Another common and comical effect, as in a scene from NCIS, is when hundreds, even thousands of windows appear on a screen. No hacker would be able to do anything with this morass of information.
Blockbusters need to make hacking look interesting, and in this scene from Skyfall, Q is analyzing a computer to try to thwart an attack. The display shows a wide variety of gobbledegook, including a very active visual of data points that slowly morphs into a diagram of the London Underground.
In this Wired video, security researcher Samy Kamkar looks at 26 hacking scenes from movies and TV. He points out that some of them are realistic, but also highlights those that are ridiculous.
If you’re interested in movies where hackers and cybersecurity feature as key plot points, this is a comprehensive list.