NBC's Sochi Hacking Report Misleading, Says Computer Expert From Report and Others
After NBC News aired a report warning visitors to the 2014 Sochi Winter Olympics that it will be "open hunting season" for hackers, security experts -- including the one shown in the report -- are saying the report is overblown and misleading.
With all eyes on Sochi, Russia, NBC News's foreign correspondent Richard Engel reported on the NBC national evening news that upon arriving in Russia, he was hacked "almost immediately."
Hacking in Sochi?
As Latin Post previously reported, Engel spoke with American security expert Kyle Wilhoit who set up phony information linked to Engel's name on two laptops and a Samsung Galaxy S4. You can watch the report here.
In the report, we see Engel meeting with Wilhoit at a café and Engel said he searched for information on the Sochi Olympics when according to Engel, "almost immediately, we were hacked." Engel said malware had been downloaded on his smartphone before they were able to finish their coffee, giving hackers access to his private information and the ability to hijack his phone.
Engel also unpackaged two laptops -- a Mac and a PC -- and said that once the laptops were online, "it had taken hackers less than one minute to pounce.... Within twenty-four hours, they had broken into both computers and started helping themselves" to Engel's faux-personal information.
Not So Fast
Security experts have looked at Engel's report and are crying foul: Robert Graham of Errata Security even went so far as to say the NBC story was "100 percent fraudulent."
"The story shows Richard Engel 'getting hacked' while in a cafe in Russia. It is wrong in every salient detail.
- They aren't in Sochi, but in Moscow, 1007 miles away.
- The 'hack' happens because of the websites they visit (Olympic themed websites), not their physical location. The results would've been the same in America.
- The phone didn't 'get' hacked; Richard Engel initiated the download of a hostile Android app onto his phone.
- ...and in order to download the Android app, Engel had to disable a lock that prevents such downloads -- something few users do [update]."
Parsing the Engel Report
On Graham's first point, one thing to mention about the report that is that it didn't appear to be a deliberate misrepresentation of their location. Several shots of the background were clearly Moscow, and, as an NBC News representative told CNET, the report made it clear from the beginning that the taping was in Moscow. However, the message of the report, that the Olympics (in Sochi) is "open hunting season" for hackers, loses its impact because Engel wasn't actually there.
But the Engel report also contains elements that were plainly misleading. Graham's third and fourth points, for example, appear valid.
Engel did click on a file download from his smartphone's web browser to download an APK file -- a self-installing software file for Android. As the Washington Post's Brian Fung pointed out, you have to disable a built-in Android security lock to allow downloading Android software from anywhere but pre-cleared app stores like Google Play.
So Engel had to manually download the file -- it wasn't pushed on his smartphone, as the report would have you believe -- after he found a dangerous website hosting the APK. After he manually downloaded it, he also had to open it himself.
While Engel might have been trying to simulate the "everyman" using the internet, he actually went beyond automatic safeguards that the "everyman" wouldn't normally disable. And one might argue that the average smartphone user knows to heed warnings about downloading and installing files -- as well as to generally not click on things willy-nilly. As Graham puts it, the moral of Engel's story seems to be "don't let Richard Engel borrow your phone."
Graham's second point, that the hack wasn't necessarily due to using Russian networks, but because of unsafe behavior, is something even Kyle Wilhoit -- who was the security expert in the report -- agrees with. On his Twitter account after the hacking report came out, Wilhoit said "Unfortunately, the editing got the best of the story. Cut a lot of the technical/context details out."
Wilhoit later agreed to write a blog post detailing what he really thinks of the Engel report saying, regarding the hacking of Engel's computers, "In this case, he would have been hit in Russia; just the same way he would if in Philadelphia." That's because Engel clocked on an unverified attachment on an email, recklessly opening himself to phishing attacks -- yet another thing that your "average" internet user probably knows not to do. Engel's computer would have been malware-ridden in any location, not just Russia.
Wilhoit, who is in a special position to know, says the editing of the Engel piece is ultimately to blame for misleading viewers:
"Finally, to reiterate, while all three devices looked like they had been compromised with no user interactions that was just not the case. Incorrect impressions may have been formed due to the editing process; no zero-days were used and all infections required plenty of risky behavior to succeed."
The Truth About Sochi
This doesn't mean that visitors to the Sochi Olympics don't have a privacy problem. Normal behavior, like signing on to public WiFi networks, in Sochi will indeed open users up to hacking and surveillance. A better report about hacking risks at Sochi would have addressed hacks such as "man in the middle" attacks, which can specifically target Sochi visitors on unsecured WiFi.
But the note at the beginning of Engel's report is probably the most telling of all: the U.S. State Department has indeed warned U.S. visitors to the Sochi Winter Olympics that they "should have no expectation of privacy," even in hotel rooms.
However, it doesn't mean that the average internet user anywhere will be hacked "immediately," unless they behave recklessly online, click "yes" to anything that pops up, and have installed absolutely no malware protection on their devices -- basically behaving like a journalist who wants to prove how quickly he can be hacked, for example.
And it doesn't mean that visitors to the Sochi Olympics have to completely leave their devices behind, as Engel's report advises. It just means they have to be more careful than usual -- something that should be obvious to anyone visiting a high-security event where thousands of people from around the world are gathering.