NBC may be the latest culprit in disseminating fake “crazy Sochi” stories, according to one cyber security firm, which claims that the news outlet’s recent report on hacking in Sochi is pretty much totally false. (Update: NBC has responded to this story below.)
This week, NBC aired a segment of Richard Engel allegedly showing his computer being hacked upon connecting to the Internet in a cafe in Sochi. According to Engel, “it doesn’t take long here for someone to try to tap into your laptop, cellphone, or tablet.” When introducing the segment, Brian Williams says:
As tourists and families of athletes arrive in Sochi, if they haven't been warned and if they fire up their phones at baggage claim it's probably too late to save the integrity of their electronics and everything inside them. Visitors to Russia can expect to be hacked, and as Richard Engel found out upon his arrival there it's not a matter of if, but when.
The message is pretty clear. In Sochi, the Internet hacks you.
Engel and security expert Kyle Wilhoit set out for a cafe, where they browse an Olympic website using a mobile device. According to Engel, the phone began to download malware “almost immediately,” and “hijacked our phone before we even finished our coffee, stealing my information and giving hackers the option to tap and record my phone calls.”
Wilhoit adds that Engel’s computers were infiltrated in “less than one minute,” and that hackers started stealing data within 24 hours. To avoid a breach, Engel recommends avoiding public wifi and unnecessary devices, which is a tall order for visitors who are likely fearing a terrorist attack, and may want access to their state department sites.
It’s easy to take the story at face value. Conditions in Sochi are (in some cases) genuinely concerning -- with journalists telling of open manholes, dangerous hotel water, and double-booked rooms -- and a major hack on U.S. retailer Target has been traced back to Russia. But reporters in Sochi have been exaggerating the extent of their troubles, and a number of fake images and stories have emerged online. And security expert Robert Graham thinks this story should be taken with a very large grain of salt.
Graham writes on his website that Engel is extremely misleading in presenting his case, listing three major offenses:
1. They aren't in Sochi, but in Moscow, 1007 miles away.
2. The "hack" happens because of the websites they visit (Olympic themed websites), not their physical location. The results would've been the same in America.
3. The phone didn't "get" hacked; Richard Engel initiated the download of a hostile Android app onto his phone.
According to Graham, Engel did, indeed, get hacked in the cafe -- but not because he connected to their wifi. Graham argues that he would have only been at more risk of the breach in Russia than in the U.S. because Google promotes home-country sites, so he is more likely to have been directed to a fake Olympics site in a Russian cafe than an American one. But other than that, any breach could have been avoided by basic Internet safety measures like, in Graham’s words, “don’t click on stuff.” Graham says the only other thing he learned from Engel is "don't let Richard Engel borrow your phone,” but that Wilhoit did offer some helpful information -- although the NBC segment didn’t broadcast it:
[Wilhoit is] working on a blog with the full technical details. I'm sure it'll be great, with lots of details about what hackers can find with Maltego, the dangers of hostile websites, and so on -- the sort of great information totally lost in the nonsense that is the NBC story.
According to CNET, NBC has yet to respond to the allegation. But some techies on Twitter have already sided with Graham and are favoring his perspective.
Seriously embarrassing for NBC and Richard Engel. If a Russian journo was this unprofessional in America we'd laugh. http://t.co/oSUQR7hP3E — Tom Gara (@tomgara) February 7, 2014
Just saw the NBC News story on Sochi hacking. So… Engel clicked on malware and installed it on his phone? Seems kind of FUD-dy — Mat Honan (@mat) February 6, 2014
Errata Security makes a compelling case that Richard Engel's hacking report was misleading at best, false at worst http://t.co/cxCYeiizWH — Alex Weprin (@alexweprin) February 7, 2014
Even if Engel's story is false, people in Sochi should probably be careful about how they use their devices. You wouldn't want a dancing mall bear to take off with your personal information.
Update: NBC has responded to Graham's blog post, calling it "completely without merit." In a statement, an NBC News representative issued a point-by-point reaction:
1- From the very first frame it was made absolutely clear that the piece was taped in Moscow. Richard welcomed the expert to Moscow on camera, in front of a well-known Moscow landmark.
2- Of course this type of cyber attack can happen anywhere in the world, but the point we were demonstrating is that a user is more likely to be targeted by hackers while conducting search in Russia, and that such attacks happen with alarming speed from the moment a user goes online.
3- The story was designed to show how a non-expert can easily fall victim to a cyber attack when they are deceived into downloading a piece of malicious software that is disguised as a friendly message or alert. Just like any regular user, Richard went online, searched sites and was very quickly targeted and received a tailored fake message designed to trick him into downloading the software.
The representative added that "we also simultaneously published a 3-minute video on nbcnews.com for viewers more interested in the technical details, and it goes into more depth about how we conducted the experiment and what the results were."