Security Researcher Punches Holes In NBC's 'Everyone Going To Sochi Will Be Hacked" Story; NBC Doubles Down In Response

from the because-'being-careless-will-get-you-hacked'-isn't-headline-material dept

Earlier this week, NBC “reported” that journalists and visitors to Sochi are being immediately hacked virtually as soon as they acquire a connection. [AUTOPLAY WARNING.] NBC presented this as something completely inescapable in its report, which purportedly showed NBC journalist Richard Engel’s cellphone and laptop being compromised “before he even finished his coffee.”

All very scary but all completely false.

Errata Security points out that the entire situation was fabricated.

The story shows Richard Engel “getting hacked” while in a cafe in Russia. It is wrong in every salient detail.

They aren’t in Sochi, but in Moscow, 1007 miles away.

The “hack” happens because of the websites they visit (Olympic themed websites), not their physical location. The results would’ve been the same in America.

The phone didn’t “get” hacked; Richard Engel initiated the download of a hostile Android app onto his phone.

…and in order to download the Android app, Engel had to disable a lock that prevents such downloads — something few users do [update].

While your average person might be lured to sketchy sites supposedly related to the Olympics, most of these people wouldn’t have disabled the default locks on their phone, as Robert Graham at Errata Security points out.

The truth makes for a much less interesting story, however, and as Graham points out, Engel’s use of the passive voice (“the phone was hacked” rather than “I downloaded a virus”) deliberately obscures what’s actually happening on the video. It’s not Sochi’s wireless connections that are “infected,” it’s the sites themselves. No one’s getting hacked instantly unless they’re going out of their way to act carelessly in a potentially hostile environment. Following normal internet safety procedures should keep journalists and Olympic fans protected — preventative measures that NBC could have chosen to deliver with its report, except that they would undercut the narrative it was crafting. There is no doubt that the influx of out-of-town visitors presents an enticing target for aspiring hackers, but there’s no reason to believe any device will be insta-compromised the moment it connects to the internet.

NBC, for its part, seems to think the only way to wipe this egg of its face is to apply more egg, as c|net reports:

“The claims made on the blog are completely without merit,” according to a representative from NBC News.

The NBC rep also noted that the report made it clear from the beginning that the taping was done in Moscow. The report was intended to demonstrate that a person was more likely to be targeted by hackers while conducting searches in Russia, the representative added, acknowledging that these attacks can happen anywhere in the world. In addition, the story was designed to show how less technically savvy people can fall victim to such a cyberattack.

But NBC’s story carried this headline:

Hacked Within Minutes: Sochi Visitors Face Internet Minefield

Even with the appended disclaimers, the report was obviously intended to present Sochi as a hackers’ paradise where anyone — even those not stupid enough to visit rogue websites or purposefully sideload sketchy apps — can be compromised before their coffee cools. And the phrasing used by the reporters is equally as misleading. The following quotes are taken from the transcript (which, to NBC’s credit, opens up with “Welcome to Moscow”).

>> reporter: good evening, brian. the state department warns the travelers should have no expectation of privacy. even in their hotel rooms. you are immediately exposed as soon as you try to communicate with anything. one of the first thing visitors to russia will do is log on. hackers here will count on it. we decided to find out how dangerous that could be.

>> reporter: with our new computers loaded with attractive data, we headed for a restaurant, where we used a new smart phone to browse for information about the sochi olympics. almost immediately we were hacked.

>> did you see where it said downloading?

>> i did.

>> it’s actually downloading a piece of malware.

>> malicious software hijacked our phone before i even started my coffee.

This would be the malware consciously downloaded by the reporter. Note that it’s stated that the phone is downloading the malware on its own, rather than with any assistance by the journalists.

>> back at the hotel will hoyt was using specialized software to monitor my two computers. and sure enough, they had also been hacked.

No mention of visiting unknown sites. The assumption is that hackers accessed the computers on their own, rather than having a door propped open by Engel’s visit to malicious sites, most likely sites that any decent browser/search engine would have warned might be an unsafe place to visit.

>> it had taken hackers less than one minute to pounce. within 24 hours they had broken into both computers and started helping themselves to my data.

“Pounce?” On what, the Welcome mat the journalists laid out? God helps those who help themselves to data, but the devil’s editor visits compromised sites in search of a good story.

>> reporter: american athletes and fans now coming to russia by the thousands are entering a minefield. the instant they log on to the internet.

>> the best way to protect yourself is quite simple, if you don’t really need a device, don’t bring it. try to avoid the public wifi. and if there’s anything particularly and uniquely important on your computer or phone, banking information or photographs, remove it before coming to russia.

“The instant they log on…” Obviously false. Pre-priming your devices for failure will “allow” you to be hacked before your coffee cools, but following some very basic security measures will keep devices safer. Sure, there’s likely a higher concentration of hacking activity in Sochi with so many potential targets in the area, but that’s no excuse to promote fear over facts and for journalists to intentionally sabotage their own equipment just to ensure the eyeball-grabbing headline actually fits the content. It’s not just bad journalism, it’s also irresponsible. NBC could have used this time to outline the same basic safety precautions Graham does in its blog post, but was obviously more interested in reinforcing its viewers’ perception that Russia is the Internet Wild West, where even the safest surfer will be hacked to unrecognizability by malicious electro-bandits at the faintest whiff of a wi-fi signal.

Filed Under: , , ,
Companies: nbc

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Security Researcher Punches Holes In NBC's 'Everyone Going To Sochi Will Be Hacked" Story; NBC Doubles Down In Response”

Subscribe: RSS Leave a comment
Anonymous Coward says:


Yesterday their was a techdirt article on the GCHQ running Operations using journalists &/or their Identities to trick their targets. Now we have a story run on major media telling us what a wild and dangerous place the Internet is, especially in (pick country).

The story has been fined down over the next few news editions to mask the factual complaints raised.

Any-One want to bet on when a “story breaks” that “US zone” of the Internet is better managed and safer because. (fill in your favorite government agency name), is soooo active.

Anonymous Coward says:


Yesterday their was a techdirt article on the GCHQ running Operations using journalists &/or their Identities to trick their targets. Now we have a story run on major media telling us what a wild and dangerous place the Internet is, especially in (pick country).

The story has been fined down over the next few news editions to mask the factual complaints raised.

Any-One want to guess on when a “story breaks” that “US zone” of the Internet is better managed and safer because. (fill in your favorite government agency name), is soooo active.

BSD32x (profile) says:

Wait, so who exactly in the US is 100% guaranteed to be NSA surveillance proof given that the Snowden leaks revealed they have cracked most VPN encryption and are doing everything possible to compromise TOR? We’re one Snowden like contractor with less moral righteousness or a hacker who gains access to the NSA data farm away from a thief nabbing unheard of amounts of data, but we’re supposed to be shaking in our boots because the (according to the same media) inept Russians who can’t do anything right are also master hackers at the same time? Whatever this is, is not journalism.

Anonymous Coward says:

the lies on tv are so many and so obvious. this is no exception. you’d think that anyone would have noticed how phony and how staged that report was.

you don’t just turn on a device to find that something is downloading unless you have enabled such a thing yourself. at least not yet anyway.

I have to question whether this is just more entertainment or [puts tin foil hat on] are they preparing people for a future where devices are designed so poorly that you’ll see things like this actually happening even on brand new devices that have just established their first connection?

[adds tinfoil hat to device before clicking submit]

Anonymous Coward says:

Re: Re:

There was an annoying windows virus back then called LASSER or something like that…you could wipe out the hard drive, reinstall windows, and if you didn’t have pre-installed third party security you would get it over and over again. A window would appear and start a 30 seconds countdown and reboot the machine over and over. I was really in total disarray that somebody could manage to have so much crap on their computer that their IP was permanently targeted like that. It was during the 2k/xp days.

Anonymous Coward says:

Re: Re: Re:

wow, I could be thinking of something else but it seems like I remember something about that. the name even sounds familiar. I also remember one called Sasser worm but that was a worm.

the wiki on it says:
This worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service)

Anonymous Coward says:

Re: Re: Re: Re:

That’s what it was 🙂 Had to preinstall a lot of stuff because I couldn’t get any time to download any security programs (free ones, when AntiVir(avira) and SpyBot were more than enough for most people) to repair that person’s computer, I was really amazed then that someone’s computer was so messed up I couldn’t repair it live there without bring stuff burned to CD first.

Anonymous Coward says:

Media spreading propaganda about russia…
What is this the 60s? I thought you guys stopped the commie hating, but what goes on now is sad.
Its obvious that the US tries to discredit Russia at every opportunity. The only problem I see with sochi is that they havent finished it in time. But this whole “everyone gets hacked”, “gays are thrown in gulags” and the latest “Putin should smile more”…
Seriously guys, if you still believe what the media says

Anonymous Coward says:

Likely Reality

NBC takes one well known nugget of truth: Sites can load malicious software to devices automatically if proper security precautions are not taken then combines that with the image of Russia being and evil and dangerous country which requires us to be “protected” by the government surveillance machine that the government wants to further and the hype that surrounds the Olympics, to craft a sensationalistic story complete with an accompanying headline. They then load devices with “attractive data” merely so that they can make that claim, have a researcher find a site that will automatically download such malware, and then have the reporter on camera visit the specific site to demonstrate the download. This isn’t just surfing and accidentally getting infected. No they went looking for a site with malware on purpose to make their story and left out the little detail that the chances of getting exploited could be dramatically reduced if some basic security precautions are taken. If they had presented their demonstration from the perspective of “These are the precautions that people need to take.” This would have been fine, but that wouldn’t have served the purpose of generating the FUD that implies the necessity of the government surveillance machine by demonizing Russia.

Anonymous Coward says:

So full of fail

People who actually understand security don’t use smartphones. Or Windows. Or MacOS. Or Facebook. Or LinkedIn. Or any of the other various combinations of {hardware, OS, applications, web sites, Internet services} that are known-insecure.

I’m quite sure I could take my laptop (which is running OpenBSD) (and not on an x86-based CPU)in there and do just fine.

madasahatter (profile) says:

Re: So full of fail

My first reaction to the article was I would like to take my computer to Moscow and see if I could replicate the problem. I use various Linux distros so the attacks would need to target Java not Java applets.

For most, good security, even on Windows, is being careful about where one visits and keep the OS and software fully updated. Most of my older friends and family rarely get any malware on Windows by following good practices.

Anonymous Coward says:

Re: So full of fail

“People who actually understand security don’t use smartphones. Or Windows. Or MacOS. Or Facebook. Or LinkedIn. Or any of the other various combinations of {hardware, OS, applications, web sites, Internet services} that are known-insecure.”

While that may be true for some people who understand security, it isn’t true for all. Many simply limit what information they make available through those devices and means and follow best practices otherwise. There is plenty of low hanging fruit out there for the malcontents to pick after all.

John Fenderson (profile) says:

Re: So full of fail

“People who actually understand security don’t use smartphones. Or Windows. Or MacOS.”

Simply not true. People who actually understand security know that it’s a terrible, and really common, mistake to think of some platforms as insecure and others as secure.

Security experts treat all systems as insecure and do two things to reduce (you can never eliminate) the risk: adopt proper habits, and know how to use high-quality security software and use it correctly.

The various Unices are easier to secure because of their design, but it is possible (and not really that hard) to harden any other OS to an acceptable degree as well.

Anonymous Coward says:

Rinse, Repeat.

Dateline’s footage showed a sample of a low-speed accident with the fuel tank exploding. In reality, Dateline NBC producers had rigged the truck?s fuel tank with remotely controlled model rocket engines to initiate the explosion. The program did not disclose the fact that the accident was staged.
The General Motors lawsuit and subsequent settlement was arguably the most devastating blow for NBC in a series of reputation damaging incidents during the 1990s and early 2000s.

Anonymous Coward says:

Re: Re: Re: NBC also messed with Zimmerman's 911 phone call

I don’t even have a tv and don’t want one. why would I if it’s just going to be used to try and program and persuade me and tell me what to think and how to think and tell me what tastes good, what’s funny etc…? “TBS, very funny”

jarfil says:

NBC: wrong
Techdirt: sorry, but wrong too

Downloading a virus is not the same as sideloading. Any browser will download files automatically, no matter if they are JPGs, PDFs or viruses. But this act of downloading doesn’t mean the malware will ever get installed or executed.

So it’s correct to say “it is downloading”. You visit a website, and it starts downloading all of itself.

Implying that this means you are infected, is the wrong part.

Anonymous Coward says:

Re: Re:

While it is true that downloading is different than side loading, on Android and many other devices, when a browser downloads a file, it often assumes that the user intends to open the file and looks for an appropriate means of doing so. If the file is a native app that appropriate means is the installation of the app and if the source is not the sanctioned source such as Google Play or Apple’s App Store, then that app’s installation if successful is by definition, side loaded. On Android devices the setting in that they refer to controls apps whether apps are allowed to be side loaded or not and thus would prevent this from happening if set appropriately.

Pat says:


You’re treating this as if it were news?

The American US media’s job hasn’t been to report news in over a decade. Their job is to either entertain or scare people.

Expecting Facts, investigations and or news out of the American media these days is like expecting a TSA agent to laugh at a bomb joke and wave you through…

John Fenderson (profile) says:

Re: Re:

You’re late to the party. Our country’s news services slumped to that point decades ago. It happened due to, and as the inevitable consequence of, CNN discovering that news can be a profit center, and the consolidation of the newspapers into the hands of a few major corporations.

This is why I say there is no mainstream journalism in the US, and hasn’t been for quite a long while. It’s all propaganda and lies. (And, I maintain, this is the real reason that newspapers are dying.)

John85851 (profile) says:

Corporate synergt at work

So NBC Sports pays billions of dollars to exclusively air the Olympics in the US, but the news division is actively scaring people away from the Olympics. Great corporate synergy there!

I don’t remember NBC running these kinds of scare stories during the Beijing Olympics. Is that because Russians are evil hackers and the Chinese aren’t?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...