Security Researcher Punches Holes In NBC's 'Everyone Going To Sochi Will Be Hacked" Story; NBC Doubles Down In Response
from the because-'being-careless-will-get-you-hacked'-isn't-headline-material dept
Earlier this week, NBC "reported" that journalists and visitors to Sochi are being immediately hacked virtually as soon as they acquire a connection. [AUTOPLAY WARNING.] NBC presented this as something completely inescapable in its report, which purportedly showed NBC journalist Richard Engel's cellphone and laptop being compromised "before he even finished his coffee."
All very scary but all completely false.
Errata Security points out that the entire situation was fabricated.
The story shows Richard Engel "getting hacked" while in a cafe in Russia. It is wrong in every salient detail.While your average person might be lured to sketchy sites supposedly related to the Olympics, most of these people wouldn't have disabled the default locks on their phone, as Robert Graham at Errata Security points out.
They aren't in Sochi, but in Moscow, 1007 miles away.
The "hack" happens because of the websites they visit (Olympic themed websites), not their physical location. The results would've been the same in America.
The phone didn't "get" hacked; Richard Engel initiated the download of a hostile Android app onto his phone.
...and in order to download the Android app, Engel had to disable a lock that prevents such downloads -- something few users do [update].
The truth makes for a much less interesting story, however, and as Graham points out, Engel's use of the passive voice ("the phone was hacked" rather than "I downloaded a virus") deliberately obscures what's actually happening on the video. It's not Sochi's wireless connections that are "infected," it's the sites themselves. No one's getting hacked instantly unless they're going out of their way to act carelessly in a potentially hostile environment. Following normal internet safety procedures should keep journalists and Olympic fans protected -- preventative measures that NBC could have chosen to deliver with its report, except that they would undercut the narrative it was crafting. There is no doubt that the influx of out-of-town visitors presents an enticing target for aspiring hackers, but there's no reason to believe any device will be insta-compromised the moment it connects to the internet.
NBC, for its part, seems to think the only way to wipe this egg of its face is to apply more egg, as c|net reports:
"The claims made on the blog are completely without merit," according to a representative from NBC News.But NBC's story carried this headline:
The NBC rep also noted that the report made it clear from the beginning that the taping was done in Moscow. The report was intended to demonstrate that a person was more likely to be targeted by hackers while conducting searches in Russia, the representative added, acknowledging that these attacks can happen anywhere in the world. In addition, the story was designed to show how less technically savvy people can fall victim to such a cyberattack.
Hacked Within Minutes: Sochi Visitors Face Internet MinefieldEven with the appended disclaimers, the report was obviously intended to present Sochi as a hackers' paradise where anyone -- even those not stupid enough to visit rogue websites or purposefully sideload sketchy apps -- can be compromised before their coffee cools. And the phrasing used by the reporters is equally as misleading. The following quotes are taken from the transcript (which, to NBC's credit, opens up with "Welcome to Moscow").
>> reporter: good evening, brian. the state department warns the travelers should have no expectation of privacy. even in their hotel rooms. you are immediately exposed as soon as you try to communicate with anything. one of the first thing visitors to russia will do is log on. hackers here will count on it. we decided to find out how dangerous that could be.This would be the malware consciously downloaded by the reporter. Note that it's stated that the phone is downloading the malware on its own, rather than with any assistance by the journalists.
>> reporter: with our new computers loaded with attractive data, we headed for a restaurant, where we used a new smart phone to browse for information about the sochi olympics. almost immediately we were hacked.
>> did you see where it said downloading?
>> i did.
>> it's actually downloading a piece of malware.
>> malicious software hijacked our phone before i even started my coffee.
>> back at the hotel will hoyt was using specialized software to monitor my two computers. and sure enough, they had also been hacked.No mention of visiting unknown sites. The assumption is that hackers accessed the computers on their own, rather than having a door propped open by Engel's visit to malicious sites, most likely sites that any decent browser/search engine would have warned might be an unsafe place to visit.
>> it had taken hackers less than one minute to pounce. within 24 hours they had broken into both computers and started helping themselves to my data."Pounce?" On what, the Welcome mat the journalists laid out? God helps those who help themselves to data, but the devil's editor visits compromised sites in search of a good story.
>> reporter: american athletes and fans now coming to russia by the thousands are entering a minefield. the instant they log on to the internet."The instant they log on…" Obviously false. Pre-priming your devices for failure will "allow" you to be hacked before your coffee cools, but following some very basic security measures will keep devices safer. Sure, there's likely a higher concentration of hacking activity in Sochi with so many potential targets in the area, but that's no excuse to promote fear over facts and for journalists to intentionally sabotage their own equipment just to ensure the eyeball-grabbing headline actually fits the content. It's not just bad journalism, it's also irresponsible. NBC could have used this time to outline the same basic safety precautions Graham does in its blog post, but was obviously more interested in reinforcing its viewers' perception that Russia is the Internet Wild West, where even the safest surfer will be hacked to unrecognizability by malicious electro-bandits at the faintest whiff of a wi-fi signal.
>> the best way to protect yourself is quite simple, if you don't really need a device, don't bring it. try to avoid the public wifi. and if there's anything particularly and uniquely important on your computer or phone, banking information or photographs, remove it before coming to russia.