On February 4, NBC’s Richard Engel issued a shocking report from the Olympics in Sochi, Russia, claiming that all his electronics were “almost immediately hacked” once he got there. However, security experts have called this claim into question, with one cybersecurity expert saying the story is “100 percent fraudulent.”
In his report, “Hacked Within Minutes,” Engel repeated claims that visitors to the Olympics should have “no expectation of privacy” in their electronic communications.
“As tourists and families of athletes arrive in Sochi, if they haven’t been warned and if they fire up their phones at baggage claim, it’s probably too late to save the integrity of their electronics and everything inside them. Visitors to Russia can expect to be hacked, and as Richard Engel found out upon his arrival there it’s not a matter of if, but when,” Brian Williams intoned.
Engel went on to show footage of he and his crew setting up several brand new, unused computers and cell phones and claimed they were “hacked” nearly as soon as they were turned on.
A multitude of security experts and computer users immediately charged that there were major flaws in Engel’s reporting. Not only was “hacked” the wrong terminology to use, but some even noted that Engel had to invite the “hacking” by allowing the hackers to have access to the electronics.
Security expert Robert Graham was one of the first to point out that Engel’s report was misleading. On his blog, Errata Security, Graham said that “absolutely 0% of the story” was based on visitors just turning on their electronic items.
Graham’s key point was to note that the “hacking” Engel was talking about could be found from anywhere in the world by just visiting the websites that contained the malicious spyware programs embedded in them. One didn’t need to actually go to Sochi to be “hacked” in that manner.
As Graham said:
1. They aren’t in Sochi, but in Moscow, 1007 miles away.
2. The “hack” happens because of the websites they visit (Olympic-themed websites), not their physical location. The results would’ve been the same in America.
3. The phone didn’t “get” hacked; Richard Engel initiated the download of a hostile Android app onto his phone.
4. …and in order to download the Android app, Engel had to disable a lock that prevents such downloads – something few users do [update].
Much of Engel’s claims were based on the expert he brought along with him for that report, Trend Micro threat researcher Kyle Wilhoit.
The day after the report Wilhoit defended the video saying that the report wasn’t aimed at a “technical” audience.
“Keep in mind the target audience of the piece wasn’t technical. While I agree some FUD, TV’s goal is to make it interesting,” Wilhoit tweeted after the report.
Later Wilhoit promised that he would issue a full, written report to show exactly what he and Engel did to formulate the claims in the report.
However, in a February 7 investigation into the NBC report, CBS refuted much of Engel’s claims, saying that “no, everyone will not get hacked” and insisting that “the sky isn’t falling” for Internet security in Sochi.