The news flash from Brian Williams on NBC News was intended to shock: “As tourists and families of athletes arrive in Sochi, if they haven’t been warned, and if they fire up their phones at baggage claim, it’s probably too late to save the integrity of their electronics and everything inside them.”
The three-and-a-half-minute segment outlined how exposed visitors to the Olympic Games would be to hackers, bringing in a computer security expert from Trend Micro, Kyle Wilhoit, to show how quickly your electronics could end up owned by hackers. Viewers might not have noticed that the NBC reporter, Richard Engel, was actually reporting from Moscow, the first clue to flaws in the splashy news story that followed (and that triggered wide-ranging discussion, including on Businessweek’s website).
Wilhoit had created a honeypot—a fake e-mail account, phony contacts—and used a new smartphone and two new computers to browse the Internet. The smartphone had already been hacked, according to Engel, before they had finished their coffee in a café, and it took “less than one minute for hackers to pounce” on the computers. Within 24 hours, hackers had broken into both computers and were “helping themselves to my data,” Engel reported.
The problem: That could happen anywhere, basically.
Cybersecurity researchers, in Twitter messages and blog posts, soon questioned the accuracy of the reporting. “That NBC story is 100% fraudulent,” read the headline of a post by Robert Graham at Errata Security. Hacks happened because of the websites visited by Engel and Wilhoit, as Graham points out, and had nothing to do with the physical location of the devices they used. There is an increased risk from being in Russia because of geolocation—more sketchy Russian websites, for instance, will show up in Internet search results—but that’s something users can turn off. As for the smartphone, it was used willingly to download a hostile Android application. “The only thing that can be confirmed by the story is ‘don’t let Richard Engel borrow your phone,’” Graham writes.
NBC News did not respond to a request for comment this morning. Trend Micro’s press contact has promised to respond later today, and Bloomberg Businessweek will update this post when someone does. (See update below)
Wilhoit declined to comment, though he spent yesterday evening in a flurry of Twitter conversations, posting at one point: “Unfortunately, the editing got the best of the story. Cut a lot of the technical/context details out.” This morning, he promised that a white paper, with the technical details of the experiment, was “still in the works all, just taking some time to get through all the red tape.”
UPDATE at 1:15 p.m.: A NBC spokesperson called the criticisms “completely without merit.” She said the location was clearly set in Moscow, that “a user is more likely to be targeted by hackers while conducting search in Russia,” and that the report “was designed to show how a non-expert can easily fall victim to a cyber attack.” She pointed to an online video with more technical details.
In a statement, JD Sherry, vice president of technology and solutions at Trend Micro, said that “the reports are genuine in their intent to raise the level of awareness around the risks visitors to Sochi and all Internet users face.” He said most of NBC’s viewers are “not highly trained and seasoned security professionals,” and that the piece “was actually condensed from over 72 hours of activity and simulation to stage a realistic user scenario for visitors to the games.” He suggested users keep their machines up to date, add additional security controls, trust their instincts when it comes to suspicious emails, and to use trusted sites.