Earlier this week, NBC News broadcast a sensational report about the dangers of taking computers to the Sochi Olympics in Russia.
In the report, NBC’s Richard Engel was joined by Trend Micro expert Kyle Wilhoit to demonstrate the online dangers to which tourists and athletes could be exposed.
(By the way, isn’t the way that Richard Engel opens the MacBook Air box the craziest thing you’ve ever seen in your life?)
Here’s a quote from the introduction to the TV news report:
As tourists and family of athletes arrive in Sochi, if they haven’t been warned, and if they fire up their phones at baggage claim, it’s probably too late to save the integrity of their electronics and everything inside them.
Visitors to Russia can expect to be hacked. And, as Richard Engel found out upon his arrival there, it’s not a question of “if” but “when”.
As you can see in the video above, the report then goes on to show what happened when Engel and Trend Micro’s Wilhoit connected an Apple MacBook Air, an Android phone, and a Lenovo laptop running Windows 7 to the internet in Russia.
However, as security blogger Robert Graham succinctly points out the report is largely bunk, and badly misrepresents the facts.
Absolutely 0% of the story was about turning on a computer and connecting to a Sochi network. 100% of the story was about visiting websites remotely. Thus, the claim of the story that you’ll get hacked immediately upon turning on your computers is fraudulent. The only thing that can be confirmed by the story is “don’t let Richard Engel borrow your phone”.
The truth was that “hacks” had nothing to do with being in Sochi, Moscow, or any other part of Russia. The hacks would have worked just as well from any other part of the world, as they were dependent on visiting malicious Sochi-related websites rather than the user’s physical location.
It needn’t have been websites related to the Sochi Olympics that they searched for at all. It could just have easily been Justin Bieber, or the Super Bowl.
Wilholt tweeted confirming the fact that location was irrelevant.
“In this case, he would have been hit in Russia; just the same way he would if in Philadelphia.”
And, despite appearances, this wasn’t a case of just buying a new computer or smartphone and connecting to a WiFi network, start surfing the net, and waiting to see what happened next.
Wilholt confirmed on Twitter that the attacks did not involve any zero-day exploits, that the malicious Android download happened when they visited a malicious Russian Sochi-related website, and required reporter Richard Engel to click “Yes” to install the .apk.
Wilholt says that he is preparing a technical white paper explaining exactly what happened in the preparation and filming for the report, but that it’s currently being approved by Trend Micro’s legal department.
I’ve been involved in many many TV investigations into malware and cybercrime over the years, and am all too acutely aware of how the media will dumb down or sometimes even deliberately misrepresent the facts in order to have a sexier story.
It’s very easy to find yourself manipulated by pushy journalists into saying something that can be edited into a report out of context, and over time you learn a sixth sense as to when the folks making the media report are more interested in sensationalism rather than truly educating and informing the audience.
Of course, it’s necessary to make news reports about IT issues interesting to watch – and we all lose if we can’t make the importance of computer security relevant to the general public audience.
Wilholt himself confirmed the challenge of producing a technically accurate vs interesting television news report about hackers and cybercrime:
@MLGTeemo Agreed.Keep in mind the target audience of the piece wasn't technical.While I agree some FUD, TV's goal is to make it interesting.
— Kyle Wilhoit (@lowcalspam) February 5, 2014
But, in my view, this NBC News report went too far in deliberately misleading its audience.
The wisest thing for the anti-virus firm featured in the report would have been to walk away and decline the opportunity, even though it would mean that they wouldn’t have got some much-desired exposure on national TV.
I don’t believe it’s likely that Kyle Wilhoit will be 100% happy with how NBC reported the story, and no doubt he’ll be much more cautious next time Trend Micro’s PR team ask him to get in front of the cameras.
If you are going to Russia for the Sochi Olympics you should take precautions to keep your computer equipment safe. But you should take those precautions every day, regardless of where you are in the world.
- Keep your computer and phones updated with the latest patches, and anti-virus software.
- If you don’t need it, turn it off or remove it entirely from your computer. (yes, I’m thinking of Java primarily, but the more programs and technology you have running on your computer, the greater the chance that one of them will have a vulnerability that could be exploited).
- Don’t open unsolicited attachments or blindly click on links without thinking about where you might be going.
- If you’re going to use public WiFi, make sure that you’re using a VPN to hide your online activity from snoopers.
This follows other trends by NBC and other media to boost attention on the Olympics. For weeks prior to the games we heard about terror threats. I asked many of my friends who live in countries outside the U.S. f they had been getting the same news regarding the dangers of going to Sochi. Everyone I talked to had heard something from our news sources but none of the athletes in other countries were telling their parents to stay home. Even friends close to the Sochi regioin said their concern was troubles in the Ukraine and not the North Caucasus Islamist group or Caucasus Emirate.