Friday, 07 February 2014

Advice for Sochi Visitors: Don't Trust an NBC Reporter With Your Phone

The newsflash from Brian Williams on NBC News was intended to shock: “As tourists and families of athletes arrive in Sochi, if they haven’t been warned, and if they fire up their phones at baggage claim, it’s probably too late to save the integrity of their electronics and everything inside them.”

The three-and-a-half minute segment outlined how exposed visitors to the Olympic Games would be to hackers, bringing in a computer security expert from Trend Micro, Kyle Wilhoit, to show how quickly your electronics could end up owned by hackers. Viewers might not have noticed that the NBC reporter, Richard Engel, was actually reporting from Moscow, the first clue to flaws in the splashy news story that followed (and that triggered wide-ranging discussion, including on Businessweek’s website).

Wilhoit had created a honeypot—a fake e-mail account, phony contacts—and used a new smartphone and two new computers to browse the Internet. The smartphone had already been hacked, according to Engel, before they had finished their coffee in a café, and it took “less than one minute for hackers to pounce” on the computers. Within 24 hours hackers had broken into both computers and were “helping themselves to my data,” Engel reported.

The problem: that could happen anywhere, basically.

Cyber-security researchers, in Twitter messages and blog posts, soon questioned the accuracy of the reporting. “That NBC story is 100% fraudulent,” read the headline of a post by Robert Graham at Errata Security. The hacks happened because of the websites visited by Engel and Wilhoit and, as Graham points out, had nothing to do with the physical location of the devices they used. There is an increased risk from being in Russia because of geolocation—more sketchy Russian websites, for instance, will show up in Internet search results—but that’s something users can turn off. As for the smartphone, it was used to willingly download a hostile Android application. “The only thing that can be confirmed by the story is ‘don’t let Richard Engel borrow your phone,’” Graham writes.

NBC News did not respond to a request for comment this morning. Trend Micro’s press contact has promised to respond later today, and Bloomberg Businessweek will update this post when they do.

Wilhoit declined to comment, though he spent yesterday evening in a flurry of Twitter conversations, posting at one point: “Unfortunately, the editing got the best of the story. Cut a lot of the technical/context details out.” This morning, he promised that a white paper, with the technical details of the experiment, was “still in the works all, just taking some time to get through all the red tape.”
