Sochi hack report 'fraudulent,' security researcher charges
NBC News report that attendees at the Winter Olympics were being hacked immediately is "wrong in every respect," Errata Security's Robert Graham says. NBC defends its story.
A report this week that attendees at the Sochi Winter Olympics were being hacked the second they booted up their electronic devices is "100 percent fraudulent," a security researcher charged Thursday.
Robert Graham of Errata Security was criticizing a report by NBC reporter Richard Engel on the safety of logging onto Russian networks. Engel reported that during a security test at a cafe with a security expert, "before we even finished our coffee" the bad actors had hit, downloading malware and "stealing my information and giving hackers the option to tap or even record my phone calls."
Engel went on to report that once two test computers went online, it took "less than 1 minute [for hackers] to pounce, and in less than 24 hours, they had broken into both of my computers."
However, Graham called the NBC report "wrong in every respect," writing in a blog post Thursday that the technical details of Engel's report reflect the dangers of visiting the Olympics in cyberspace -- not in person.
"I had expected the story to be about the situation with WiFi in Sochi, such as man-in-the-middle attacks inserting the Blackhole toolkit into web pages exploiting the latest Flash 0day," Graham wrote, referring to common cybercrime techniques. "But the story was nothing of the sort."
Noting that the NBC News tests were conducted in Moscow and not the host city of Sochi, Graham said that the hack was the result of visiting malicious Olympic-themed Web sites and was just as likely to have happened to visitors based in the US. Graham also charged that Engel was responsible for a reported phone hack described in the report, writing that Engel initiated the download of a malicious app onto his handset.
"Absolutely 0% of the story was about turning on a computer and connecting to a Sochi network. 100% of the story was about visiting websites remotely," Graham wrote. "Thus, the claim of the story that you'll get hacked immediately upon turning on your computers is fraudulent."
NBC, for its part, defended its report.
"The claims made on the blog are completely without merit," according to a representative from NBC News.
The NBC rep also noted that the report made it clear from the beginning that the taping was done in Moscow. The report was intended to demonstrate that a person was more likely to be targeted by hackers while conducting searches in Russia, the representative added, acknowledging that these attacks can happen anywhere in the world. In addition, the story was designed to show how less technically savvy people can fall victim to such a cyberattack.
Updated at 6:16 a.m. PT February 7 to include a comment from NBC News.