Sochi hack report 'fraudulent,' security researcher charges

NBC News report that attendees at the Winter Olympics were being hacked immediately is "wrong in every respect," Errata Security's Robert Graham says. NBC defends its story.

Steven Musil

A report this week that attendees at the Sochi Winter Olympics were being hacked the second they booted up their electronic devices is "100 percent fraudulent," a security researcher charged Thursday.

Robert Graham of Errata Security was criticizing a report by NBC reporter Richard Engel on the safety of logging onto Russian networks. Engel reported that during a security test at a cafe with a security expert, "before we even finished our coffee" the bad actors had hit, downloading malware and "stealing my information and giving hackers the option to tap or even record my phone calls."

Engel went on to report that once two test computers went online, it took "less than 1 minute [for hackers] to pounce, and in less than 24 hours, they had broken into both of my computers."

However, Graham called the NBC report "wrong in every respect," writing in a blog post Thursday that the technical details of Engel's report reflect the dangers of visiting the Olympics in cyberspace -- not in person.

"I had expected the story to be about the situation with WiFi in Sochi, such as man-in-the-middle attacks inserting the Blackhole toolkit into web pages exploiting the latest Flash 0day," Graham wrote, referring to common cybercrime techniques. "But the story was nothing of the sort."

Noting that the NBC News tests were conducted in Moscow and not the host city of Sochi, Graham said that the hack was the result of visiting malicious Olympic-themed Web sites and was just as likely to have occurred to visitors based in the US. Graham also charged that Engel was responsible for a reported phone hack described in the report, writing that Engel initiated the download of a malicious app onto his handset.

"Absolutely 0% of the story was about turning on a computer and connecting to a Sochi network. 100% of the story was about visiting websites remotely," Graham wrote. "Thus, the claim of the story that you'll get hacked immediately upon turning on your computers is fraudulent."

NBC, for its part, defended its report.

"The claims made on the blog are completely without merit," according to a representative from NBC News.

The NBC rep also noted that the report made it clear from the beginning that the taping was done in Moscow. The report was intended to demonstrate that a person was more likely to be targeted by hackers while conducting searches in Russia, the representative added, acknowledging that these attacks can happen anywhere in the world. In addition, the story was designed to show how less technically savvy people can fall victim to such a cyberattack.

Updated at 6:16 a.m. PT February 7 to include a comment from NBC News.