The security expert from NBC's hugely misleading Sochi hack story explains what really happened
During an edition of NBC's Nightly News last week, Richard Engel starred in a segment called "Russian Roulette" about the dangers posed to Sochi visitors by malicious hackers (Pando embedded the video along with a short write-up). Brian Williams introduces the piece by warning that when visitors "fire up their phones at baggage claim it's probably too late to save the integrity of their electronics and everything inside them." He adds that it's not a matter of if you'll be hacked, but when.
That all sounds very horrifying and surprising and probably makes you want to watch the segment. The only problem? It's not true, and it is supported only by misleading editing and a panic-inducing voice-over from Engel. Once the segment aired, it drew blowback from computer security pros.
The first indications that NBC's fears were overstated came when security expert Robert Graham blogged that the steps for protecting your devices from hackers in Russia or anywhere else are in fact quite straightforward. Now, we have a far more damning report from the security researcher who led Engel on his Russian hackventure, Trend Micro's Kyle Wilhoit. Wilhoit has released a white paper on exactly what transpired when Engel got hacked, and the truth is far from the illusion created by NBC.
The segment made it appear that a device could be hacked by merely turning it on, connecting it to the Internet, and surfing the web, which Wilhoit chalked up to "the editing process on TV (which did not show the user interaction)..." But in all three of the hacking incidents, Engel initiated a suspicious download or the opening of a suspicious file himself. When his Samsung Galaxy S4 was hacked at the coffee shop, the segment shows Engel sit down, surf the net, and then seemingly out-of-nowhere a piece of malware is downloaded to his device.
Here's what really happened, according to Wilhoit:
We visited a Sochi-Olympic-themed site and were redirected to another, which prompted us to download an app (avito.apk) that seemed to have relevant travel information. After downloading the .APK file (MD5: 6d6cb42286c3c19f642a087c9a545943), we were prompted to install it. We clicked 'Accept' because we believe that's what typical users would do.

Would a "typical user" really download an app from a site they'd never seen before in a foreign country? Maybe. But the segment is so caught up in creating unwarranted panic that it misses an opportunity to be helpful by advising against downloading files from foreign sites.
The segment also depicted the PC and Macbook hacks as largely passive, occurring after the machines were left connected to the Internet for over 24 hours. But that's also misleading. The PC was hacked the same way devices are hacked in the United States every day -- through a phishing email. Wilhoit explains:
Clicking the link embedded in the email leads to the download of a Microsoft Word® document named Olympics.doc (MD5: 09326cec312ff356dde41d2e007fd009). Opening the document sends a simple beacon to whatsappload.ru. Within a minute, the piece of malware opened a back door connected to the same site via port 443. This allowed the attacker to gain access to the infected machine. He can even perform several malicious tasks such as stealing banking information or exfiltrating important documents.

That's a serious hack! But also one that could be easily avoided by not clicking on links or downloading files through emails from people you don't know.
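The two indicators Wilhoit's white paper names in the passages above (the avito.apk and Olympics.doc MD5 hashes and the whatsappload.ru beacon domain) are exactly what a defender feeds into an IOC match, and the chain he describes (a document is opened, a beacon goes out, and within a minute a back door connects to the same host on port 443) also yields a simple behavioural rule that does not depend on already knowing the hash or the domain. The Python below is an added example written for this page, not code from Wilhoit, Trend Micro or NBC. The event-log format and the sample log lines are constructed, and since the white paper does not give the beacon's port, the sample assumes port 80 for it.

```python
import hashlib
from datetime import datetime, timedelta

# Indicators quoted from Wilhoit's white paper in the article.
IOC_MD5 = {
    "6d6cb42286c3c19f642a087c9a545943": "avito.apk",
    "09326cec312ff356dde41d2e007fd009": "Olympics.doc",
}
IOC_DOMAINS = {"whatsappload.ru"}

# Constructed sample events (not real logs): "<ISO time> <host> <kind> key=value ...".
# laptop1 replays the chain described by Wilhoit; laptop2 is benign noise.
# The beacon port (80) is an assumption; the white paper only names 443 for the back door.
SAMPLE_EVENTS = [
    "2014-02-05T10:00:00 laptop1 file_open name=Olympics.doc md5=09326cec312ff356dde41d2e007fd009",
    "2014-02-05T10:00:03 laptop1 net dst=whatsappload.ru port=80",
    "2014-02-05T10:00:40 laptop1 net dst=whatsappload.ru port=443",
    "2014-02-05T10:05:00 laptop2 net dst=example.com port=443",
    "2014-02-05T10:06:00 laptop2 file_open name=report.doc md5=d41d8cd98f00b204e9800998ecf8427e",
]


def md5_hex(data: bytes) -> str:
    """MD5 of a downloaded file's bytes, for comparison against IOC_MD5."""
    return hashlib.md5(data).hexdigest()


def parse_event(line: str) -> dict:
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, host, kind, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def match_iocs(lines):
    """Return (host, reason) for every event that touches a known hash or domain."""
    hits = []
    for ev in map(parse_event, lines):
        if ev["kind"] == "file_open" and ev.get("md5") in IOC_MD5:
            hits.append((ev["host"], f"known-bad file {IOC_MD5[ev['md5']]}"))
        if ev["kind"] == "net" and ev.get("dst") in IOC_DOMAINS:
            hits.append((ev["host"], f"contacted {ev['dst']}:{ev['port']}"))
    return hits


def detect_doc_then_backdoor(lines, window_s=60):
    """Behavioural rule: a document open followed, within window_s seconds, by a
    connection to some domain and then a port-443 connection to that same domain.
    Returns (host, document, domain) per hit; ignores hashes and domain names."""
    by_host = {}
    for ev in map(parse_event, lines):
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, opener in enumerate(events):
            if opener["kind"] != "file_open":
                continue
            deadline = opener["ts"] + timedelta(seconds=window_s)
            contacted = set()  # domains this host reached since the document was opened
            for later in events[i + 1:]:
                if later["ts"] > deadline:
                    break
                if later["kind"] != "net":
                    continue
                if later["dst"] in contacted and later["port"] == "443":
                    alerts.append((host, opener["name"], later["dst"]))
                    break
                contacted.add(later["dst"])
    return alerts


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_EVENTS):
        print("IOC:", *hit)
    for hit in detect_doc_then_backdoor(SAMPLE_EVENTS):
        print("BEHAVIOUR:", *hit)
```

The IOC match only catches this one campaign; the behavioural rule fires on laptop1 without knowing either hash or domain, which is why the second check is the one worth keeping once the Sochi indicators have aged out.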
Finally, Engel's Mac was hacked because he clicked the link at this trustworthy-looking site:
NBC has already responded to earlier claims that the segment was "fraudulent," saying it was "merely designed to show how easily a non-expert could fall victim to a hack." And with the exception of Williams' over-the-top intro, the piece doesn't so much make up facts as omit key sections of the narrative to induce the maximum amount of panic.
As Wilhoit concluded: "Attacks occur worldwide in many countries. Of course, some do originate from Russia. Attacks can occur while you are sitting in a coffee shop in Berlin, Tokyo, or Philadelphia, but in this case Richard was sitting in a Russian cafe so his Google search returned several local results. The combination of default security settings, unpatched software, and risky behavior... was the reason the devices he used got infected."
Not as juicy as the NBC News segment, of course, but accurate.