A video warning all Sochi Olympic visitors that their electronics will be immediately hacked as soon as they turn them on has been circulating widely. The video is below.
There is a lot to digest here. First, there’s the alarming open:
As tourists and families of athletes arrive in Sochi, if they haven’t been warned, and if they fire up their phones at baggage claim, it’s probably too late to save the integrity of their electronics and everything inside them.
Yikes. Can this possibly be true? At first blush, this sounds like an incredible overreaction. This report was filed by NBC’s Brian Williams and Richard Engel, not some novice journalist. There’s background assist from Kyle Wilhoit, a Senior Threat Researcher at Trend Micro.
Jump to about 1:13 in the video to watch Engel open a brand new MacBook Air. Made me want to cry. Doesn’t give me a lot of hope that these two know what they are doing. But I digress.
The team went to a local wifi hotspot and fired up a smart phone. Immediately, they see a downloading message. Clearly an Android phone. Wilhoit concludes that they are being hacked, that malware is being installed on the phone. Wilhoit does not say how he knows this, just that it’s malware. I’d like to know more. Could it be an update? Perhaps a file the phone needs to deal with an unknown carrier?
Next, the team heads back to the hotel, where they had left two brand new computers up and running. One of them was a brand new MacBook Air (with a horribly mangled box). As the video says, the hackers came sniffing around within minutes and within 24 hours, the hackers had taken over both computers.
Again, I’d really like to know more. Did they leave both computers in their default state? Did they enable any firewall or take any steps to protect the computers? Were the computers purposely made easy to penetrate?
You can read about Wilhoit’s techniques here (thanks to Steve Hayman for the link). While interesting, much of the background is missing. He promises more tomorrow.
If I was traveling to Sochi, I would heed the advice in this video and leave any important data at home. Assume that the contents of your smart phone and computer will be copied while you are there and only take what you can afford to have taken.
I look forward to learning more about this scenario.
UPDATE: Follow this link for a far less edited version of the video. They were purposely careless. The phone is a Samsung Android phone. They followed a URL that led to an apk file and knowingly downloaded the unknown application. True, many people would do that, but anyone with even a slight bit of tech savvy would know not to do that.
Next, they purposely opened an unknown email attachment on their computer. Yeesh. I call BS on the whole report. Disappointed in NBC.