Russia is sometimes portrayed as a haven for hackers. So with tens of thousands of people descending on Sochi for the Olympic Games, NBC reporter Richard Engel set out to prove just how scary Russia is when it comes to IT security.
In a frightening segment shown on NBC News, Engel described how quickly Russian hackers were able to work their way into a brand-new Mac, PC and Android phone that he had brought with him from the United States.
"Malicious software hijacked our phone," Engel marvels, "before we even finished our coffee."
Engel's initial report makes it sound like he did the online equivalent of leaving his bag unattended at the airport. What really happened shows that while yes, the Russian Internet can be a dangerous place, it's likely no more dangerous than the American Internet if you take the same precautions you would anywhere else.
Critics jumped on the report, with some going so far as to call it fraudulent.
"Most everything they describe in the story is as equally true at your local Starbucks as it is in Sochi," wrote Gartner analyst Paul Proctor in a blog post.
But you don't have to take the skeptics at their word. NBC's own in-depth explainer on Engel's experiment tells you how flawed the project was.
Engel's first encounter with malware begins when he takes his new Android phone out for a spin. Then the security researcher he's working with, an American named Kyle, tells him that his browser is about to download what's called an APK file. APK files are digital packages containing apps or other software; when the user opens one, it installs itself on the phone. By default, Android blocks the installation of APKs that don't come from a designated app store; you have to disable a security lock if you really want to install third-party APKs.
So Engel's actions tell us a few things right off the bat. First, the APK security lock was disabled. Second, he used his browser to download the APK, which means he had to manually seek out the dangerous site hosting the APK. And third, after he downloaded the APK, he had to open it himself.
By taking these steps, Engel wasn't the passive victim of a hack. He was simply behaving unsafely on the Internet. The same goes for what happens with the new laptops he brought to Russia. Within moments of setting up his e-mail account, Engel got hit by a phishing scam. As anyone who's ever received a plea from a Nigerian prince knows, you don't have to be in Russia (or even behaving unsafely) to get those e-mails. There's nothing particularly ominous about receiving a phishing e-mail in an inbox half a world away.
"While journalists are frequently targeted by surveillance, in this case, the journalists in question appear to have spent some time prowling the digital badlands looking for trouble," said Morgan Marquis-Boire, a researcher at the University of Toronto. "There's a big difference between being compromised as soon as you connect to a network and going looking for malware."
In another example of risky behavior, Engel clicked on the attachment in the e-mail without verifying the sender's identity. Unless you're trying to prove the dangers of phishing e-mails, nothing about this behavior incriminates Russia in particular.
This doesn't mean that there aren't other ways to get hacked. Trading your credentials over an untrusted WiFi network is a good way to get spied on, for instance. Nor does this invalidate the suggestions that Engel raises at the end of his segment: Don't click on unfamiliar links, and make sure your machines are up-to-date. But these are suggestions that apply no matter whether you're in Sochi or San Diego.
"The problem is, anytime you have a TV report, you don't have the details," said Allan Friedman, a cybersecurity scholar at George Washington University.