Cyber Risk at the Sochi Winter Olympics

Cyber Risk at the Sochi Winter Olympics
Cyber Risk at the Sochi Winter Olympics

The NBC report went on to quote Engel saying it took the hackers "less than one minute to pounce, and in less than 24 hours, they had broken into both of my computers."

The implication is clear – visitors to the Winter Olympics in Sochi should expect to be hacked. The problem is that security experts are seriously questioning the veracity of the report. It's not the hacking that is doubted, but the way in which it was reported – and Wilhoit himself has said that much was removed in the editing. Wilhoit is working on his own technical paper on the episode. A few hours before this article was written, he tweeted, "I'm working on it!" and "Paper coming with tech details soon."

Meanwhile, experts have been critical. Robert Graham of Errata Security posted a blog titled, That NBC story 100% fraudulent. "The 'hack' happens because of the websites they visit (Olympic themed websites), not their physical location. The results would've been the same in America." He adds, "The phone didn't 'get' hacked; Richard Engel initiated the download of a hostile Android app onto his phone."

Android Central further points out, "While it certainly is possible to hit a link and see a malicious app start downloading, it won't actually install without some other interaction. And one of the first checkpoints is the 'Unknown sources' option. If your phone isn't set to install apps from outside Google Play — in other words, 'unknown sources,' it'll tell you. And in just about every retail phone we can think of, that option is turn on by default. Those are but two layers of security. There are others."

The reality is, users will get hacked anywhere, anytime, if they do not take adequate precautions. The bigger threat to Sochi visitors will probably come from surveillance from the Russian security service, the FSB. Russian ISPs are required to install a SORM surveillance device that can intercept user's communications. 

ITproportal reports, "Professor Ron Deibert of the University of Toronto, describes the SORM expansion as 'PRISM on steroids', referring to the gathering of metadata by the NSA and the UK's own GCHQ, which was exposed earlier this year by mega-leaker Edward Snowden. The reality is that it is what all intelligence agencies do everywhere (although the FSB has official access to content rather than just metadata). 

"Travelers should be aware," confirms the US State Department, "that Russian Federal law permits the monitoring, retention and analysis of all data that traverses Russian communication networks, including internet browsing, e-mail messages, telephone calls, and fax transmissions."

For this reason Jason Hart, vice president at SafeNet, suggests that travelers should go with a false and prepared cyber persona. "Create a web identity just for the Games and do not link it to your existing day-to-day identities," he advises. "If you need to look at online content, use an internet café, not your personal device. However, make sure that you don’t access any sensitive information such as usual email or bank accounts." Perhaps the most important tip, he adds, is "ensure that the new identity cannot be linked back to your real identity.”

What’s Hot on Infosecurity Magazine?