Sochi 2014: Privacy and hacking at the Olympic Games
When visitors to Sochi, Russia, turn on their computers or smartphones to send emails or post updates on social media, they face the risk that hackers will break into their devices. But that doesn't necessarily mean they will get hacked.
In a recent report for NBC News, Richard Engel demonstrated how he was hacked in less than 24 hours in Moscow -- about 1,000 miles from Sochi. Engel, who was accompanied by Trend Micro threat researcher Kyle Wilhoit, set up brand new laptop computers and a smartphone with fake profiles and data.
Engel says he was hacked while connected to the Wi-Fi at a Moscow coffee shop. It's unclear if the network was protected, requiring a password to sign on. Without password protection, any savvy hacker in the area could have attacked the device.
Was Engel's report misleading?
“They went to a coffee shop, Googled 'Sochi' and downloaded an APK,” Marc Rogers, principal security researcher at Lookout Inc., told CBS News over the phone. Rogers did not work with Engel on the hacking story. An “APK” is a file that can be downloaded on Android smartphones. When downloaded, it asks for permission to gain access to the device. Once an application is granted permission, it can install malicious software or steal data.
A blog post by Errata Security alleges that Engel's report is "fraudulent" because they downloaded software from a suspicious website and gave it permission to access the phone. "The phone didn't 'get' hacked; Richard Engel initiated the download of a hostile Android app onto his phone," the blog states.
In an exchange with Wilhoit over Twitter, one user said, "APKs list permissions they're asking for. It's like telling a [burglar] to come steal your stuff and then complaining when he does." Wilhoit says they were mimicking normal users, and that these types of attacks are very effective.
Wilhoit was unavailable for comment, but is clarifying some of the technical details on Twitter. He says the report has technical merit, but he could not control how the segment was edited. Wilhoit is planning to publish full details of the report in an upcoming white paper.
"Keep in mind the target audience of the piece wasn't technical. While I agree some FUD (the term "FUD" is slang for "fear, uncertainty and doubt"), TV's goal is to make it interesting," Wilhoit tweeted.
The story was designed to show how a non-expert can easily fall victim to a cyber attack when they are deceived into downloading a piece of malicious software that is disguised as a friendly message or alert. Just like any regular user, Richard went online, searched sites and was very quickly targeted and received a tailored fake message designed to trick him into downloading the software.
No, everyone will not get hacked
Rogers says that if people use their devices like normal, they likely will not be hacked. Russia has more malware than the United States, but it is possible to stay safe while using computers or smartphones.
“The sky isn’t falling, but it is a high-risk environment,” Rogers says. “They portray the situation as that as soon as you get off the plane, your phone and laptop will get hacked.”
In 2013, there was a 63 percent chance of encountering malicious software in Russia, according to Lookout, compared to about 4 percent in the United States. But Rogers says Russian hackers cast a wide net and are not likely to target specific users. It’s more likely Internet users will be lured by clever tactics or bots.
“Targeted attacks like in China is not Russia’s cup of tea,” Rogers says. He added that the most common types of tricks that will be used during the Winter Olympics are fake news websites or links to what look like official Sochi sites.
“If you go to a coffee shop and search for 'Sochi,' you’ll run into links with malware,” Rogers says. He added that if users only visit websites they know, they are at low risk of getting hacked. Sites like Google, Facebook and Twitter offer Hypertext Transfer Protocol Secure (HTTPS) connections, which provide authentication that a device is communicating with the correct company.
Rogers says visitors in Russia can protect themselves by using strong anti-virus software and not downloading apps from unknown websites. He also suggests checking a website’s certificate of authenticity, which can be found by clicking on the left icon of a browser’s address bar.
Can the scores be hacked?
Those attending the Olympic Games in Sochi -- athletes, officials, volunteers and reporters -- will have some Wi-Fi protection. A massive network has been built in Sochi from scratch.
“There are five different Wi-Fi networks that we use. Using the examples of the athletes, they’ll have a pre-shared key they all know. They’ll connect to the network, and they’ll get into a separate secure network,” Dean Frohwerk, chief network architect at Avaya, told CBS News.
Avaya Inc., based in Santa Clara, Calif., is the company that has built Sochi’s network, which includes 2,500 Internet access points and Wi-Fi for 11 competition venues, three Olympic Villages, two media centers and celebration centers.
Avaya has to account for protecting data that is critical to the Games. In a statement given to CBS News via email, Avaya says: “Games critical applications -- supporting scoring, results and timing -- are carried over a dedicated network completely separated from any public access.”
“We built up the infrastructure from the bottom up,” Frohwerk says. Avaya expects these Olympic Games to have heavy traffic because of fans posting updates, photos and videos on social media sites. But Avaya is not providing network services to guests or spectators.
A majority of the visitors in Sochi will have to rely on Russian telecommunications. If they don't have access to protected Wi-Fi, they could be at risk of cyberattacks.
Security experts from Kaspersky Labs gave CBS News a list of safety tips for Sochi visitors, which include: avoid unprotected Wi-Fi networks; use a VPN connection for transactions that involve sensitive data, like online banking; and don’t open suspicious emails or attachments with Olympic-related headers. Sochi visitors should also avoid clicking on links inside of emails.
Big Brother is watching
With all of the cybersecurity precautions at work, visitors should still be mindful that the Russian government monitors all web traffic. The State Department issued this warning to tourists traveling to Sochi for the Olympic Games:
“Travelers should be aware that Russian Federal law permits the monitoring, retention and analysis of all data that traverses Russian communication networks, including Internet browsing, email messages, telephone calls, and fax transmissions.”
Experts agree that Sochi visitors should be cautious and use common sense. On whether or not everyone in Sochi will get hacked, Rogers says: “The reality is, you are going to be safe, so long as you don’t deviate from normal behavior.”