NBC News and the bullshit 'ZOMG Sochi Olympics Android hack' story

Your Android smartphone only installs malware if you're being dumb (or do it on purpose) — not automatically, and not just because you're in Russia.

This is just ridiculous, even for American "news" television. A report from NBC News was exposed — and rightfully so — by Errata Security (via Techmeme) for being so misleading that, frankly, we almost don't know where to begin.

The short version: NBC News says you'll be hacked the moment you try to connect in Russia. And it tries to show that with two examples: New laptops, fresh out of the box, and an Android smartphone — which we'll focus on here. 

In the piece, NBC's Richard Engel sits down with "top American security expert" Kyle Wilhoit — he works for Trend Micro, actually — and we see an Android smartphone downloading and installing malware. Oops. Hacked. Only, not really.

As Errata properly points out (and Wilhoit explains on Twitter as well, actually), this is all about visiting malicious sites, and not about actually being in Russia.

The story was fraudulent. It was about going to the Olympics in cyberspace (visiting websites), not going to their in person and using their local WiFi. — Errata Security

"Malicious software hijacked our phone — before we even finished our coffee."

What's more is that Android has safeguards built in by default. While it certainly is possible to hit a link and see a malicious app start downloading, it won't actually install without some other interaction. And one of the first checkpoints is the "Unknown sources" option. If your phone isn't set to install apps from outside Google Play — in other words, "unknown sources," it'll tell you. And in just about every retail phone we can think of, that option is turn on by default. Those are but two layers of security. There are others.

As anyone who's ever sideloaded an app (or watched TV) can see, there's been a little editing here. You don't see the permissions the malicious app declared. You don't see any of what actually happened — a point Wilhoit, who his credit, mentions on Twitter. As well as the fact that they weren't actually in Sochi — they were in Moscow. Not that it mattered. NBC was going to get the story it wanted.

And for what it's worth, you could plug your phone straight into a hacked computer and still have at least two other checkpoints to pass — USB debugging and the RSA key security mechanism that both must be allowed for something to be installed that way.

Hacking can and will always happen. There will always be exploits. We all need to be aware of the links we're clicking on, and the apps that we're downloading and installing.

And we need to not listen to NBC News when it tries to scare the hell out of folks just to tell a story.

Phil Nickinson