Facebook’s ‘Red Team X’ hunts bugs outside the walls of the social network

In 2019, hackers stuffed portable network equipment into a backpack and roamed a Facebook corporate campus to trick people into joining a fake Wi-Fi network. In the same year, they installed more than 30,000 cryptocurrency miners on real Facebook production servers in an attempt to hide even more sinister hacking in all the noise. All of this would have been incredibly worrying if the perpetrators had not been Facebook employees themselves, members of the so-called red team charged with detecting vulnerabilities before the bad guys do.

Most large technology companies have a red team, an internal group that plots and plans like real hackers to help prevent potential attacks. But as the world began to work remotely and increasingly relied on platforms like Facebook for all its interactions, the nature of the threats began to change. Facebook’s red team manager, Nat Hirsch, and colleague Vlad Ionescu saw an opportunity, and a need, to evolve their mission and expand in kind. So they launched a new red team that focuses on evaluating hardware and software that Facebook relies on but does not develop itself. They called it Red Team X.

A typical red team focuses on probing its own organization’s systems and products for vulnerabilities, while elite bug-hunting groups like Google’s Project Zero can focus on evaluating anything they consider important, no matter who makes it. Red Team X, founded in the spring of 2020 and led by Ionescu, represents a kind of hybrid approach, working independently of Facebook’s original red team to examine third-party products whose vulnerabilities could affect the social giant’s own security.

“Covid for us was really an opportunity to take a step back and evaluate how we all work, how it’s going and what could be next for the red team,” said Ionescu. As the pandemic continued, the group increasingly received requests to look at products that were outside its traditional scope. With Red Team X, Facebook dedicated resources to handling those requests. “Now engineers are coming to us and asking us to look at things they use,” Ionescu says. “And it can be any kind of technology – hardware, software, low-level firmware, cloud services, consumer devices, network tools, even industrial control.”

The group now has six hardware and software hackers with a wide range of expertise dedicated to it. It would be easy for them to go down a rabbit hole for months, prodding every aspect of a given product. So Red Team X designed an intake process that asks Facebook employees to articulate the specific questions they have: “Is the data stored on this device strongly encrypted?” say, or “Do these cloud containers have strict access controls?” Anything that gives direction on which vulnerabilities could cause Facebook the biggest headaches.

“I’m a big nerd about these things and people I work with have the same tendencies,” says Ionescu, “so if we do not have specific questions, we’ll spend six months on it and it’s actually not that useful.”

On January 13, Red Team X publicly disclosed a vulnerability for the first time, a problem with Cisco’s AnyConnect VPN that has since been patched. It is releasing two more today. The first is an Amazon Web Services cloud bug that involved the PowerShell module of an AWS service. PowerShell is a Windows management tool that can execute commands; the team found that the module would accept PowerShell scripts from users who should not be able to provide such input. The vulnerability would be difficult to exploit, as an unauthorized script would only run after the system had rebooted, something users would probably not be able to trigger. But the researchers pointed out that any user may be able to request a reboot by submitting a support ticket. AWS fixed the flaw.

The other new disclosure consists of two vulnerabilities in a power system controller from industrial control manufacturer Eltek called the Smartpack R Controller. The device monitors different power flows and essentially acts as the brain behind an operation. If it is connected to, for example, line power from the grid, a generator and battery backup, it can detect a blackout or brownout and switch the system’s power to the batteries. Or, on a day when the grid is functioning normally, it may notice that the batteries are low and start charging them.
