Facebook’s “Red Team X” hunts bugs beyond the walls of the social network

In 2019, hackers put networking equipment in a backpack and toured a Facebook corporate campus, trying to trick people into joining a fake guest Wi-Fi network. That same year, they installed more than 30,000 cryptocurrency miners on real Facebook production servers, trying to hide even more sinister hacking in all the noise. All of this would have been incredibly alarming had the perpetrators not been Facebook employees themselves, members of the so-called red team charged with finding vulnerabilities before the bad guys do.

Most large tech companies have a red team, an internal group that plots and schemes like real hackers to help head off possible attacks. But as the world began to work remotely, relying ever more on platforms like Facebook for all of its interactions, the nature of the threats began to change. Facebook red team director Nat Hirsch and teammate Vlad Ionescu saw an opportunity and a need for their mission to evolve and expand in kind. So they launched a new red team, focused on evaluating hardware and software that Facebook relies on but does not develop itself. They called it Red Team X.

A typical red team focuses on examining its own organization's systems and products for vulnerabilities, while elite bug-hunting groups like Google's Project Zero can focus on evaluating anything they consider important, regardless of who makes it. Red Team X, founded in the spring of 2020 and led by Ionescu, represents a kind of hybrid approach, working independently of Facebook's original red team to probe third-party products whose weaknesses could affect the security of the social giant.

“Covid for us was really an opportunity to take a step back and assess how we’re all working, how things are going and what could be next for the red team,” Ionescu says. As the pandemic wore on, the group received more and more requests to examine products that fell outside its traditional scope. With Red Team X, Facebook now has resources dedicated to handling those requests. “Now engineers come to us and ask us to examine the things they use,” Ionescu says. “And it can be any kind of technology: hardware, software, low-level firmware, cloud services, consumer devices, network tools, even industrial control.”

The group now has six experienced hardware and software hackers dedicated to this scrutiny. It would be easy for them to disappear down rabbit holes for months at a time, probing every aspect of a given product. So Red Team X designed an intake process that encourages Facebook employees to articulate the specific questions they have, say, “Is the data stored on this device strongly encrypted?” or “Does this cloud container strictly manage access controls?” Anything that gives clues as to which vulnerabilities would cause Facebook the biggest headaches.

“I’m a huge nerd about these things and the people I work with have the same tendencies,” Ionescu says, “so if we don’t have specific questions, we’ll spend six months looking, and that’s not so helpful.”

On January 13, Red Team X publicly disclosed a vulnerability for the first time, a problem in Cisco's AnyConnect VPN that has since been fixed. Two more come out today. The first is a bug in Amazon Web Services' cloud involving the PowerShell module of an AWS service. PowerShell is a Windows management tool that can execute commands; the team found that the module would accept PowerShell scripts from users who should not have been able to supply such input. The vulnerability would have been difficult to exploit, because an unauthorized script would only run after a system reboot, which such users likely could not trigger themselves. But the researchers noted that it might be possible for any user to request a reboot by submitting a support ticket. AWS has fixed the flaw.

The other new disclosure consists of two vulnerabilities in a power systems controller from industrial control manufacturer Eltek, called the Smartpack R Controller. The device manages different power flows and essentially acts as the brain of an installation. If it is connected to, for example, mains line voltage, a generator, and battery backups, it can detect an outage or brownout and switch the system's power over to the batteries. Or, on a day when the grid is working properly, it might notice that the batteries are low and start charging them.
