Facebook’s ‘Red Team X’ hunts for bugs beyond the walls of the social network

In 2019, hackers tucked portable networking equipment into a backpack and roamed Facebook’s corporate campus to trick people into joining a fake guest Wi-Fi network. That same year, they installed more than 30,000 cryptominers on Facebook’s actual production servers in an attempt to hide even more sinister hackers amid the noise. All of this would have been incredibly alarming if the perpetrators had not been Facebook employees themselves, members of the so-called red team in charge of finding vulnerabilities before the bad guys do.

Most large technology companies have a red team, an internal group that plots and plans what real hackers would do in order to help prevent potential attacks. But when the world began to work remotely, increasingly dependent on platforms like Facebook for all its interactions, the nature of the threats began to change. Facebook red team manager Nat Hirsch and colleague Vlad Ionescu saw an opportunity and a need for their mission to evolve and expand in kind. So they launched a new red team, one that focuses on evaluating the hardware and software that Facebook depends on but does not develop itself. They called it Red Team X.

A typical red team focuses on probing its own organization’s systems and products for vulnerabilities, while elite bug-hunting groups like Google’s Project Zero can focus on evaluating anything they consider important, regardless of who makes it. Red Team X, founded in the spring of 2020 and led by Ionescu, represents a kind of hybrid approach, working independently of Facebook’s original red team to probe third-party products whose weaknesses could affect the social giant’s own security.

“Covid for us was really an opportunity to take a step back and assess how we are all working, how things are going and what could be next for the red team,” said Ionescu. As the pandemic progressed, the group increasingly received requests to research products that were outside its traditional scope. With Red Team X, Facebook has dedicated resources to handling these requests. “Now the engineers come to us and ask us to look at the things they are using,” says Ionescu. “And it can be any type of technology – hardware, software, low-level firmware, cloud services, consumer devices, networking tools and even industrial control.”

The group now has six hardware and software hackers with extensive experience dedicated to this work. It would be easy for them to go down rabbit holes for months on end, poking at every aspect of a particular product. So Red Team X designed an intake process that asks Facebook employees to articulate the specific questions they have: “Is the data stored on this device strongly encrypted?” say, or “Is this cloud container enforcing access controls strictly?” Anything that points toward the vulnerabilities that would cause Facebook the biggest headaches.

“I’m a big nerd about these things and the people I work with have the same tendencies,” says Ionescu, “so if we don’t have specific questions, we’re going to spend six months eavesdropping and that’s not really useful.”

On January 13, Red Team X publicly disclosed a vulnerability for the first time, an issue with Cisco’s AnyConnect VPN that has now been fixed. It is disclosing two more today. The first is a bug in Amazon Web Services that involved the PowerShell module of an AWS service. PowerShell is a Windows management tool that can execute commands; the team found that the module would accept PowerShell scripts from users who should not have been able to submit them. The vulnerability would have been difficult to exploit, because an unauthorized script would only be executed after a system reboot – something those users probably would not have the power to trigger. But the researchers pointed out that any user might be able to request a restart by filing a support ticket. AWS has fixed the flaw.

The other new disclosure consists of two vulnerabilities in a power system controller from industrial control manufacturer Eltek called the Smartpack R Controller. The device monitors different energy flows and essentially acts as the brain behind an installation. If it is connected to, say, mains line voltage, a generator and battery backups, it can detect a power outage or blackout and switch the system over to the batteries. Or on a day when the grid is functioning normally, it may notice that the batteries are running low and start charging them.
