In 2019, hackers stuffed portable network equipment into a backpack and roamed a Facebook corporate campus to trick people into joining a fake guest Wi-Fi network. That same year, they installed more than 30,000 cryptominers on real Facebook production servers in an attempt to hide even more sinister hacking in all the noise. All of this would have been incredibly alarming had the perpetrators not been Facebook employees themselves, members of the so-called red team charged with spotting vulnerabilities before the bad guys do.
Most big tech companies have a red team, an internal group that plots and plans like real hackers would to help head off potential attacks. But when the world began working remotely, increasingly reliant on platforms like Facebook for all of their interactions, the nature of the threats began to change. Facebook red team manager Nat Hirsch and colleague Vlad Ionescu saw an opportunity, and a need, for their mission to evolve and expand in kind. So they launched a new red team, one that focuses on evaluating hardware and software that Facebook relies on but doesn’t develop itself. They called it Red Team X.
A typical red team focuses on probing its own organization’s systems and products for vulnerabilities, while elite bug-hunting groups like Google’s Project Zero can focus on evaluating anything they think is important no matter who makes it. Red Team X, founded in the spring of 2020 and led by Ionescu, represents a sort of hybrid approach, working independently of Facebook’s original red team to prod third-party products whose weaknesses could impact the social giant’s own security.
“Covid for us was really an opportunity to take a step back and evaluate how we’re all working, how things are going, and what might be next for the red team,” Ionescu says. As the pandemic wore on, the group increasingly got requests to look into products that were outside of its traditional scope. With Red Team X, Facebook has put dedicated resources toward running down those inquiries. “Now engineers come to us and request that we look at things they’re using,” Ionescu says. “And it can be any kind of tech—hardware, software, low-level firmware, cloud services, consumer devices, network tools, even industrial control.”
The group now has six hardware and software hackers with broad expertise dedicated to that vetting. It would be easy for them to go down hacking rabbit holes for months at a time prodding every aspect of a given product. So Red Team X designed an intake process that prompts Facebook employees to articulate specific questions they have: “Is data stored on this device strongly encrypted?” say, or “Is this cloud container managing access controls strictly?” Anything to give direction about what vulnerabilities would cause Facebook the biggest headaches.
“I’m a huge nerd about this stuff and people I work with have the same tendencies,” Ionescu says, “so if we don’t have specific questions we’re going to spend six months poking around and that’s not actually that useful.”
On January 13, Red Team X publicly disclosed a vulnerability for the first time, an issue with Cisco’s AnyConnect VPN that has since been patched. It’s releasing two more today. The first is an Amazon Web Services cloud bug that involved the PowerShell module of an AWS service. PowerShell is a Windows management tool that can run commands; the team found that the module would accept PowerShell scripts from users who shouldn’t have been able to make such inputs. The vulnerability would have been difficult to exploit, because an unauthorized script would only actually run after the system rebooted—something users likely wouldn’t have the power to trigger. But the researchers pointed out that it might be possible for any user to request a reboot by filing a support ticket. AWS fixed the flaw.
The other new disclosure consists of two vulnerabilities in a power system controller from industrial control manufacturer Eltek called Smartpack R Controller. The device monitors different power flows and essentially acts as the brains behind an operation. If it’s connected to, say, line voltage from the grid, a generator, and battery backups, it might detect a brownout or blackout and switch system power over to the batteries. Or on a day when the grid is functioning normally, it might notice that the batteries are low and initiate charging them.
Eltek patched both flaws, but the finding underscores the diversity of Red Team X’s projects. A networked power system controller might seem like specialized industrial infrastructure that wouldn’t be directly relevant to a web company like Facebook, but such devices are increasingly common in offices and even residential buildings around the world.
The emergence of Red Team X seems especially well-timed given revelations in December that suspected Russian state-backed actors penetrated the IT management company SolarWinds. They used that position to attack hundreds of other targets in the United States and abroad through tainted updates to the company’s Orion network monitoring tool. Such “supply-chain attacks” that prey on the tech industry’s interconnected ecosystem are difficult to fully defend against and represent one of the security industry’s most intractable challenges.
“The Red Team X mission speaks directly to trying to secure the supply chain for Facebook,” Ionescu says. “Our scope is to look at the security of pretty much anything that would be consequential to Facebook as a company.”
Red Team X stands out not only for the breadth of potential vulnerabilities it investigates, but for its very existence in the first place. Cedric Owens, a longtime corporate red team leader who gave a talk on Wednesday at the security conference GrimmCon about the basics of establishing a corporate red team, emphasizes that it can be difficult for security teams to get the headcount they need.
“Most internal red teams do not have the time, resources, or skill sets to regularly hunt for zero day vulnerabilities,” Owens says. “So having a sister team like Red Team X would be a nice benefit when the normal red team wants to emulate a higher level adversary with zero day vulnerability exploitation capabilities. But usually only the top one percent of companies would have that.”
While the Red Team X model won’t become ubiquitous anytime soon, it’s still important for the corporate one percent to fund these mechanisms. With 2.8 billion users relying on Facebook to protect their data and communications, the company must make every effort to ensure that its own products and those of its vendors are as secure as possible. When Facebook has a security issue, it’s bad for everyone. When Red Team X helps get bugs across the tech spectrum fixed, that potentially makes a lot of other services and platforms safer too.