ioXt Alliance Member Snapshot: IBM X-Force Red Charles Henderson

Q:  What is X-Force Red? 

X-Force® Red is IBM Security’s team of hackers. Organizations hire us to uncover risky vulnerabilities within their networks, applications, hardware, devices and personnel that criminal attackers may use for personal gain. X-Force Red offers penetration testing, adversary simulation and vulnerability management programs to help security leaders identify and remediate security flaws covering their entire digital and physical ecosystem.

X-Force Red can do whatever criminal hackers can do, but with the goal of helping security leaders harden their defenses and protect their most important assets.

We have 200+ hackers worldwide, many of whom have discovered zero-day vulnerabilities, built first-of-their-kind attack tools, presented at the top cybersecurity conferences, provided thought leadership for high profile media outlets, testified before Congress, and have been hacking since they were children. Our mission statement sums it up best – “Our mission: hacking anything to secure everything.”

Q:  What do you do for IBM?

As the Global Managing Partner and Head of X-Force Red, I lead X-Force Red’s strategy for the services we offer and how they complement IBM Security’s portfolio at-large. I also built our team of 200+ hackers from the ground up and am responsible for making sure they have fulfilling careers and continuously provide value to our clients. My days typically consist of being interviewed by news reporters (I provide thought leadership commentary often on all cybersecurity-related topics), presenting to IBM’s leadership and clients, touching base with my team members worldwide, ensuring our client work is running successfully and keynoting conferences. Considering I began my career as a hacker and then evolved into a business leader and spokesperson, I bring a well-rounded perspective to security conversations. 

Q:  Why are you involved with the ioXt Alliance? 

As technology fans and IoT consumers, we are really excited about ioXt. The organization offers a structured approach that can lead to more secure products, which includes those many of us use in our own homes.

Q:  What are the most common vulnerabilities in IoT devices?

Obviously, there are many serious vulnerabilities which are not on the “commonly found” list that are important to consider too. Afterall, just one vulnerability can lead to a serious compromise. When we are, however, talking about common IoT vulnerabilities we find, I would say hard coded or default passwords top the list. Maintaining basic security hygiene is a persistent problem for many manufacturers. Here is a list of other common vulnerabilities we find:

• unlocked programming interfaces allowing firmware extraction

• exposed debugging interfaces allowing information disclosure – i.e. boot process, devices being mounted, interfaces being enabled etc.

• exposed test points giving access to individual chip pins – i.e. for reading GPIO states or flipping them to enable boot loader etc.

• exposed chip to chip communications – i.e. UART for internal modem or SPI/I2C for RF/NFC/BLE config of SoC components.

• exposed shell/login interface - i.e. serial UART console

• inclusion of known vulnerable libraries

• inclusion of known vulnerable/old software such as DHCP, SSH etc.

• inability to easily update firmware

• inclusion of third-party modules with unknown vulnerabilities of their own – i.e., wifi/3g/ble modules

• multi-function devices not disabling unused functions – i.e. memory being used as flash also has SD interface with separate lockdown configuration open by default

• storage of plaintext credentials in easy to read flash chips - i.e. lack of crypto

• "secure" components vulnerable to advanced attacks such as glitching

• insecure network communication (basically, no TLS or improperly implemented TLS)

• insecure firmware update process

• the same weak, default credentials on every device

Q: what is the most impactful hack in your opinion (one that completely changed the landscape) either from this year or in recent years?

The collective vulnerability research that has been presented at the top cybersecurity conferences, such as Black Hat and Def Con, point to serious vulnerabilities in various IoT devices and platforms, many of which have made mainstream news around the world. All of those conference talks show the impact and increasing prevalence of IoT attacks.

Q:  Are there other things you think the industry can improve on? 

We must be more transparent to the end consumer of IoT products about the security of the devices they are purchasing. That is the best way to build consumer trust. We can draw parallels to the safety concerns and assurances consumers may have about other products they buy. Many products come with safety ratings and assurances that confirm the products are safe to use. We need that same level of assurance for security around IoT devices. Consumers should have a declarative attestation that their devices are secure.

Q:  What do you want members to know about you?

I am a business executive, hacker and vulnerability researcher who uses my unique perspective to build valuable security programs for clients. I’ve been in the industry more than two decades leading hacking and vulnerability research teams. I’m interviewed regularly by CNN, Fox Business, NBC and other major television and print media outlets due to my vast hacking experience and ability to translate technical concepts into a language that all audiences – security and non-security – can understand.