IBM Security has announced the release of two new security testing practice areas focused on the Internet of Things (IoT) and automotive security. An elite team of IBM X-Force Red Researchers will deliver the new services. These Researchers focus on testing physical hardware, apps and backend processes employed to control access and management of smart systems.
To offer security services by design to organizations developing IoT solutions for all industries, the new IoT services will be delivered alongside the Watson IoT Platform. The risk of introducing vulnerabilities into existing systems remains unacceptably high, with 58% of organizations testing their IoT applications only during the production phase.¹ The IBM X-Force Red services bring an additional layer of penetration and security testing, while the Watson IoT Platform offers configuration and management of IoT environments.
With the addition of Security Specialists such as Dustin Heywood (aka Evil_Mog with Team Hashcat) and Cris Thomas (aka Space Rogue), IBM X-Force Red marked its first-year anniversary. These two Specialists add to the team’s impressive roster of talent worldwide. In order to further improve their engagements, IBM X-Force Red has created “Cracken”, a password cracker specifically developed to help clients improve password hygiene.
Over the past year, we’ve seen security testing further emerge as a key component in clients’ security programs. Finding issues in your products and services upfront is a far better investment than the expense of letting cyber-criminals find and exploit vulnerabilities. Our own investments in people, tools and expertise have more than tripled our security testing capabilities in the first year of IBM X-Force Red, making our offense our clients’ best defense.
Charles Henderson, Global Head of IBM X-Force Red
Connected Car Security is a Global Priority
The production of new automobiles furnished with data connectivity, either by a tether to a mobile device or via a built-in communications module, is estimated by Gartner to reach 61 million in 2020.² With present and future challenges in mind, IBM X-Force Red built an automotive practice committed to helping clients secure human interactions, applications, networks and hardware.
To build expertise and programmatic penetration testing and consulting services, IBM X-Force Red worked with more than a dozen automotive manufacturers and third-party automotive suppliers. The automotive practice aims to standardize security protocols and to help shape and share industry best practices.
The new automotive practice also applies research findings that IBM X-Force Red disclosed early this year. These findings alerted the automotive industry and consumers to security pitfalls inherent in connected cars. The research focused on the insecure transfer of ownership between owners of some connected cars, which may create an opportunity for a malicious takeover of vehicle functions such as horn and light control, remote start, unlocking and locking of doors, and the ability to geo-locate the current owner through a mobile app. When the research findings were disclosed at RSA 2017, IBM X-Force Red and Henderson also revealed that these security loopholes were detected across four major auto manufacturers.
The interconnected systems and components in a modern vehicle can number in the hundreds or thousands, each with its own vulnerabilities and security controls. When these components are combined and connected to mobile applications and external servers, the total number of possible vulnerabilities for the vehicle exceeds the sum of the vulnerabilities of its parts. With this in mind, IBM X-Force Red carries out distinct security testing of the components as well as solution-based security testing for the complete system of the vehicle.
Watson IoT Platform and IBM X-Force Red
According to Gartner, 8.4 billion connected things will be in use globally in 2017. This is 31% higher than 2016 and will reach 20.4 billion by 2020.³ While the insights gained from IoT data help drive revenue streams and forge lasting customer relationships, demand and shortened production cycles often lead to rushed or non-existent security testing for these new products and services.
Perceived gaps in the security of emerging technologies such as IoT and connected cars have led IBM X-Force Red to change how it delivers security testing. On-demand and programmatic security testing through the complete lifecycle of the products is emerging as the best approach to discovering vulnerabilities proactively. Watson IoT Platform customers will now be able to draw on the security expertise of IBM X-Force Red throughout development and deployment.
It’s not just about the technology, it is also about the global reach, investment, and collaborative approach which make IBM a trusted IoT partner for enterprise IoT solutions. With IoT technologies permeating the farthest corners of industry, IBM is bringing our Watson IoT Platform and X-Force Red security talent together to address present and future concerns.
James Murphy, Offering Manager, IBM Watson IoT Platform
With intrinsic security controls, the Watson IoT Platform approach is security by design, delivered as a cloud-based service with industry-recognized ISO27001 compliance. The platform also features sophisticated IoT security service capabilities that extend it with Threat Intelligence for IoT. These features help customers create policy-driven automations to prioritize operational responses for IoT incidents and visualize critical risks in the IoT landscape.
Together, the experience and skills of the X-Force Red team and the Watson IoT Platform offer important components to help clients get off to the right start, from design all the way through to the launch of their IoT solution.
Investing in Infrastructure
IBM X-Force launched the Red Portal, a cloud-based collaboration platform for clients and security professionals, in February 2017. The platform presents an end-to-end view of security testing programs. Clients can view real-time testing project milestones, reports of findings, vulnerabilities across all assets, and the overall status of their managed testing program. The Red Portal centralizes and streamlines all communications with X-Force Red and offers a way to start remediation instantly on the most important items.
X-Force Red will reveal the latest weapon in its arsenal at this year’s Black Hat conference. The team uses Cracken, a dedicated password-cracking cluster, during security assessments and penetration tests. To demonstrate the importance of password complexity and length, X-Force Red will allow attendees to test passwords against Cracken at Booth #616 during Black Hat USA 2017.
IBM X-Force Red at Black Hat 2017 and DEF CON 2017
At Black Hat USA 2017, Charles Henderson, Global Head of IBM X-Force Red, will present his theory of real-life penetration testing, “Better Than Mr. Robot”. The session will take place in Business Hall Theater B, Mandalay Bay on Thursday, July 27th from 11:00-11:50 a.m. PT.
At DEF CON 25, Chris Thompson, Red Team Ops Lead, IBM X-Force Red, will present his demonstration of advanced Red Team tactics, “MS Just Gave the Blue Team Tactical Nukes (and How Red Teams Need to Adapt)”. The demo will take place in the 101 Track on Saturday, July 30th from 3:00-3:45 p.m. PT.
At Booth #616, Level 1 Business Hall, Mandalay Bay, on July 26th & 27th, X-Force Red and other IBM Security experts will demonstrate their latest offerings.
1 2017 Study on Mobile and IoT Application Security, Ponemon Institute, Arxan, & IBM Security
2 Gartner, Gartner Says Connected Car Production to Grow Rapidly Over Next Five Years, September 2016
3 Gartner, Forecast: Internet of Things — Endpoints and Associated Services, Worldwide, 2016, December 2016