When Liza Minnelli sang that famous tune, “Money makes the world go around,” she should have added one more word: time. Time makes the world go around. It’s that one agreed-upon part of life that the world shares. From laptops to phones to wall clocks to just about every other technology, time is everywhere, controlling our important life responsibilities. In cybersecurity, time is also critical. Event log files rely on time. Forensic investigations rely on time. Networks rely on time. In fact, Network Time Protocol (NTP) is one of the oldest internet protocols still in use.

So, imagine the impact if an attacker were to manipulate time. That’s the question our X-Force Red Global Hardware Hacking Lead Adam Laurie is diving into for his upcoming Black Hat Europe keynote presentation. I spoke to him ahead of his talk to get a better sense of what it will cover.

Abby: Thank you, Adam, for taking the time (wink, wink) to chat with me. This topic is unique. Why did you choose to explore it further?

Adam: Abby, everything relies on accurate timing. Transactions rely on time. Blockchain relies on time. Communication protocols and systems can’t operate without synchronized clocks because they use time windows for transmissions. If clocks are skewed, the transmissions will bump into each other and the whole thing breaks down. Time is at the center of our most important activities, which is why I thought it would be interesting to see how an attacker could manipulate time, and the type of impact it would have from a cybersecurity perspective.

Abby: Which cybersecurity processes do you think would be most impacted by an attacker skewing time?

Adam: Initially, I had thought that forensic investigations might be some of the biggest ones. When you investigate an incident, you look through the event logs within a certain time window to put the pieces together on when unusual activity occurred. For example, if an incident happened on a Thursday night, you might look through the events that took place the week prior to see if you could spot unusual activity. Now let’s say an attacker skewed the clocks so all the activity got incorrectly logged as occurring many days or weeks before it. You would never see the events that were logged before the incident really occurred, and, in some cases, may not even realize you were looking at entirely the wrong window of time. However, the more I looked at this the more I realized that real-time issues are far greater and more challenging to resolve.

Abby: What are some ways that criminals could ‘attack’ real time?

Adam: Accurate time derived from atomic clocks gets distributed in various ways, the main ones being network (NTP), satellite (GPS), RF (MSF/DCF/WWV, etc.) and GSM. If one looks skewed, I can still rely on two or more of the others, looking for consensus that indicates they are still in sync and accurate. But what if a criminal could attack a majority? They could sit outside your building and manipulate the satellite clock by spoofing or jamming the very weak radio signals, which would then mess up your GPS clocks. You can do the same for RF clocks. What is the response to that? Is there any defense against that?

The problem is that there is currently no way to identify a ‘real’ time signal from a spoofed one. In the U.K., we have a system called MSF which is an RF signal transmitted by the National Physical Laboratory that can be received anywhere in the U.K. Other countries have their own variants. The transmitter is connected to an atomic clock, but it’s just beeps and boops. Nothing validates the signal. There is no handshake. It’s a one-way broadcast transmission. If I sit outside your facility and override that signal, I can make your RF clock show any time I like and if that clock feeds into your local network time via your own ‘secure’ NTP server then I’ve potentially altered your vision of ‘correct’ time.

Abby: What can happen if we don’t secure time?

Adam: In the worst-case scenario, a bad actor could execute a massive denial-of-service (DoS) attack against our banking, telecommunications and other vital systems.

Abby: I would imagine securing time isn’t a new concept? Why haven’t we seen more presentations and discussions about it?

Adam: There have been previous attempts to work around this problem by adding encryption and/or authentication to NTP itself, but there were issues with scalability and implementation. Surprisingly, securing NTP properly, from an RFC (Request for Comments) standpoint, is a relatively new occurrence. RFC is the system by which the Internet agrees on standards. If you needed to know how a protocol works, for example, you would view the RFC and work forward from there. It shows how the protocol and parameters were agreed upon. The first RFC for NTP was back in the early eighties, but the secure time (NTS) RFC was only published in 2020, so it is pretty new.

Abby: Thank you, Adam. If you want to learn more about the potential threats against time and how it can be better secured, watch Adam’s keynote at Black Hat Europe! Details can be found here.
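Adam describes the defence that is available today: compare several independent time references (NTP, GPS, RF broadcasts such as MSF, GSM) and trust a value only when a majority of them agree, treating the rest as suspect. The following Python is an added example written for this page; it is not code from the interview, from Adam Laurie or from X-Force Red. It clusters per-source clock offsets and returns a consensus only when a strict majority falls within a tolerance. The source labels and offsets are constructed sample data, and the 0.5 s tolerance and majority quorum are assumptions chosen for the illustration, not values from the interview.

```python
"""Consensus check across independent time sources (added example).

Each sample is one reference clock's reported time minus the local clock.
A source is trusted only if it sits inside the largest cluster of mutually
agreeing sources and that cluster reaches the quorum. Everything else is
reported as an outlier worth alerting on.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class TimeSample:
    source: str      # constructed label, e.g. "ntp", "gps", "msf", "gsm"
    offset_s: float  # source time minus local clock, in seconds


@dataclass(frozen=True)
class Consensus:
    offset_s: float          # agreed correction to apply to the local clock
    agreeing: tuple          # sources inside the winning cluster
    outliers: tuple          # sources that disagree with it (skewed or spoofed)


def find_consensus(samples: Sequence[TimeSample],
                   tolerance_s: float = 0.5,      # assumed agreement window
                   quorum: Optional[int] = None) -> Optional[Consensus]:
    """Return the majority view of the correct offset, or None if no quorum.

    The quorum defaults to a strict majority of the configured sources, so a
    2-vs-2 split yields None rather than silently picking a side.
    """
    if not samples:
        return None
    if quorum is None:
        quorum = len(samples) // 2 + 1

    # Largest cluster: for each sample, collect every sample within tolerance
    # of it and keep the biggest group found.
    best: List[TimeSample] = []
    for anchor in samples:
        cluster = [s for s in samples
                   if abs(s.offset_s - anchor.offset_s) <= tolerance_s]
        if len(cluster) > len(best):
            best = cluster

    if len(best) < quorum:
        return None

    names = {s.source for s in best}
    return Consensus(
        offset_s=median(s.offset_s for s in best),
        agreeing=tuple(sorted(names)),
        outliers=tuple(sorted(s.source for s in samples
                              if s.source not in names)),
    )


# Constructed scenarios (offsets in seconds; one hour = 3600 s).
NORMAL = [TimeSample("ntp", 0.01), TimeSample("gps", -0.02),
          TimeSample("msf", 0.03), TimeSample("gsm", 0.00)]

# One RF clock pushed an hour ahead: the other three outvote it.
ONE_SPOOFED = [TimeSample("ntp", 0.01), TimeSample("gps", -0.02),
               TimeSample("msf", 3600.0), TimeSample("gsm", 0.00)]

# Adam's worst case: the attacker skews a majority, so the honest NTP
# source is the one that gets flagged. Consensus alone cannot detect this.
MAJORITY_SPOOFED = [TimeSample("ntp", 0.01), TimeSample("gps", 3600.1),
                    TimeSample("msf", 3600.0), TimeSample("gsm", 3600.2)]

# Even split: no cluster reaches the quorum of 3, so no time is trusted.
SPLIT = [TimeSample("ntp", 0.0), TimeSample("gps", 0.1),
         TimeSample("msf", 3600.0), TimeSample("gsm", 3600.1)]


if __name__ == "__main__":
    for label, scenario in [("normal", NORMAL), ("one spoofed", ONE_SPOOFED),
                            ("majority spoofed", MAJORITY_SPOOFED),
                            ("split", SPLIT)]:
        print(label, "->", find_consensus(scenario))
```

The four scenarios trace Adam's argument: a single skewed source is outvoted and surfaces as an outlier, an even split refuses to pick a time at all, and a skewed majority wins the vote while the honest source is flagged. That last case is why source comparison is only a partial mitigation and why authenticated time (NTS) matters: the check can detect disagreement, but it cannot tell a real signal from a spoofed one.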

Learn more about X-Force Red and our offensive security services here.
