When Liza Minnelli sang that famous tune, “Money makes the world go around,” she should have added one more word: time. Time makes the world go around. It’s that one agreed-upon part of life that the world shares. From laptops to phones to wall clocks to just about every other technology, time is everywhere, controlling our important life responsibilities. In cybersecurity, time is also critical. Event log files rely on time. Forensic investigations rely on time. Networks rely on time. In fact, Network Time Protocol (NTP) is one of the oldest internet protocols still in use.
So, imagine the impact if an attacker were to manipulate time. That’s the question our X-Force Red Global Hardware Hacking Lead Adam Laurie is diving into for his upcoming Black Hat Europe keynote presentation. I spoke to him ahead of his talk to get a better sense of what it will cover.
Abby: Thank you, Adam, for taking the time (wink, wink) to chat with me. This topic is unique. Why did you choose to explore it further?
Adam: Abby, everything relies on accurate timing. Transactions rely on time. Blockchain relies on time. Communication protocols and systems can’t operate without synchronized clocks because they use time windows for transmissions. If clocks are skewed, the transmissions will bump into each other and the whole thing breaks down. Time is at the center of our most important activities, which is why I thought it would be interesting to see how an attacker could manipulate time, and the type of impact it would have from a cybersecurity perspective.
Abby: Which cybersecurity processes do you think would be most impacted by an attacker skewing time?
Adam: Initially, I had thought that forensic investigations might be some of the biggest ones. When you investigate an incident, you look through the event logs within a certain time window to put the pieces together on when unusual activity occurred. For example, if an incident happened on a Thursday night, you might look through the events that took place the week prior to see if you could spot unusual activity. Now let’s say an attacker skewed the clocks so all the activity got incorrectly logged as occurring many days or weeks before it. You would never see the events that were logged before the incident really occurred, and, in some cases, may not even realize you were looking at entirely the wrong window of time. However, the more I looked at this the more I realized that real-time issues are far greater and more challenging to resolve.
Abby: What are some ways that criminals could ‘attack’ real time?
Adam: Accurate time derived from atomic clocks gets distributed in various ways, the main ones being network (NTP), satellite (GPS), RF (MSF/DCF/WWV, etc.) and GSM. If one looks skewed, I can still rely on two or more of the others, looking for consensus that indicates they are still in sync and accurate. But what if a criminal could attack a majority? They could sit outside your building and manipulate the satellite clock by spoofing or jamming the very weak radio signals, which would then mess up your GPS clocks. You can do the same for RF clocks. What is the response to that? Is there any defense against that?
The problem is that there is currently no way to identify a ‘real’ time signal from a spoofed one. In the U.K., we have a system called MSF which is an RF signal transmitted by the National Physical Laboratory that can be received anywhere in the U.K. Other countries have their own variants. The transmitter is connected to an atomic clock, but it’s just beeps and boops. Nothing validates the signal. There is no handshake. It’s a one-way broadcast transmission. If I sit outside your facility and override that signal, I can make your RF clock show any time I like and if that clock feeds into your local network time via your own ‘secure’ NTP server then I’ve potentially altered your vision of ‘correct’ time.
Abby: What can happen if we don’t secure time?
Adam: In the worst-case scenario, a bad actor could executive a massive denial-of-service (DOS) attack against our banking, telecommunications and other vital systems.
Abby: I would imagine securing time isn’t a new concept? Why haven’t we seen more presentations and discussions about it?
Adam: There have been previous attempts to work around this problem by adding encryption and/or authentication to NTP itself, but there were issues with scalability and implementation. Surprisingly, securing NTP properly, from an RFC (Request for Comments) standpoint is a relatively new occurrence. RFC is the system by which the Internet agrees on standards. If you needed to know how a protocol works, for example, you would view the RFC, and work forward from there. It shows how the protocol and parameters were agreed upon. The first RFC for NTP was back in the early eighties, but the secure time (NTS) RFC was only published in 2020, so it is pretty new.
Abby: Thank you, Adam. If you want to learn more about the potential threats against time and how it can be better secured, watch Adam’s keynote at Black Hat Europe! Details can be found here.
Learn more about X-Force Red and our offensive security services here.
Associate Partner, X-Force Red