When Liza Minnelli sang that famous tune, “Money makes the world go around,” she should have added one more word: time. Time makes the world go around. It’s that one agreed-upon part of life that the world shares. From laptops to phones to wall clocks to just about every other technology, time is everywhere, controlling our important life responsibilities. In cybersecurity, time is also critical. Event log files rely on time. Forensic investigations rely on time. Networks rely on time. In fact, Network Time Protocol (NTP) is one of the oldest internet protocols still in use.

So, imagine the impact if an attacker were to manipulate time. That’s the question our X-Force Red Global Hardware Hacking Lead Adam Laurie is diving into for his upcoming Black Hat Europe keynote presentation. I spoke to him ahead of his talk to get a better sense of what it will cover.

Abby: Thank you, Adam, for taking the time (wink, wink) to chat with me. This topic is unique. Why did you choose to explore it further?

Adam: Abby, everything relies on accurate timing. Transactions rely on time. Blockchain relies on time. Communication protocols and systems can’t operate without synchronized clocks because they use time windows for transmissions. If clocks are skewed, the transmissions will bump into each other and the whole thing breaks down. Time is at the center of our most important activities, which is why I thought it would be interesting to see how an attacker could manipulate time, and the type of impact it would have from a cybersecurity perspective.

Abby: Which cybersecurity processes do you think would be most impacted by an attacker skewing time?

Adam: Initially, I had thought that forensic investigations might be some of the biggest ones. When you investigate an incident, you look through the event logs within a certain time window to put the pieces together on when unusual activity occurred. For example, if an incident happened on a Thursday night, you might look through the events that took place the week prior to see if you could spot unusual activity. Now let’s say an attacker skewed the clocks so all the activity got incorrectly logged as occurring many days or weeks before it. You would never see the events that were logged before the incident really occurred, and, in some cases, may not even realize you were looking at entirely the wrong window of time. However, the more I looked at this the more I realized that real-time issues are far greater and more challenging to resolve.

Abby: What are some ways that criminals could ‘attack’ real time?

Adam: Accurate time derived from atomic clocks gets distributed in various ways, the main ones being network (NTP), satellite (GPS), RF (MSF/DCF/WWV, etc.) and GSM. If one looks skewed, I can still rely on two or more of the others, looking for consensus that indicates they are still in sync and accurate. But what if a criminal could attack a majority? They could sit outside your building and manipulate the satellite clock by spoofing or jamming the very weak radio signals, which would then mess up your GPS clocks. You can do the same for RF clocks. What is the response to that? Is there any defense against that?

The problem is that there is currently no way to identify a ‘real’ time signal from a spoofed one. In the U.K., we have a system called MSF which is an RF signal transmitted by the National Physical Laboratory that can be received anywhere in the U.K. Other countries have their own variants. The transmitter is connected to an atomic clock, but it’s just beeps and boops. Nothing validates the signal. There is no handshake. It’s a one-way broadcast transmission. If I sit outside your facility and override that signal, I can make your RF clock show any time I like and if that clock feeds into your local network time via your own ‘secure’ NTP server then I’ve potentially altered your vision of ‘correct’ time.

Abby: What can happen if we don’t secure time?

Adam: In the worst-case scenario, a bad actor could executive a massive denial-of-service (DOS) attack against our banking, telecommunications and other vital systems.

Abby: I would imagine securing time isn’t a new concept? Why haven’t we seen more presentations and discussions about it?

Adam: There have been previous attempts to work around this problem by adding encryption and/or authentication to NTP itself, but there were issues with scalability and implementation. Surprisingly, securing NTP properly, from an RFC (Request for Comments) standpoint is a relatively new occurrence. RFC is the system by which the Internet agrees on standards. If you needed to know how a protocol works, for example, you would view the RFC, and work forward from there. It shows how the protocol and parameters were agreed upon. The first RFC for NTP was back in the early eighties, but the secure time (NTS) RFC was only published in 2020, so it is pretty new.

Abby: Thank you, Adam. If you want to learn more about the potential threats against time and how it can be better secured, watch Adam’s keynote at Black Hat Europe! Details can be found here.

Learn more about X-Force Red and our offensive security services here.

More from Offensive Security

X-Force identifies vulnerability in IoT platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

When the absence of noise becomes signal: Defensive considerations for Lazarus FudModule

7 min read - In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Containers, Security, and Risks within Containerized Environments

4 min read - Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan. In older approaches to application development, a developer would have a targeted system or set of systems for which they intend to create an application. This targeted system would be the mall. Then, when building the application, they would…

How to Keep Your Secrets Safe: A Password Primer

5 min read - There are two kinds of companies in the world: those that have been breached by criminals, and those that have been breached and don't know it yet. Criminals are relentless. Today’s cyberattacks have evolved into high-level espionage perpetrated by robust criminal organizations or nation-states. In the era of software as a service (SaaS), enterprise data is more likely to be stored on the cloud rather than on prem. Using sophisticated cloud scanning software, criminals can breach an enterprise system within…