Last month two Chinese researchers gave a presentation titled “Time is on my Side” during the “Hack in The Box” 2016 SecConf event in Amsterdam, NL (https://conference.hitb.org/hitbsecconf2016ams/) . In this presentation, the researchers outlined a way to attack NTP servers by spoofing AM and GPS radio signals which are used as the time reference by most NTP server appliances on the market today.
Description of the Attack
The attack as described by Yuwei Zheng and Haoqi Shan of Qihoo360 “Unicorn Team” based on sending out a modified radio signal using SDR technology. Because all major time signals including JJY, WWVB, DCF77, MSF as well as GNSS signals like GPS, GLONASS and Beidou/COMPASS come without encryption and authentication, the only challenge for a potential attacker is the (re)ǵeneration of the radio signal itself. Although several NTP server vendors and their products (including Meinberg and their LANTIME product family) have been mentioned in the presentation, the researchers confirmed that they did not carry out attacks against these actual products, because they are too expensive to buy them just for carrying out tests. Unfortunately, Meinberg has not been contacted in order to provide details about the attack and there was no request for a loan device or a demo unit to help the researchers to find out whether the attacks would be successful when they are carried out against real world products instead of self designed so-called prototypes of NTP servers. We are currently trying to contact the authors of the presentation to find out if there is a way to cooperate and find out what the impact of this attack method is on Meinberg products.
Radio time signal facts
Every receiver that decodes a time signal from a reference transmitter is likely to be affected by this approach, as there is no real possibility to verify whether a signal actually is the real thing(tm) or a manipulated version of it. However, not every NTP server reads out the time from its receiver and directly changes its own internal clock with no integrity and sanity checks at all. As the researchers rightly pointed out, the reference implementation of NTP maintained by the Network Time Foundation has a protection mechanism called the panic threshold. Per default this parameter is set to 1000 seconds, meaning that a sudden time step of a reference larger than 1000 seconds will cause the NTP daemon process to stop itself. This prevents it from responding to NTP queries and sending the wrong time to clients.
The researchers however failed to mention that this value can be changed in every’s NTP configuration file by using the “tinker panic” configuration directive. This, by the way, also applies to the client configuration as long as the clients use the reference implementation of NTP which is part of almost all Linux/Unix OS distributions and which can be downloaded for free from our website for Windows machines. Lowering the limit to a smaller value will make it harder to skew the time of your NTP servers with radio clock receivers, but it will not completely protect you against this attack. The best protection against this specific attack is what we call source diversity, i.e. having multiple references and use NTP’s “majority vote” algorithm to filter out the outliers.
A lot of our customers use combinations of GPS, GLONASS, Beidou, DCF77, WWVB, JJY and feeds from public NTP servers of the national metrology labs like NPL in the UK, NIST in the US or PTB in Germany. Either they compare all these sources of time by monitoring them and raise an alarm if one of these sources jumps to a different time or they simply let NTP do its thing and put all the available references into their clients’ configuration file, allowing each of them to simply filter out the one manipulated NTP server without any impact on their time synchronization at all.
Actually, our LANTIME appliances are available with two integrated radio receivers, for example a GPS and a DCF77 receiver. These models with redundant receiver configurations can make use of the SHS (“Secure Hybrid System”) feature built into our V6 firmware. When this feature is enabled, the system will continuously compare the time of both signals with each other and, if they differ by a configurable time (e.g. 100 miliseconds), a warning is sent out and optionally the NTP service can be stopped to prevent the system from distributing wrong (manipulated) time.
Yes, you can still attack such a scenario by manipulating a majority of the sources at all locations where the NTP servers are installed, but carrying out a global attack by generating multiple different radio time signals in New York, Frankfurt, London and Singapore at the same time is increasing the cost of such an attack dramatically and it is far from the simplicity of the demonstrated attack. As with all potential security attack vectors it is a question of what kind of benefit will a potential attacker gain. If the financial price for an attack is well below this potential gain, it will be carried out. Therefore, in my opinion any protection measure increasing the cost of an attack is going to reduce the likelihood of that attack actually happening.
Meinberg products have been specifically mentioned by the security researchers as an example for NTP appliances on the markets that are affected by their demonstrated attack. However, they admitted in their presentation that they did not use our products in their tests. We believe this is not fair and we would have hoped that they would have contacted us, which they chose not to do. The fact that Meinberg is one of the very few NTP appliance vendors actually providing security updates and publishing security advisories should be an indication that our company is taking security seriously. We will therefore continue to improve the security and robustness of our NTP (and PTP) solutions, being the fastest to respond to new vulnerabilities and threats with security advisories and updates for our users.
If you have questions regarding the cyber security of your Meinberg product, need advise to set up your client configuration or have a comment, please contact your Meinberg Technical Support.
- Server Solutions “leave a comment”
- Server “leave a comment”
- dcf77 encryption