Setting your network's clocks from the Internet:
How safe is that?
Posted July 12, 2018 by Marc Abel
You're probably near at least one device which shows the time in a small area of its screen. The smallness of this display can mislead us to think that its correctness is a small detail. And sometimes that's true; the elder President Bush once said in a commencement address that he hadn't figured out how to get his VCR to stop flashing 12:00. But the time you see in the corner connects with a lot more than giving you a convenient place to check if dinner should be ready.
Attackers have been mis-setting computer clocks to facilitate break-ins for decades. During the Reagan presidency, someone I knew used a hardcoded password to break into a DEC VAX at a Big Ten research university. He was thrilled with his new administrative privileges, but was having a problem because the compromised password was due to expire in three days. Unable to extend his access, he worked around the issue by setting the system clock back exactly one year, hoping the change would go unnoticed for a time. He succeeded.
Today's systems are so trusting of their time accuracy, that irregularities can cause wide-reaching problems. Access to systems can be granted or revoked, claims paid or denied, air schedules changed, ships mispositioned, intrusion logs confused, backups corrupted, and records falsified on the basis of what a clock might be set to. Most applications don't even bother checking with the host operating system whether the clock has been synchronized at all, even though that information is readily available. An attacker can even forge someone's identity by setting a clock back to 2014, a time when thousands of defective SSL certificates were honored as a result of the Debian Heartbleed vulnerability.
If an attacker could mis-adjust the clocks by 0.0083 seconds at half of the electric generating plants in the United States, she can short out most of the grid.
Let's not worry about the electrical grid at the moment, because it's my belief that the utilities are more than typically careful with their time regulation. I've been in more than one utility's control center, and my presence wasn't for a tour. But what about our organizations, yours and mine? Here is what one usually finds:
- clocks not present
- clocks never set
- clocks not set since installation
- sometimes somebody sets some clocks
- clocks synchronized to a single Internet time server
- time derived from a few Internet time servers
- time derived from Global Positioning Satellites (GPS)
- on-site rubidium or cesium frequency standards
For some scenarios, the best clock security can be one of the first three choices, particularly if a strict leave all clocks alone policy is implemented to ensure time only moves forward. This doesn't easily facilitate recordkeeping, auditing, authentication, or coordination, but it works well for many toasters and dishwashers.
The fourth option is common for simple non-networked equipment, locations without ongoing Internet access, and configurations that unintentionally do not synchronize clocks. Far less common is for someone to choose this option for security reasons, although this is how I do things in-house for Wakefield. I'll say more about where this works well further on.
Most operating system vendors nudge you into using a specific Internet time source, and although there are a great number of operators to choose from, most operating systems provide their own online time sources to the world at no charge. By doing so, these vendors provide yet one more way to cause your machine to call home to them, giving them a little nugget of tracking and telemetry information under the guise of added value.
There are even third parties who hope you'll use their advertised time service instead, sometimes even incorporating purposeful deviations from internationally agreed standards of time, and recommending that you use their service exclusively. This does offer some technical advantages, but realize there are commercial motivations behind such freebies. (And don't do this if you supply power to the electric grid!)
Things get sophisticated at option 6, which uses Network Time Protocol (NTP) to meticulously compare a number of documented time sources. NTP has many checks, balances, computations, validations, and security features intended to produce a rock-steady, highly available time reference of known closeness to Universal Coordinate Time. Its security-hardened successor, NTPSec, is currently in beta testing.
On many operating systems, you can install and start NTP with a single command, and time servers will be selected at random from a pool of volunteers and periodically rotated. The question here becomes whether or not you know what is running. NTP has a complex array of options and features for a system that will typically run for years without adjustment. So a typical administrator is not going to be knowledgeable of most of these options, recent bugs, or new issues of the software. And the news gets worse from there; the reference implementation of NTP has 385,000 lines of code as of version 4.2.8, so there are mountain ranges of complexity for vulnerabilities to hide and security audits to get very expensive. NIST's National Vulnerability Database catalogs hundreds of NTP-related vulnerabilities. Notwithstanding these difficulties, NTP has been the primary method for online time handling for decades and will likely remain so.
An increasingly popular choice for accurate time is the GPS satellite constellation used for navigation. Organizations can choose between commodity receivers costing less than $50 up to commercial rack-mounted solutions with roof-mounted antennas, with the calculated time at the client's location within as few as two nanoseconds of the U.S. Naval Observatory's time. But the non-military portion of the GPS signal carries no authentication, so it's not conceptually difficult for an attacker to beam an incorrect time into your antenna. Here too your vendor has probably built in some safeguards, but you should be aware there is an attack surface.
In wartime the GPS constellation can be taken out by an adversary, and I can't rule out the possibility that a simple government shutdown would not impact service. Although critical infrastructure is supposed to be maintained during U.S. shutdowns, there have been some observations to the contrary within cybersecurity circles.
Item 8 is the ultimate set-and-forget alternative, where your organization purchases one or more atomic clocks. I don't mean the "atomic clocks" you have on your wall at home; those are ordinary clocks that set themselves from radio signals that emanate from real atomic clocks. What's meant here is the purchase of devices containing rubidium or cesium frequency standards. You set the time when you install it, and 1,000 years later it's off by less than two seconds (or even closer if you need better).
One reason real atomic clocks are widely used is because of their low cost. They can cost thousands more than a Big Mac, but you don't have to pay an administrator to unravel the uncertainties of Network Time Protocol, you don't need an outdoor antenna exposed to snowfall or hurricanes, and microwave cavities don't require security patches. And if your budget it really tight but you're electronically gifted, eBay can hook you up with a used rubidium oscillator for well under $200. All you have to do is build your own clock, as 14-year-old Ahmed Mohamed famously did while Barack Obama was in office.
I love measuring instruments and would have fun with a rubidium standard at Wakefield, but it turns out that option 4 is accurate enough and hopefully secure enough for use within this company. What you might not know is that although your computer clock does drift, many operating systems can automatically compensate for the drift once you measure it. The temperature at Wakefield's datacenter is maintained within a narrow range, so the CMOS clock of an ordinary Dell tower can operate with less than a tenth of a second of drift per day. I set the clock on this single machine, and let another half dozen systems set their own clocks from that.
Over time, I will be able to update this post to say how well Wakefield's clocks do as seasons change. In the meantime, there is a route for an outsider to infer how well these clocks are tracking. You are welcome to snoop on my clocks if you can figure out how.
Option 4 is not an all-or-nothing proposition: there exist very cheap oven-controlled crystal oscillators (OCXOs) that are far more accurate than commodity Dell PCs, without having to invest in rubidium frequency standards. Less than $50 will buy you a standard that's stable to better than one second per year, but you'll have to build a clock around it.
Options 5, 6, and 7 aren't all-or-nothing propositions either; a system that gets the current time from the Internet or satellite and then asks a human for permission to make a specific, one-time adjustment to your clock is an approach that can keep highly accurate time without opening your systems to potential adversaries.