Modern field guide to security and privacy

Researchers reveal how attackers could turn back Internet time

Boston University researchers discovered vulnerabilities in the ubiquitous computing protocol that keeps time synched across networks, opening up critical operations such as air traffic control to attacks.

Brian Snyder/Reuters

Boston University researchers discovered multiple vulnerabilities in Network Time Protocol (NTP), one of the oldest and most important standards on the Internet.

Introduced 30 years ago, NTP ensures times are synchronized across networks – a key component of business transactions, encryption, and even logging in or out of websites. Attacks over the protocol could throw off industrial computers that need to coordinate systems including air traffic control, prevent financial transactions from being properly recorded, or sidestep commonly used forms of Internet security.

"We were surprised no one noticed these before," said Sharon Goldberg, an associate professor at Boston University who, alongside graduate student Aanchal Malhotra and undergraduate Isaac Cohen, discovered the three NTP vulnerabilities. The paper, released Wednesday, is available here.

NTP is so ubiquitous that most people who use computers rely on it without realizing it. It's important because Web browsers such as Safari or Chrome rely on a system of certificates to verify that a website claiming to be, for instance, is actually If those certificates are compromised, they can be revoked – but only until the certificate expires. Turning back the clock on users' computer is effectively a way to convince computers that an expired – and possibly compromised – certificate is still valid.

The most problematic NTP vulnerability affects a safety feature known as "the kiss-o’-death packet" (KOD), introduced nearly a decade ago. The KOD is a server’s self-defense mechanism against computers that request the time more often than a predetermined rate, either as a malicious attempt to clog traffic or during a malfunction. The packet tells a computer to stop requesting the time for a certain waiting period, which is designed to be set between two seconds and around 36 hours – although the Boston University team found that waiting period could be set much higher without the computer checking. 

But the NTP system does not do a good job verifying what system sent the KOD packet. And, since the attack only requires a small amount of data to be sent, an attacker could relatively quickly scan and disable entire networks of computers’ access to any or all NTP servers.

"When you look at the conversations from when the kiss-o’-death was being developed," Goldberg said, "developers were mostly worried about whether or not anyone would bother to listen to the kiss-o’-death packet – people weren’t sure if someone intentionally abusing an NTP server would stop if a server asked it to. They were not worried about security."

The Boston University team worked with a number of groups to develop patches for the KOD error, including the Network Time Foundation (which hosts the main template for NTP), and companies like Cisco, NTPsec, and RedHat, which use NTP in their products. Those patches are now available through the software manufacturers using NTP.

The KOD attack is especially dangerous, because it does not require much technical skill or equipment to pull off, says Goldberg. But the Boston University team also identified two other attacks which sophisticated attackers could use to change the time on victims’ computers. 

Computers can usually weed out NTP times that are clearly fake because they have internal clocks that are not perfectly accurate, but don’t go too far awry. NTP is designed with a safety valve to prevent a clock from being reset more than 15 minutes beyond what time it thinks it is. But when computers boot up, most operating systems turn off that safety valve. That makes some sense – computers are often off for extended periods of time, and are often more than 15 minutes out of whack. In that instance, the Boston University team found that they could reset the time however they pleased.

This is not the first time vulnerabilities have been reported in NTP – a problem found a year ago lead to the first automatic update in Apple’s history – but for a 30-year-old protocol it is generally considered secure. 

"To say it’s never going to have an issue is wrong," said Eric Dube, a principal product manager at Red Hat who works with NTP. "But all protocols are vulnerable to some degree. This one is pretty robust. And the NTP community is extremely good about taking problems seriously and getting them patched."

Correction: The original version of this article used the incorrect name for the Network Time Foundation. It has been changed. 


You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Researchers reveal how attackers could turn back Internet time
Read this article in
QR Code to Subscription page
Start your subscription today