Boston University researchers discovered multiple vulnerabilities in Network Time Protocol (NTP), one of the oldest and most important standards on the Internet.
Introduced 30 years ago, NTP ensures times are synchronized across networks – a key component of business transactions, encryption, and even logging in or out of websites. Attacks over the protocol could throw off industrial computers that need to coordinate systems including air traffic control, prevent financial transactions from being properly recorded, or sidestep commonly used forms of Internet security.
"We were surprised no one noticed these before," said Sharon Goldberg, an associate professor at Boston University who, alongside graduate student Aanchal Malhotra and undergraduate Isaac Cohen, discovered the three NTP vulnerabilities. The paper, released Wednesday, is available here.
NTP is so ubiquitous that most people who use computers rely on it without realizing it. It's important because Web browsers such as Safari or Chrome rely on a system of certificates to verify that a website claiming to be Amazon.com, for instance, is actually Amazon.com. If those certificates are compromised, they can be revoked – but only until the certificate expires. Turning back the clock on users' computers is effectively a way to convince those computers that an expired – and possibly compromised – certificate is still valid.
The most problematic NTP vulnerability affects a safety feature known as "the kiss-o’-death packet" (KOD), introduced nearly a decade ago. The KOD is a server’s self-defense mechanism against computers that request the time more often than a predetermined rate, either as a malicious attempt to clog traffic or during a malfunction. The packet tells a computer to stop requesting the time for a certain waiting period, which is designed to be set between two seconds and around 36 hours – although the Boston University team found that waiting period could be set much higher without the computer checking.
But the NTP system does not do a good job of verifying which system sent the KOD packet. And, since the attack only requires a small amount of data to be sent, an attacker could relatively quickly scan entire networks of computers and cut off their access to any or all NTP servers.
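The defensive side of the two points above (the unverified sender of a KOD packet and the unchecked waiting period) comes down to what an NTP client does when a kiss-o'-death response arrives. The following is an added example written for this article, not code from the Boston University team, the Network Time Foundation or any NTP implementation. It parses the standard 48-byte NTP header from RFC 5905, recognises a kiss-o'-death packet (stratum 0 with an ASCII kiss code such as "RATE" in the reference-ID field), and applies two client-side checks: the packet's origin timestamp must echo the transmit timestamp of a request the client actually sent, and the requested waiting period (2 to the power of the poll field, in seconds) is capped. The cap of 2^17 seconds (about 36 hours) is an assumption taken from the range the article describes; the sample packets are constructed test data built by the `build_sample_kod` helper, and nothing is sent on the network.

```python
import struct
from dataclasses import dataclass

# RFC 5905 header: LI/VN/mode, stratum, poll, precision, root delay, root dispersion,
# reference ID, then reference / origin / receive / transmit timestamps (8 bytes each).
NTP_HEADER = struct.Struct("!BBbbII4s8s8s8s8s")  # 48 bytes

MODE_SERVER = 4
MAX_POLL_EXP = 17  # assumption: 2**17 s ~ 36 h, the upper end of the range in the article


@dataclass
class KodVerdict:
    is_kod: bool
    kiss_code: str
    wait_seconds: int   # waiting period the client will actually honour
    accepted: bool
    reason: str


def parse_ntp_packet(raw: bytes) -> dict:
    """Unpack the fixed NTP header into named fields; raises on short input."""
    if len(raw) < NTP_HEADER.size:
        raise ValueError(f"NTP packet too short: {len(raw)} bytes")
    (li_vn_mode, stratum, poll, precision, root_delay, root_disp,
     refid, ref_ts, orig_ts, recv_ts, xmt_ts) = NTP_HEADER.unpack(raw[:NTP_HEADER.size])
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "poll": poll,
        "refid": refid,
        "orig_ts": orig_ts,
        "xmt_ts": xmt_ts,
    }


def evaluate_kod(raw: bytes, expected_origin: bytes, max_poll_exp: int = MAX_POLL_EXP) -> KodVerdict:
    """Decide whether a server response is a kiss-o'-death the client should obey.

    expected_origin is the transmit timestamp of the client's own outstanding request;
    a genuine reply copies it into the origin timestamp field, so a mismatch means the
    packet was not solicited by us and is ignored.
    """
    pkt = parse_ntp_packet(raw)
    if pkt["mode"] != MODE_SERVER or pkt["stratum"] != 0:
        return KodVerdict(False, "", 0, True, "not a kiss-o'-death packet")
    kiss = pkt["refid"].decode("ascii", errors="replace")
    if pkt["orig_ts"] != expected_origin:
        return KodVerdict(True, kiss, 0, False,
                          "origin timestamp does not match our last request; treating as spoofed")
    # Poll is a signed exponent; negative values would give sub-second waits, so floor at 0.
    requested = 2 ** max(pkt["poll"], 0)
    cap = 2 ** max_poll_exp
    if requested > cap:
        return KodVerdict(True, kiss, cap, True,
                          f"requested wait {requested}s exceeds cap; clamped to {cap}s")
    return KodVerdict(True, kiss, requested, True, "genuine kiss-o'-death; honouring wait")


def build_sample_kod(kiss: bytes, poll: int, origin: bytes) -> bytes:
    """Constructed test data only: a mode-4, version-4, stratum-0 response carrying a kiss code."""
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_SERVER
    zero_ts = b"\x00" * 8
    return NTP_HEADER.pack(li_vn_mode, 0, poll, 0, 0, 0, kiss, zero_ts, origin, zero_ts, zero_ts)


# Constructed transmit timestamp standing in for the client's last request.
OUR_ORIGIN = b"\xdc\x00\x00\x00\x00\x00\x00\x01"

if __name__ == "__main__":
    for label, pkt in [
        ("genuine RATE, poll 10", build_sample_kod(b"RATE", 10, OUR_ORIGIN)),
        ("unsolicited RATE, poll 30", build_sample_kod(b"RATE", 30, b"\x00" * 8)),
        ("genuine RATE, poll 30", build_sample_kod(b"RATE", 30, OUR_ORIGIN)),
    ]:
        print(label, "->", evaluate_kod(pkt, OUR_ORIGIN))
```

The origin-timestamp comparison is the check that makes unsolicited packets fail, and the cap turns an oversized poll exponent into a bounded pause rather than an open-ended outage; a real client would additionally rate-limit how often it accepts kiss-o'-death from any one server and log the clamped cases.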
"When you look at the conversations from when the kiss-o’-death was being developed," Goldberg said, "developers were mostly worried about whether or not anyone would bother to listen to the kiss-o’-death packet – people weren’t sure if someone intentionally abusing an NTP server would stop if a server asked it to. They were not worried about security."
The Boston University team worked with a number of groups to develop patches for the KOD error, including the Network Time Foundation (which hosts the reference implementation of NTP), and companies like Cisco, NTPsec, and Red Hat, which use NTP in their products. Those patches are now available through the software manufacturers using NTP.
The KOD attack is especially dangerous because it does not require much technical skill or equipment to pull off, said Goldberg. But the Boston University team also identified two other attacks which sophisticated attackers could use to change the time on victims’ computers.
Computers can usually weed out NTP times that are clearly fake because they have internal clocks that are not perfectly accurate, but don’t go too far awry. NTP is designed with a safety valve to prevent a clock from being reset more than 15 minutes beyond what time it thinks it is. But when computers boot up, most operating systems turn off that safety valve. That makes some sense – computers are often off for extended periods of time, and are often more than 15 minutes out of whack. In that instance, the Boston University team found that they could reset the time however they pleased.
This is not the first time vulnerabilities have been reported in NTP – a problem found a year ago led to the first automatic update in Apple’s history – but for a 30-year-old protocol it is generally considered secure.
"To say it’s never going to have an issue is wrong," said Eric Dube, a principal product manager at Red Hat who works with NTP. "But all protocols are vulnerable to some degree. This one is pretty robust. And the NTP community is extremely good about taking problems seriously and getting them patched."
Correction: The original version of this article used the incorrect name for the Network Time Foundation. It has been changed.