#BHEU: Can Time Be Hacked?

Time synchronization is a fragile ecosystem that is vulnerable to hacking, with the potential to cause enormous damage. This was the message of Adam Laurie, global associate partner and leading hardware hacker at IBM X-Force Red, during the keynote address on the second day of Black Hat Europe 2021.

Laurie pointed out that time has been a source of fascination for centuries and is the basis of the scientific theories of Isaac Newton and Albert Einstein. Nowadays, accurate, centralized time is crucial to the functioning of a number of important industries. These include navigation, forensics (who did what when), cryptocurrency and blockchain (proof of work) and transportation (trains, planes and cars). “You can go on and on, almost everything depends on it,” Laurie said.

To further emphasize this, he highlighted a 2017 report from the United Kingdom estimating the cost of a failure of the time synchronization system to be £1 billion a day. Laurie noted that this would dwarf even the financial cost of COVID-19. That is why this issue has attracted the attention of the government and large industry.

Worryingly, there is currently a huge reliance on GPS for time synchronization, even though it was never intended to be the de facto standard for everything. This reliance is due to GPS being cheap and readily available. However, if there is damage to the satellite, it will create an “existential threat to the entire ecosystem, because everyone is returning to the same point,” Laurie said.

He cited another report, from 2020, which recommends diversifying the sources of time to prevent a single point of failure. However, Laurie pointed out that many of the proposed alternative models, such as telecommunications networks, “are simply synchronized back to GPS.”
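The diversification argument above can be expressed as a cross-check that gives each independent upstream reference one vote, so that several sources which all synchronize back to GPS cannot outvote the rest. This is an added example, not code from the talk or the reports; the source names, root labels, offsets and tolerance are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Reading:
    source: str      # device or service that reported the time
    root: str        # upstream reference it ultimately derives from
    offset_s: float  # reported time minus local clock, in seconds

def collapse_by_root(readings):
    """One vote per independent root: the median offset of its sources."""
    groups = {}
    for r in readings:
        groups.setdefault(r.root, []).append(r.offset_s)
    return {root: median(vals) for root, vals in groups.items()}

def assess(readings, tolerance_s=1.0):
    """Cross-check roots and flag any that disagree with the consensus."""
    by_root = collapse_by_root(readings)
    consensus = median(by_root.values())
    suspects = sorted(root for root, off in by_root.items()
                      if abs(off - consensus) > tolerance_s)
    return {
        # Counting every source equally lets a shared root dominate.
        "naive_consensus_s": median(r.offset_s for r in readings),
        "root_consensus_s": consensus,
        "independent_roots": len(by_root),
        "suspect_roots": suspects,
        # With fewer than three roots a disagreement is visible but
        # there is no majority to say which side is wrong.
        "can_outvote": len(by_root) >= 3,
    }

# Constructed sample: three "different" sources that all derive from GPS
# report a one-hour error; two other roots agree with the local clock.
SAMPLE = [
    Reading("gps_receiver", "GPS", 3600.0),
    Reading("telecom_network", "GPS", 3600.0),
    Reading("ptp_grandmaster", "GPS", 3600.0),
    Reading("ntp_server", "NTP", 0.02),
    Reading("radio_clock", "MSF", 0.05),
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```
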

Numerous real-world synchronization failures have highlighted the fragility of relying on GPS. An example highlighted by Laurie happened in New York in 2019, when critical systems had not been updated by the time the clocks rolled over on April 6th. This caused damage to the city’s traffic light system that lasted nearly two weeks and caused chaos.

A real-world example of how easily GPS can be manipulated occurred when a delivery driver in Ontario, Canada, bought a cheap jamming device to hide his location from his bosses. Because he was close to an airport, “its jamming device not only hid their ability to track it, it actually stopped flights.” Given the scale of the accidental damage caused by a cheap GPS jammer, Laurie asked, “Can you go beyond that and actually cheat the GPS and create a different time signal?”

The answer is yes. For example, Laurie discovered an online SDR simulation package that can be used to “replace the parameters of the time transmitted on the plane and set the time you want. It will then create a script that will tweak satellites that appear visible to your local receiver, and the receiver will see the time you set, not the actual time.”

During the presentation, Laurie also gave a hacking demonstration against another source of time, low-frequency radio broadcasts, to show how easily these methods can be manipulated. He had two watches: one was synchronized with the UK atomic clock via the Network Time Protocol (NTP) and the other was radio-controlled, receiving an MSF signal, tuned every 10 minutes. “I was curious if I could cheat this signal,” he said, and he soon discovered that “people have written software” for this purpose. During the rest of the session, he used a software package to cancel out the broadcast signal and give the wrong time.

In conclusion, Laurie noted that society too often takes time for granted, even though the government and large industries are waking up to the fragility of the current ecosystem. There is an urgent need for cheap and easily accessible sources of synchronization, which must be secured as “attackers and their tools become more sophisticated.” Laurie added: “If you can cheat a signal and take a city’s GPS watch out of a powerful transmitter, that’s obviously a big deal.”