Computer scientists recently discovered a security problem with the software that synchronizes clocks on tens of millions of computers.
Don’t panic. They’ve fixed the vulnerability and described how they did it in a new paper.
Sharon Goldberg, an associate professor at Boston University, led the team that made the discovery. They say hackers could have used the vulnerability in the Network Time Protocol (NTP)—the software and rules that synchronize clocks on computers—to cripple the clock function of computers on the internet using a single attacking machine.
The team developed attacks that could alter the time on computer systems, compromising other applications, such as the encryption schemes that protect internet communications to bank websites. Other apps, from bitcoin systems to website authentication and login protocols, also could be breached.
“If NTP breaks, many other computing applications break as well,” says Goldberg.
Before posting the paper on her project’s website, Goldberg’s team worked with the Network Time Foundation, which maintains the NTP software, and with software firms like Cisco Systems and Red Hat, to plug the holes in the NTP code.
Goldberg says most computer users need not take corrective action, because their NTP software is routinely revised “via updates or patches to their operating systems.” She says operating systems “will be issuing patches that protect against our attacks, and other members of the Network Time Foundation are likely to do so as well.”
Experts needing to test their servers can consult the Goldberg team’s website for instructions.
“It is very likely that your laptop uses NTP to synchronize its clock to a time server somewhere out on the internet,” says Goldberg. “The encryption protocols that protect the information sent from your web browser to your bank’s website, for example, depend strongly on the accuracy of your computer clocks.”
The most serious potential attack found by Goldberg’s team involves the “kiss-o’-death packet,” a message that would prevent a computer system from communicating with its time server, possibly for years, essentially turning off NTP on the victim system.
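The kiss-o’-death reply described above is a normal NTP server packet with stratum 0 and a four-letter kiss code in the reference-ID field, and the standard defence against a forged one is the protocol’s origin-timestamp check: a client should only honour a reply (KoD or otherwise) whose origin timestamp echoes the transmit timestamp of the request it actually sent. The following is an added example written for this page, not code from the research team or from any NTP implementation; it parses the 48-byte NTP header, recognises a KoD, and applies that check to constructed sample packets.

```python
import struct
from dataclasses import dataclass

NTP_LEN = 48
MODE_SERVER = 4
# Kiss codes (RFC 5905 section 7.4): stratum 0 plus one of these in the refid marks a KoD.
KISS_CODES = {b"RATE", b"DENY", b"RSTR"}

@dataclass
class NtpPacket:
    mode: int
    stratum: int
    poll: int        # back-off exponent the server asks for (2**poll seconds)
    refid: bytes
    origin_ts: int   # raw 64-bit NTP timestamp echoed from the client's request

def parse_ntp(data: bytes) -> NtpPacket:
    """Decode the fields we need from the fixed 48-byte NTP header (RFC 5905)."""
    if len(data) < NTP_LEN:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum, poll, _precision = struct.unpack("!BBbb", data[:4])
    origin_ts = struct.unpack("!Q", data[24:32])[0]
    return NtpPacket(li_vn_mode & 0x07, stratum, poll, data[12:16], origin_ts)

def is_kiss_of_death(pkt: NtpPacket) -> bool:
    return pkt.mode == MODE_SERVER and pkt.stratum == 0 and pkt.refid in KISS_CODES

def classify_reply(data: bytes, last_xmt: int) -> str:
    """Return 'accept', 'kod' or 'drop', given our last request's transmit timestamp."""
    pkt = parse_ntp(data)
    if pkt.mode != MODE_SERVER:
        return "drop"
    # Origin-timestamp check: a genuine reply echoes the transmit timestamp of our own
    # request, which an off-path forger does not know; applying it to KoD replies too
    # is what keeps a blind KoD from silencing the client.
    if pkt.origin_ts != last_xmt:
        return "drop"
    return "kod" if is_kiss_of_death(pkt) else "accept"

def build_reply(stratum: int, refid: bytes, origin_ts: int, poll: int = 6) -> bytes:
    """Constructed NTPv4 mode-4 server reply, for local testing only."""
    head = struct.pack("!BBbb", (4 << 3) | MODE_SERVER, stratum, poll, -20)
    return head + bytes(8) + refid + struct.pack("!QQQQ", 0, origin_ts, 0, 0)

# Constructed sample traffic: the transmit timestamp of our last request, a genuine
# rate-limit KoD that echoes it, a forged KoD that cannot, and a normal reply.
LAST_XMT = 0xDA0F4F0012345678
GENUINE_KOD = build_reply(0, b"RATE", LAST_XMT)
FORGED_KOD = build_reply(0, b"RATE", 0)
NORMAL_REPLY = build_reply(2, b"\x0a\x00\x00\x01", LAST_XMT)
```

Calling `classify_reply` on the three samples yields "kod", "drop" and "accept" respectively; the forged KoD is discarded without ever reaching the kiss-code logic.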
“Timeshifting” attacks, in which a computer system’s time settings are altered, took longer to develop, she says, “because NTP is actually quite a complex protocol that has evolved over time.”
Goldberg says her team followed the standard “responsible disclosure” guidelines for researchers who uncover software vulnerabilities. That means alerting affected parties to the vulnerability and giving them a prescribed time to patch the problem, after which the researcher publicizes her work.
Goldberg sent Cisco an early draft of her team’s paper in August—she regularly briefs that firm on her research, she says, because it has funded her work and has hired several of her students—and the company was “instrumental in helping us coordinate the responsible disclosure of our research results.”
Source: Boston University