Time is on my side -...
49
Forging Wireless Timing Signals to Attack the NTP Server Time is on my side Time is on my side 1 Yuwei Zheng @HITB Haoqi Shan @HITB From: Qihoo360 Unicorn Team
Transcript of Time is on my side -...
ForgingWirelessTimingSignalstoAttacktheNTPServer
Timeisonmyside
Timeisonmyside1
Yuwei Zheng @HITBHaoqi Shan @HITBFrom: Qihoo360 Unicorn Team
Maincontents
Timeisonmyside
• AbouttheNTPserver• TheNTPstratummode• Thereferenceclock• Forge radio clock signals• Forge GPS clock signals• AttackNTPserver
2
AboutNTPserver
Timeisonmyside
• Aserverforcomputertosynchronizetime.
3
AboutNTPserver
Timeisonmyside
• CriticalIndustriesthatuseNTPservers
4
TheNTPstratummode
Timeisonmyside
• Stratum0Referenceclocks• Stratum1Primarytimeservers• Stratum2• Stratum3…• Stratum16
5
AbouttheNTPserver
Timeisonmyside
• NTPserversaredeployedwithopensourceNTPv4
6
Thereferenceclock
Timeisonmyside
• ReferenceClockDriversintheopensourceNTPv4Type2Deprecated: wasTrak 8820GPSReceiverType3PSTI/Traconex 1020WWV/WWVHReceiver(WWV_PST)Type4Spectracom WWVB/GPSReceivers(WWVB_SPEC)Type5TrueTimeGPS/GOES/OMEGA Receivers(TRUETIME)Type6IRIGAudioDecoder(IRIG_AUDIO)Type7RadioCHUAudioDemodulator/Decoder(CHU)…Type39hopf GPS/DCF776039forPCI-Bus(HOPF_P)Type40JJYReceivers(JJY)Type41TrueTime 560IRIG-BDecoderType42ZyferGPStarplus ReceiverType43RIPENCCinterfaceforTrimblePalisadeType44NeoClock4X- DCF77/TDFseriallineType45Spectracom TSYNCPCIType46GPSDNGclientprotocol
7
Thereferenceclock
Timeisonmyside
Whydoesthestratum-1NTPserveruseradioclockandGPS?• Atomicclock,accurate,butexpensive• GPS• radioclock
8
Thereferenceclock
Timeisonmyside
• ReceivercardssupportedbyNTPV4
9
Thereferenceclock
Timeisonmyside
• Stratum1NTPserverproductforindustrialusing
10
Thereferenceclock
Timeisonmyside
• ItsupportsDCF77,MSF,WWVB,andGPS
11
Forgelongwavetimingsignals
Timeisonmyside
• DIYacircuittotransmitradioclocksignalssupportWWVB,JJY,DCF77,andMSF
12
WWVBencodingandmodulation
Timeisonmyside
• Different pulse width representdifferentdatabit
13
1 2 3 4t(s)
p
reduced
full
0.8s
marker 1 0 1
0.5s 0.5s0.2s
…
WWVBencodingandmodulation
Timeisonmyside
• 60Khzcarrier
14
WWVBencodingandmodulation
Timeisonmyside
• ASKmodulation
15
WWVBencodingandmodulation
Timeisonmyside
• Theframestructure
16
JJYencodingandmodulation
Timeisonmyside
Similar to the WWVB
17
1 2 3 4t(s)
p
reduced
full
0.8s
marker1 0 1
0.5s 0.5s0.2s
…
DCF77encodingandmodulation
Timeisonmyside
• SimilartoWWVB,itusesa 77.5hzcarrier
18
Longwavetimingsignaltransmitter
Timeisonmyside
• Usead9850DDSmoduletogeneratethecarrier
19
Longwavetimingsignaltransmitter
Timeisonmyside
• AboutAD9850DDSmodulesupportstooutput0-40Mhzwavesendsallradioclocksignalswithonecircuit
• Usearduino tocontrolad9850Ad9850seriallibraryforarduinohttps://github.com/F4GOJ/AD9850
20
Longwavetimingsignaltransmitter
Timeisonmyside
• AsimpleJJYtransmittervoidsendMark(){//Sendhighfor0.2secDDS.setfreq(freq,phase);delay(200);//Sendlowfor0.8secDDS.down();delay(800);return;
}
21
Longwavetimingsignaltransmitter
Timeisonmyside
• AsimpleJJYtransmittervoidsendBit1(){//Sendhighfor0.5secDDS.setfreq(freq,phase);delay(500);//Sendlowfor0.5secDDS.down();delay(500);return;
}
22
Longwavetimingsignaltransmitter
Timeisonmyside
• AsimpleJJYtransmittervoidsendBitZero(){//Sendhighfor0.8secDDS.setfreq(freq,phase);delay(800);//Sendlowfor0.2secDDS.down();delay(200);return;
}
23
Longwavetimingsignaltransmitter
Timeisonmyside
• GettheantennafromanJJYreceiver
L=1890uH.𝑓 = $
%& '(,for60khzcarrierC=3.6nF
Forthe77.5khzcarrier,C=2.2nF
24
Longwavetimingsignaltransmitter
Timeisonmyside25
• Thewholecircuitoftheuniformtransmitter
Longwavetimingsignaltransmitter
Timeisonmyside26
• LongdistancetransmitterDesignapoweramplifierwithMOSFETIR540.
AttackGPSNTPreceiver
Timeisonmyside
• GPSreceiver• GPStechbriefing• GenerateGPSsignal• Haveatry• Upgradeattackalgorithm
27
GPSreceiver
Timeisonmyside
• MultiplyConnection• PCI• USB• Serialport
28
GPStechbriefing
Timeisonmyside
• Complicatedprinciple• Butdoesn’tmatter,it’sopen-sourced• Defcon23“GPSSpoofing- LinHuang”
29
GPStechbriefing
Timeisonmyside30
Subframe 1 Subframe 2 Subframe 3 Subframe 4 Subframe 5
Time information Ephemeris
GenerateGPSsignal
Timeisonmyside31
Haveatry
Timeisonmyside32
Panic
Timeisonmyside33
Update attack algorithm
Timeisonmyside34
• Find GPSTime• Replace it• Re-ParityCheck
Setup an NTP server
HackingFemtocell
• Setup an NTP server using JJY as clocksource
35
server127.127.40.0mode1preferfudge 127.127.40.0flag1stratum0
Setup anNTPserver
Timeisonmyside
• ThisNTPserverwithJJYreferenceclock
36
Setup an NTP server(JJY)
HackingFemtocell37
AttacktheNTPserver
Timeisonmyside
• Canweinjectanytime?Thetimeoffsetmustbelessthan4hours.
• InjectatimethatisonehourslowthanrealtimeServercrashed!!!
38
AttacktheNTPserver
Timeisonmyside
• Canweinjectanytime?Ifthetimeoffsetismorethan1000s,theserverwillshutdown.
39
AttacktheNTPserver
Timeisonmyside
• Canweinjectanytime?theoffset>1000s,requiremanuallyadjust
40
Root Dispersion
HackingFemtocell41
RFC5905
Attack Demo
Timeisonmyside42
Real Attack?
Time is on my side43
Real Attack?
Time is on my side44
Real Attack?
Time is on my side45
Real Attack?
Time is on my side46
Real Attack?
Time is on my side
• Sensitive & expensive
47
References
Timeisonmyside
•“GPS Spoofing – Huang Lin”• https://www.eecis.udel.edu/~mills/ntp/html/refclock.html• http://www.sundgren.se/1-recreation/2-electronics/dcf77_simulator.htm
48
Thanks
HackingFemtocell
• Any question?• Feel free to contact us!
49
