Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP...

48
Forging Wireless Timing Signals to Attack the NTP Server Time is on my side Time is on my side 1 Yuwei Zheng @HITB Haoqi Shan @HITB From: Qihoo360 Unicorn Team

Transcript of Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP...

Page 1: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

ForgingWirelessTimingSignalstoAttacktheNTPServer

Timeisonmyside

Timeisonmyside1

Yuwei Zheng @HITBHaoqi Shan @HITBFrom: Qihoo360 Unicorn Team

Page 2: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Maincontents

Timeisonmyside

• AbouttheNTPserver• TheNTPstratummode• Thereferenceclock• Forge radio clock signals• Forge GPS clock signals• AttackNTPserver

2

Page 3: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

AboutNTPserver

Timeisonmyside

• Aserverforcomputertosynchronizetime.

3

Page 4: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

AboutNTPserver

Timeisonmyside

• CriticalIndustriesthatuseNTPservers

4

Page 5: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

TheNTPstratummode

Timeisonmyside

• Stratum0Referenceclocks• Stratum1Primarytimeservers• Stratum2• Stratum3…• Stratum16

5

Page 6: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

AbouttheNTPserver

Timeisonmyside

• NTPserversaredeployedwithopensourceNTPv4

6

Page 7: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Thereferenceclock

Timeisonmyside

• ReferenceClockDriversintheopensourceNTPv4Type2Deprecated: wasTrak 8820GPSReceiverType3PSTI/Traconex 1020WWV/WWVHReceiver(WWV_PST)Type4Spectracom WWVB/GPSReceivers(WWVB_SPEC)Type5TrueTimeGPS/GOES/OMEGA Receivers(TRUETIME)Type6IRIGAudioDecoder(IRIG_AUDIO)Type7RadioCHUAudioDemodulator/Decoder(CHU)…Type39hopf GPS/DCF776039forPCI-Bus(HOPF_P)Type40JJYReceivers(JJY)Type41TrueTime 560IRIG-BDecoderType42ZyferGPStarplus ReceiverType43RIPENCCinterfaceforTrimblePalisadeType44NeoClock4X- DCF77/TDFseriallineType45Spectracom TSYNCPCIType46GPSDNGclientprotocol

7

Page 8: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Thereferenceclock

Timeisonmyside

Whydoesthestratum-1NTPserveruseradioclockandGPS?• Atomicclock,accurate,butexpensive• GPS• radioclock

8

Page 9: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Thereferenceclock

Timeisonmyside

• ReceivercardssupportedbyNTPV4

9

Page 10: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Thereferenceclock

Timeisonmyside

• Stratum1NTPserverproductforindustrialusing

10

Page 11: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Thereferenceclock

Timeisonmyside

• ItsupportsDCF77,MSF,WWVB,andGPS

11

Page 12: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Forgelongwavetimingsignals

Timeisonmyside

• DIYacircuittotransmitradioclocksignalssupportWWVB,JJY,DCF77,andMSF

12

Page 13: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

WWVBencodingandmodulation

Timeisonmyside

• Different pulse width representdifferentdatabit

13

1 2 3 4t(s)

p

reduced

full

0.8s

marker 1 0 1

0.5s 0.5s0.2s

Page 14: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

WWVBencodingandmodulation

Timeisonmyside

• 60Khzcarrier

14

Page 15: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

WWVBencodingandmodulation

Timeisonmyside

• ASKmodulation

15

Page 16: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

WWVBencodingandmodulation

Timeisonmyside

• Theframestructure

16

Page 17: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

JJYencodingandmodulation

Timeisonmyside

Similar to the WWVB

17

1 2 3 4t(s)

p

reduced

full

0.8s

marker1 0 1

0.5s 0.5s0.2s

Page 18: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

DCF77encodingandmodulation

Timeisonmyside

• SimilartoWWVB,itusesa 77.5hzcarrier

18

Page 19: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Longwavetimingsignaltransmitter

Timeisonmyside

• Usead9850DDSmoduletogeneratethecarrier

19

Page 20: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Longwavetimingsignaltransmitter

Timeisonmyside

• AboutAD9850DDSmodulesupportstooutput0-40Mhzwavesendsallradioclocksignalswithonecircuit

• Usearduino tocontrolad9850Ad9850seriallibraryforarduinohttps://github.com/F4GOJ/AD9850

20

Page 21: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Longwavetimingsignaltransmitter

Timeisonmyside

• AsimpleJJYtransmittervoidsendMark(){//Sendhighfor0.2secDDS.setfreq(freq,phase);delay(200);//Sendlowfor0.8secDDS.down();delay(800);return;

}

21

Page 22: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Longwavetimingsignaltransmitter

Timeisonmyside

• AsimpleJJYtransmittervoidsendBit1(){//Sendhighfor0.5secDDS.setfreq(freq,phase);delay(500);//Sendlowfor0.5secDDS.down();delay(500);return;

}

22

Page 23: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Longwavetimingsignaltransmitter

Timeisonmyside

• AsimpleJJYtransmittervoidsendBitZero(){//Sendhighfor0.8secDDS.setfreq(freq,phase);delay(800);//Sendlowfor0.2secDDS.down();delay(200);return;

}

23

Page 24: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Longwavetimingsignaltransmitter

Timeisonmyside

• GettheantennafromanJJYreceiver

L=1890uH.𝑓 = $

%& '(,for60khzcarrierC=3.6nF

Forthe77.5khzcarrier,C=2.2nF

24

Page 25: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Longwavetimingsignaltransmitter

Timeisonmyside25

• Thewholecircuitoftheuniformtransmitter

Page 26: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Longwavetimingsignaltransmitter

Timeisonmyside26

• LongdistancetransmitterDesignapoweramplifierwithMOSFETIR540.

Page 27: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

AttackGPSNTPreceiver

Timeisonmyside

• GPSreceiver• GPStechbriefing• GenerateGPSsignal• Haveatry• Upgradeattackalgorithm

27

Page 28: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

GPSreceiver

Timeisonmyside

• MultiplyConnection• PCI• USB• Serialport

28

Page 29: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

GPStechbriefing

Timeisonmyside

• Complicatedprinciple• Butdoesn’tmatter,it’sopen-sourced• Defcon23“GPSSpoofing- LinHuang”

29

Page 30: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

GPStechbriefing

Timeisonmyside30

Subframe 1 Subframe 2 Subframe 3 Subframe 4 Subframe 5

Time information Ephemeris

Page 31: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

GenerateGPSsignal

Timeisonmyside31

Page 32: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Haveatry

Timeisonmyside32

Page 33: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Panic

Timeisonmyside33

Page 34: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Update attack algorithm

Timeisonmyside34

• Find GPSTime• Replace it• Re-ParityCheck

Page 35: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Setup an NTP server

HackingFemtocell

• Setup an NTP server using JJY as clocksource

35

server127.127.40.0mode1preferfudge 127.127.40.0flag1stratum0

Page 36: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Setup anNTPserver

Timeisonmyside

• ThisNTPserverwithJJYreferenceclock

36

Page 37: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Setup an NTP server(JJY)

HackingFemtocell37

Page 38: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

AttacktheNTPserver

Timeisonmyside

• Canweinjectanytime?Thetimeoffsetmustbelessthan4hours.

• InjectatimethatisonehourslowthanrealtimeServercrashed!!!

38

Page 39: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

AttacktheNTPserver

Timeisonmyside

• Canweinjectanytime?Ifthetimeoffsetismorethan1000s,theserverwillshutdown.

39

Page 40: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

AttacktheNTPserver

Timeisonmyside

• Canweinjectanytime?theoffset>1000s,requiremanuallyadjust

40

Page 41: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Root Dispersion

HackingFemtocell41

RFC5905

Page 42: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Attack Demo

Timeisonmyside42

Page 43: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Real Attack?

Time is on my side43

Page 44: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Real Attack?

Time is on my side44

Page 45: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Real Attack?

Time is on my side45

Page 46: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Real Attack?

Time is on my side

• Sensitive & expensive

46

Page 47: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

References

Timeisonmyside

•“GPS Spoofing – Huang Lin”• https://www.eecis.udel.edu/~mills/ntp/html/refclock.html• http://www.sundgren.se/1-recreation/2-electronics/dcf77_simulator.htm• https://github.com/F4GOJ/AD9850• https://github.com/sywcxx/gps-sim

47

Page 48: Time is on my side - HITB · Time is on my side • NTP servers are deployed with open source NTP v4 6. The reference clock Time is on my side • Reference Clock Drivers in the open

Thanks

HackingFemtocell

• Any question?• Feel free to contact us!

48


My Side of the Mountain

My Side of the Mountain

Time Is on My Side - Poets' Coop Is on My Side FREE.pdfTime Is on My Side Charles Rammelkamp 10 Time Is on My Side On the music video channel blasting from half a dozen giant monitors

Time Is on My Side - Poets' Coop Is on My Side FREE.pdfTime Is on My Side Charles Rammelkamp 10 Time Is on My Side On the music video channel blasting from half a dozen giant monitors

NTP CEMENTO

NTP CEMENTO

NTP Europa

NTP Europa

Configuring NTP · Configuring NTP ThischapterdescribeshowtoconfiguretheNetworkTimeProtocol(NTP)onCIscoMDS9000Family switches. • InformationAboutNTP,page1 • PrerequisitesforNTP,page3

Configuring NTP · Configuring NTP ThischapterdescribeshowtoconfiguretheNetworkTimeProtocol(NTP)onCIscoMDS9000Family switches. • InformationAboutNTP,page1 • PrerequisitesforNTP,page3

370.310 ntp

370.310 ntp

NTP 334.009

NTP 334.009

GPS NTP TIME SERVER - DAVANTEL · 2021. 3. 22. · Total number of NTP packets received from any host. Num of NTP packet Rejected Total number of NTP packet rejected. NTP request

GPS NTP TIME SERVER - DAVANTEL · 2021. 3. 22. · Total number of NTP packets received from any host. Num of NTP packet Rejected Total number of NTP packet rejected. NTP request

NTP Syllabus

NTP Syllabus

David Choi - By My Side

David Choi - By My Side

NTP Brochure

NTP Brochure

My Side of the Mountain THEMES

My Side of the Mountain THEMES

NORTH - Underground Utility Contractorsdnhiggins.com/docs/15-022 Addendum 2 Part II Civil Drawings.pdf · ntp 2 ntp 1 ntp 1 ntp 3 ntp 1 ntp 3 ntp 1 ntp 3 n.i.c. ntp 2 ntp 2 n.i.c.

NORTH - Underground Utility Contractorsdnhiggins.com/docs/15-022 Addendum 2 Part II Civil Drawings.pdf · ntp 2 ntp 1 ntp 1 ntp 3 ntp 1 ntp 3 ntp 1 ntp 3 n.i.c. ntp 2 ntp 2 n.i.c.

Final File From My Side

Final File From My Side

NTP Briefing.pptx

NTP Briefing.pptx

Expert NTP

Expert NTP

NTP 370.304

NTP 370.304

Angels by My Side

Angels by My Side

NTP Series GPON ONT Data Sheet Complete solutions for ...€¦ · NTP-2 NTP-2C NTP-RG-1402GC-W NTP-RG-1402G-W 1xGPON 2x1G 1xUSB2.0 2xUSB2.0 2xFXS 2xFXS 1xRF 1xRF 2x1G 4x1G 4x1G 1xGPON

NTP Series GPON ONT Data Sheet Complete solutions for ...€¦ · NTP-2 NTP-2C NTP-RG-1402GC-W NTP-RG-1402G-W 1xGPON 2x1G 1xUSB2.0 2xUSB2.0 2xFXS 2xFXS 1xRF 1xRF 2x1G 4x1G 4x1G 1xGPON

My Side, Your Side and Wikipedia

My Side, Your Side and Wikipedia