Research Team Finds Flaw in Computers’ Timekeeping

Tens of millions of computers were vulnerable to attack

Tens of millions of computers were vulnerable to sabotage of their clocks, BU researcher Sharon Goldberg has discovered. Photo by Cydney Scott

Sharon Goldberg frets about internet security so the rest of us don’t have to. In a paper released in October 2015, Goldberg and her team reported the kind of security problem worth worrying about, one that could be used by a bad guy to cripple the clock function of tens of millions of computers on the internet using a single attacking machine. 

Happily, says Goldberg, a Boston University College of Arts & Sciences (CAS) associate professor of computer science, fixes for the vulnerability were implemented before the paper was published.

Working with students Aanchal Malhotra (GRS’19), Isaac Cohen (CAS’16), and Erik Brakke (CAS’16) in spring 2015, Goldberg discovered a potential vulnerability in the Network Time Protocol (NTP), the software and rules that synchronize clocks on computers. The team developed attacks that could alter the time on computer systems, compromising other applications, such as the encryption schemes that protect internet communications to bank websites. Other apps, from bitcoin systems to website authentication and login protocols, also could be breached.

“If NTP breaks, many other computing applications break as well,” says Goldberg, who holds a fellowship from BU’s Rafik B. Hariri Institute for Computing and Computational Science & Engineering and is also a Sloan Fellow.

Before posting the paper on her project’s website, Goldberg’s team worked with the Network Time Foundation, which implements the NTP, and with software firms like Cisco Systems and Red Hat, to plug the holes in the NTP code. Goldberg says most computer users need not take corrective action, because their NTP software is routinely revised “via updates or patches to their operating systems.” She says operating systems “will be issuing patches that protect against our attacks, and other members of the Network Time Foundation are likely to do so as well.”

Experts needing to test their servers can consult the Goldberg team’s website for instructions.

“It is very likely that your laptop uses NTP to synchronize its clock to a time server somewhere out on the internet,” says Goldberg. “The encryption protocols that protect the information sent from your web browser to your bank’s website, for example, depend strongly on the accuracy of your computer clocks.”

The Network Time Foundation “really appreciates the work of Sharon, Aanchal, and their team in finding these issues and reporting them responsibly,” says NTF founder and president Harlan Stenn. “NTF has very limited resources, so the work of BU and other research teams is helpful in finding issues.”

The most serious potential attack found by Goldberg’s team involves the “kiss-o’-death packet,” a message that would prevent a computer system from communicating with its time server, possibly for years, essentially turning off NTP on the victim system.
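The article does not describe the packet itself, so here is an added example (not code from the article, the paper, or the Network Time Foundation) that shows what a kiss-o'-death packet looks like on the wire and how a client-side check can recognise one. It assumes the NTPv4 header layout and the kiss codes ("RATE", "DENY", "RSTR") defined in RFC 5905; the sample packets, the request timestamp, and the function names are constructed for the illustration. The check drops any reply whose origin timestamp does not echo the client's own request before acting on a kiss code, which is the ordering RFC 5905 prescribes.

```python
import struct

# NTPv4 header layout (RFC 5905, section 7.3): 48 bytes, network byte order.
#   LI|VN|Mode (1) | Stratum (1) | Poll (1) | Precision (1) |
#   Root Delay (4) | Root Dispersion (4) | Reference ID (4) |
#   Reference, Origin, Receive, Transmit timestamps (8 bytes each)
NTP_HEADER = struct.Struct("!BBbbII4sQQQQ")
MODE_SERVER = 4

# Kiss codes a client is expected to act on (RFC 5905, section 7.4).
# In a kiss-o'-death packet the stratum is 0 and the code sits in the Reference ID.
KISS_CODES = {
    b"RATE": "rate exceeded: the client is asked to poll less often",
    b"DENY": "access denied: the client is asked to stop polling this server",
    b"RSTR": "access denied by local policy",
}

# Constructed 64-bit NTP timestamp standing in for the transmit timestamp of
# "our" most recent request; a genuine reply must echo it in its origin field.
SAMPLE_REQUEST_TRANSMIT_TS = 0xE3C5A7B200000001


def build_ntp_packet(mode, stratum, ref_id, origin_ts=0, transmit_ts=0, version=4):
    """Build a 48-byte NTP header; used here only to construct sample replies."""
    li_vn_mode = (version << 3) | mode   # leap indicator 0, version, mode
    return NTP_HEADER.pack(li_vn_mode, stratum, 6, -20, 0, 0, ref_id,
                           0, origin_ts, 0, transmit_ts)


def parse_ntp(data):
    """Decode the fixed NTP header into a dict; raises ValueError if too short."""
    if len(data) < NTP_HEADER.size:
        raise ValueError("NTP header must be %d bytes" % NTP_HEADER.size)
    (li_vn_mode, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, origin_ts, recv_ts, xmit_ts) = NTP_HEADER.unpack(data[:NTP_HEADER.size])
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "poll": poll,
        "ref_id": ref_id,
        "origin_ts": origin_ts,
        "transmit_ts": xmit_ts,
    }


def classify_reply(data, expected_origin_ts):
    """Return (verdict, detail) for a reply received by an NTP client.

    verdict is one of:
      "bogus"       - not a server reply, or the origin timestamp does not echo
                      our request; RFC 5905 has the client drop such packets
                      before acting on anything else in them
      "kod"         - kiss-o'-death: stratum 0 with a known kiss code in ref_id
      "unknown-kod" - stratum 0 with an unrecognised kiss code
      "sync"        - ordinary time reply; detail is the server's stratum
    """
    pkt = parse_ntp(data)
    if pkt["mode"] != MODE_SERVER:
        return ("bogus", "mode %d is not a server reply" % pkt["mode"])
    if pkt["origin_ts"] != expected_origin_ts:
        return ("bogus", "origin timestamp does not match our request")
    if pkt["stratum"] == 0:
        code = pkt["ref_id"]
        if code in KISS_CODES:
            return ("kod", code.decode("ascii"))
        return ("unknown-kod", code.decode("ascii", "replace"))
    return ("sync", pkt["stratum"])


if __name__ == "__main__":
    samples = {
        "RATE kiss-o'-death echoing our request":
            build_ntp_packet(MODE_SERVER, 0, b"RATE", origin_ts=SAMPLE_REQUEST_TRANSMIT_TS),
        "RATE kiss-o'-death with a non-matching origin (unsolicited)":
            build_ntp_packet(MODE_SERVER, 0, b"RATE", origin_ts=0),
        "ordinary stratum-2 reply":
            build_ntp_packet(MODE_SERVER, 2, b"\x0a\x00\x00\x01",
                             origin_ts=SAMPLE_REQUEST_TRANSMIT_TS),
    }
    for label, raw in samples.items():
        print("%-60s -> %s" % (label, classify_reply(raw, SAMPLE_REQUEST_TRANSMIT_TS)))
```

The point of the ordering is that a kiss code is only honoured after the origin-timestamp check has confirmed the reply corresponds to a request the client actually sent; a monitoring script can log the "bogus" and "kod" verdicts separately to distinguish a server legitimately throttling a client from replies it never asked for.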

Goldberg received a $250,000 grant from the Silicon Valley Community Foundation in October 2015 to continue research on the security of the NTP. She and her team applied for the grant the previous March, when they began to enable various computers in their lab “to speak NTP to each other,” she says, “and started running various experiments with the kiss-o’-death packet.”

“Timeshifting” attacks, in which a computer system’s time settings are altered, took longer to develop, she says, “because NTP is actually quite a complex protocol that has evolved over time.”

Goldberg says her team followed the standard “responsible disclosure” guidelines for researchers who uncover software vulnerabilities. That means alerting affected parties to the vulnerability and giving them a prescribed time to patch the problem, after which the researcher publicizes her work. Goldberg sent Cisco an early draft of her team’s paper in August—she regularly briefs that firm on her research, she says, because it has funded her work and has hired several of her students—and the company was “instrumental in helping us coordinate the responsible disclosure of our research results.”

Goldberg’s work helps cement “BU’s presence in cybersecurity,” says Azer Bestavros, a CAS computer science professor and director of the Hariri Institute. “Sharon’s work often involves undergraduate students, and they get inspired by taking her courses, underscoring how excellence in research contributes significantly to the quality of teaching and experiential learning.”

A version of this article was originally published in BU Today.
