When Liza Minnelli sang that famous tune, “Money makes the world go around,” she should have added one more word: time. Time makes the world go around. It’s the one agreed-upon part of life that the whole world shares. From laptops to phones to wall clocks to just about every other technology, time is everywhere, governing our daily responsibilities. In cybersecurity, time is just as critical. Event log files rely on time. Forensic investigations rely on time. Networks rely on time. In fact, Network Time Protocol (NTP) is one of the oldest internet protocols still in use.

So, imagine the impact if an attacker were to manipulate time. That’s the question our X-Force Red Global Hardware Hacking Lead Adam Laurie is diving into for his upcoming Black Hat Europe keynote presentation. I spoke to him ahead of his talk to get a better sense of what it will cover.

Abby: Thank you, Adam, for taking the time (wink, wink) to chat with me. This topic is unique. Why did you choose to explore it further?

Adam: Abby, everything relies on accurate timing. Transactions rely on time. Blockchain relies on time. Communication protocols and systems can’t operate without synchronized clocks because they use time windows for transmissions. If clocks are skewed, the transmissions will bump into each other and the whole thing breaks down. Time is at the center of our most important activities, which is why I thought it would be interesting to see how an attacker could manipulate time, and the type of impact it would have from a cybersecurity perspective.

Abby: Which cybersecurity processes do you think would be most impacted by an attacker skewing time?

Adam: Initially, I had thought that forensic investigations might be some of the biggest ones. When you investigate an incident, you look through the event logs within a certain time window to put the pieces together on when unusual activity occurred. For example, if an incident happened on a Thursday night, you might look through the events that took place the week prior to see if you could spot unusual activity. Now let’s say an attacker skewed the clocks so all the activity got incorrectly logged as occurring many days or weeks before it. You would never see the events that were logged before the incident really occurred, and, in some cases, may not even realize you were looking at entirely the wrong window of time. However, the more I looked at this the more I realized that real-time issues are far greater and more challenging to resolve.

Abby: What are some ways that criminals could ‘attack’ real time?

Adam: Accurate time derived from atomic clocks gets distributed in various ways, the main ones being network (NTP), satellite (GPS), RF (MSF/DCF/WWV, etc.) and GSM. If one looks skewed, I can still rely on two or more of the others, looking for consensus that indicates they are still in sync and accurate. But what if a criminal could attack a majority? They could sit outside your building and manipulate the satellite clock by spoofing or jamming the very weak radio signals, which would then mess up your GPS clocks. You can do the same for RF clocks. What is the response to that? Is there any defense against that?

The problem is that there is currently no way to identify a ‘real’ time signal from a spoofed one. In the U.K., we have a system called MSF, which is an RF signal transmitted by the National Physical Laboratory that can be received anywhere in the U.K. Other countries have their own variants. The transmitter is connected to an atomic clock, but it’s just beeps and boops. Nothing validates the signal. There is no handshake. It’s a one-way broadcast transmission. If I sit outside your facility and override that signal, I can make your RF clock show any time I like, and if that clock feeds into your local network time via your own ‘secure’ NTP server, then I’ve potentially altered your vision of ‘correct’ time.

Abby: What can happen if we don’t secure time?

Adam: In the worst-case scenario, a bad actor could execute a massive denial-of-service (DoS) attack against our banking, telecommunications and other vital systems.

Abby: I would imagine securing time isn’t a new concept? Why haven’t we seen more presentations and discussions about it?

Adam: There have been previous attempts to work around this problem by adding encryption and/or authentication to NTP itself, but there were issues with scalability and implementation. Surprisingly, securing NTP properly, from an RFC (Request for Comments) standpoint, is a relatively new occurrence. RFC is the system by which the Internet agrees on standards. If you needed to know how a protocol works, for example, you would view the RFC and work forward from there. It shows how the protocol and parameters were agreed upon. The first RFC for NTP was back in the early eighties, but the secure time (NTS) RFC was only published in 2020, so it is pretty new.

Abby: Thank you, Adam. If you want to learn more about the potential threats against time and how it can be better secured, watch Adam’s keynote at Black Hat Europe! Details can be found here.
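Adam describes the usual defence against a single skewed clock source: compare several independent sources (NTP, GPS, RF broadcast, GSM) and trust the majority that agree. The following is an added example, not code from the interview or from X-Force Red, that implements that consensus check over constructed sample readings and then shows the failure mode he raises: once an attacker spoofs a majority of the sources, the honest source is the one that gets rejected. The agreement window, source names and timestamps are all assumptions chosen for illustration.

```python
"""
Added example (not part of the original interview): a minimal majority-
consensus check across independent time sources, plus three constructed
scenarios showing (1) a single spoofed RF clock being rejected, (2) a
spoofed majority defeating the check, and (3) an even split yielding no
trusted time at all. All readings are constructed sample data.
"""
from dataclasses import dataclass

# Hypothetical agreement window between sources, in seconds. Real deployments
# pick this from the expected jitter of each source; 0.5 s is an assumption.
TOLERANCE_S = 0.5

# Constructed reference instant (Unix seconds) that the honest sources report.
TRUE_TIME = 1_700_000_000.0


@dataclass(frozen=True)
class Reading:
    source: str      # e.g. "ntp", "gps", "msf", "gsm"
    epoch_s: float   # time reported by that source, Unix seconds


def consensus(readings, tolerance=TOLERANCE_S):
    """Return (trusted_time, agreeing_sources, rejected_sources).

    The largest group of sources whose readings lie within `tolerance` of
    one anchor reading wins, provided it is a strict majority. The trusted
    time is the median of that group; sources outside it are rejected.
    With no strict majority, trusted_time is None and nothing is trusted.
    """
    best = []
    for anchor in readings:
        cluster = [r for r in readings
                   if abs(r.epoch_s - anchor.epoch_s) <= tolerance]
        if len(cluster) > len(best):
            best = cluster
    if len(best) * 2 <= len(readings):
        # No strict majority: refuse to pick a side rather than guess.
        return None, [], [r.source for r in readings]
    trusted = sorted(r.epoch_s for r in best)[len(best) // 2]
    agreeing = [r.source for r in best]
    rejected = [r.source for r in readings if r not in best]
    return trusted, agreeing, rejected


def scenario_single_spoofed():
    """Only the RF (MSF) clock is pushed one hour forward; majority holds."""
    readings = [
        Reading("ntp", TRUE_TIME + 0.01),
        Reading("gps", TRUE_TIME - 0.02),
        Reading("msf", TRUE_TIME + 3600.0),   # spoofed RF broadcast
        Reading("gsm", TRUE_TIME + 0.05),
    ]
    return consensus(readings)


def scenario_majority_spoofed():
    """GPS and MSF are spoofed, and the local NTP server is fed from the MSF
    clock, so three of four sources agree on the attacker's time. The honest
    GSM source is now the outlier and gets rejected."""
    readings = [
        Reading("ntp", TRUE_TIME + 3600.00),  # follows the spoofed RF clock
        Reading("gps", TRUE_TIME + 3600.02),  # spoofed satellite signal
        Reading("msf", TRUE_TIME + 3599.99),  # spoofed RF broadcast
        Reading("gsm", TRUE_TIME + 0.03),     # the only honest source
    ]
    return consensus(readings)


def scenario_split():
    """Two honest, two spoofed: no strict majority, so no trusted time."""
    readings = [
        Reading("ntp", TRUE_TIME + 0.01),
        Reading("gps", TRUE_TIME - 0.01),
        Reading("msf", TRUE_TIME + 3600.0),
        Reading("gsm", TRUE_TIME + 3600.1),
    ]
    return consensus(readings)


if __name__ == "__main__":
    for name, fn in [("single source spoofed", scenario_single_spoofed),
                     ("majority spoofed", scenario_majority_spoofed),
                     ("even split", scenario_split)]:
        trusted, ok, bad = fn()
        offset = None if trusted is None else round(trusted - TRUE_TIME, 2)
        print(f"{name}: offset from true time={offset}s trusted={ok} rejected={bad}")
```

The point of the second scenario is that a consensus check is only as strong as the independence of its inputs: if the NTP server is itself disciplined by the RF clock, spoofing the RF and satellite signals takes three "independent" sources with it, and the check confidently converges on the attacker's time.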
