Timing and synchronization technologies are an important component of next generation infrastructure such as 5G and connected vehicle deployments. Stricter sync requirements put these technologies at risk of becoming dependent on GPS for their timing. This talk will explore how protection and integrity of synchronization mechanisms will become a cost of doing business across any connected industry.
Learning Objectives:
1: Understand the difference between naive GPS spoofing and advanced, targeted, spoofing.
2: Learn about the real threats of GPS spoofing across industries.
3: Understand the need to secure time and synchronization technologies.
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
What Time Is It? How Manipulating “Now” Can Crash Our World
1. SESSION ID:
#RSAC
Michael Calabro
WHAT TIME IS IT?
HOW MANIPULATING "NOW" CAN
CRASH OUR WORLD
HTA-W12
Senior Lead Engineer
Booz Allen Hamilton
Calabro_Michael@bah.com
2. #RSAC
Why do we need SynchronizaHon?
2
Event ordering
Fairness in Race CondiHons
Security
Event Forensics
3. #RSAC
Time is Made Up
3
Physicists noted that some materials generate very stable reference
signals at predictable periods (cesium, rubidium)
If you count these periods …
The SI definiHon of a second is the Hme that elapses during
9,192,631,770 cycles of the radiaHon produced by the transiHon
between two levels of the cesium 133 atom.
5. #RSAC
Time Accuracy and Precision are DisHnct
5
Precise, Not Accurate
Precise & Accurate
Accurate, Not Precise
6. #RSAC
The Path of Time Transfer
6
Master Clock
00:00:00.000???
00:00:00.000000 +/- X +/- Y +/- Z
Delays are known or bounded
Time stamps are
transferred from that
source to end applicaHons
Time is
measured
at a source
7. #RSAC
Time Transfer and Time Sources are Different
7
GPS
NTP PTP
ApplicaHon
LTE
UTC(USNO)
U.S. Air
Force
PTRC
GPS
Rx
GPS
Rx
GPS
Rx
GPS
Rx
GPS
Rx
8. #RSAC
Financial Business Clock Time Sources
8
MulMple
Technologies,
40%
NTP, 27%
GPS, 6%
PTP, 6%
CDMA, 2%
Other
Technologies,
3%
Did Not Know ,
16%
(FROM 2017 SEC CLOCK SURVEY)
9. #RSAC
How Time is Transferred via GPS
9
Precise code phase alignment can give < 10 nanoseconds of precision
Distance (m) / Speed of Light (m/s) = Delay (Rule of Thumb: 1 e / ns)
0100110110101011010101110101Path Delay
RX
0100110110101011010101110101
SV Transmits known PN Sequence
GPS receiver generates local
copy and aligns it to transmi`ed
sequence
Precision of alignment
determines precision of Mme
delay calculaMon
10. #RSAC
GPS is Vulnerable to ManipulaHon
10
Data A`acks Repeaters or
Unsynchronized Spoofers
Code Phase Synchronous
Spoofers
Receivers and their applicaHons do math based
on broadcast parameters. Divide by zeros?
Overflows? Time might go backwards.
Time will jump around. Time may advance more or less quickly … but at
a high level, may appear accurate.
Broadcast by GPS
Algorithms from GPS SPS SpecificaMon
GPS Rx locks on to
dominate signal
GPS Rx locks on to dominate signal and
that signal is very close to the real signal
11. #RSAC
How GPS Time can be Subtly Spoofed
11
0100110110101011010101110101Path Delay
RX
0100110110101011010101110101
SV Transmits PN Sequence
Rx Generates local copy and
aligns it to transmi`ed
sequence
Precision of alignment
determines precision of Mme
delay calculaMon
Spoofer Near Matched Delay
0100110110101011010101110101
12. #RSAC
Review So Far
12
Time is “made up”
Time is Measured directly or Transferred
GPS is a common source of Hme across all applicaHons
Timing and SynchronizaHon requirements exist at a variety of levels
across applicaHons
So… What happens when Synch breaks down?
16. #RSAC
Some Scenarios – Financial Front Running
16
T = 0.000
T = 0.001
Buyer buys 1000000 shares of ABC
Seller sells 100000 shares of ABC
T = 0.002
T = 0.00000
T = 0.00010
Seller sells 100000 shares of ABC
T = 0.00035
Buyer buys 1000000 shares of ABC
T = 0.00200
Which ordering of events would you prefer? What if you could change your Hme stamp?
18. #RSAC
A Unique Set of Error CondiHons
18
On January 25th, 2016, during the reHrement of the last IIA satellite,
an error occurring in the GPS system causing many receivers that
used the UTC correcHon broadcast by the satellites to be ~13.7
microseconds deviant from truth
Global effect
Not all satellites broadcast erroneous data
Affected receivers needed to obtain their UTC offset from a bad
satellite – i.e. not all receivers with a common skyview would have
been affected
20. #RSAC
Effects (caused by an ~12 hour event)
20
Of ~80 NIST clocks monitoring event, only 11% were unaffected
Some high performance precision Hming receivers took 1+ day to
resynchronize to their previous levels of stability
Many precision Hming receivers entered into holdover (starHng a count
down hours to out-of-spec performance)
At least one telecommunicaHons backhaul provider reported that it was
necessary to manually reset affected precision Hming receivers
Some clocks located in telecom systems started to free run with no atomic
discipline or back up
Many organizaHons that should have been affected did not report any
impact (did they even know how close they came to major issues?)
21. #RSAC
It is Really Hard to Get Away from GPS…
21
Timing Source GPS Dependent Scale Availability Comments
GNSS Yes < 100 ns Global
Not appropriate for all
environments; may be denied
GSM NTIZ Yes ~1s Regional
CDMA2000 Sync Yes 1 ms Regional
LTE R11+ SIB 16 Yes 10 ms
Not widely deployed. 10 ms may
not be sufficiently precise.
Iridium Time
(Satelles)
Yes < 500 ns Global
Paid Service; May have higher
availability than GNSS
eLoran Yes < 100 ns
Europe, Asia,
Middle East
Not available in the US
22. #RSAC
Upcoming 5G and IoT Sync Requirements
22
Edge of network sync in in TDD LTE is ~ 1 microsecond; 5G proposes
to aggressively push this down – thereby increasing dependency on
synch
SynchronizaHon requirements between cloud processes and events
will become stricter
IoT will need ways to synch local devices
23. #RSAC
OrganizaHons that are working on this
23
ATIS SynchronizaHon Commi{ee
Resilient NavigaHon & Timing FoundaHon
Network Time FoundaHon
North American Synchrophasor IniHaHve (NASPI)
NaHonal Space-Based PNT Advisory Board and PNT ExecuHve
Commi{ee
24. #RSAC
Conclusions
24
GPS remains the most convenient source of Hme transfer and is the
only technology capable of meeHng upcoming synchronizaHon
requirements efficiently
2017 and 2018 are seeing many new synchronizaHon applicaHons
being deployed across telecom, finance, transportaHon, and
Sync needs to be done securely and deliberately
Secure SynchronizaHons SoluHons exist today; advocacy is needed at
a naHonal level for an alternaHve system to GPS
25. #RSAC
Selected References
25
NIST Report on January 2016 Outage
h{ps://}.nist.gov/general/pdf/2886.pdf
SEC Clock Survey
h{ps://www.sec.gov/divisions/marketreg/consolidated-audit-trail-clock-synchronizaHon-assessment-051517.pdf
NASPI
h{ps://www.naspi.org/sites/default/files/reference_documents/ts}_electric_power_system_report_pnnl_26331_march_2017_0.pdf
26. #RSAC
Apply What You Have Learned Today
26
Next week you should:
IdenHfy synchronizaHon dependent applicaHons within your organizaHon
In the first three months following this presentaHon you should:
Understand where these sync-dependent applicaHons get their Hme from and
their corresponding tolerances for failure
Within six months you should:
Understand how to a{ribute system failures to synchronizaHon outages
“Protect, Toughen, and Augment” your Timing Sources and Sync Methods
Michael Calabro
Calabro_Michael@bah.com