Security Vulnerabilities in IEEE-1588 (PTPv2)

Post on 21-Apr-2022


John Houston jhouston@us.ibm.com

Security Vulnerabilities in IEEE-1588 (PTPv2)

Marist College School of Computer Science and Mathematics

Poughkeepsie, NY 12601

Paul Wojciak wojciak@us.ibm.com

Casimer DeCusatis Casimer.DeCusatis@Marist.edu

William Kluge William.Kluge1@marist.edu


Kluge, DeCusatis, Wojciak, Houston

What’s the damage?

• Manipulated bank records
• Incorrect access to posts
• Falsified logs

PTP Environment

[Diagram labels: Real PTP Server; Real PTP Server; Any server]

Root privileges required

Rogue Slave Software

Python Scapy

PTP Packets - Announce

INTERNAL_OSCILLATOR, ATOMIC_CLOCK, GPS, …

Accuracy_Unknown, Accurate to within 25 ns, …

Grandmaster Slaves

PTP Packets - Sync and Follow-up

Grandmaster Slaves


PTP Packets - Delay Request

Grandmaster Slaves

PTP Packets - Delay Response

Grandmaster Slaves

PTP’s security does not look at these. They are only for timing.


We verified this by spoofing the correct delays.


Typical PTP Interactions

Average Offset: -0.042 ns

Source IP

Destination (multicast)

Sequence ID

Message Type

Attacks Reviewed

• Announce Denial of Service (DoS): Spam announce packets at the slave.

• Master Spoof: Pretend to be the actual grandmaster and send fake data to slaves.

• Atomic Master Takeover*: Fake the entire PTP process as a clock with an atomic time source.

*E. Itkin and A. Wool, “A security analysis and revised security extension for the precision time protocol” - same attack, different results

Announce DoS

Spoofed IP

“Valid” Sequence IDs

Average Offset After Attack: -86.1 ms

Average Offset During Attack: 137.8 ms

Announce DoS - Graph

Most of aftermath comes from this

Does stabilize


Master Spoof

Sequence IDs mimic master

Spoofed IP

Average Offset After Attack: 1330.15 min

Average Offset During Attack: -23.83 min

Master Spoof - Graph

Unable to recover


The Disadvantage of DoS Style Attacks

Very obvious spikes and drops


Atomic Master Takeover

Slave is communicating with fake master

Full sync sequence

Atomic Master Takeover - The Master Packet

Best time source

Extremely accurate


Atomic Master Takeover - Graph

Average Offset After Attack: 148 ns

Average Offset During Attack: N/A

Acts like packets are being dropped

The Current State of PTP

• Works great in ideal conditions

• Vulnerable

• Even basic attacks destroy integrity

• Unreliable

• Not always able to recover

• Useless log output under stress

• No field verification
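
The "No field verification" point, applied to the Announce fields shown earlier (time source, accuracy), as an added monitoring example that is not from the presentation: it parses a PTPv2 Announce payload and compares the advertised grandmaster identity, time source and accuracy with a recorded baseline. The baseline table, function names and sample packets are assumptions constructed for the example; field offsets follow the IEEE 1588-2008 Announce layout.

```python
import struct

ANNOUNCE, PTP_V2 = 0x0B, 2
# timeSource and clockAccuracy codes from IEEE 1588-2008 (subset).
TIME_SOURCE = {0x10: "ATOMIC_CLOCK", 0x20: "GPS", 0xA0: "INTERNAL_OSCILLATOR"}
ACCURACY = {0x20: "25 ns", 0x21: "100 ns", 0xFE: "unknown"}

def parse_announce(pkt: bytes):
    """Return the master-selection fields of a PTPv2 Announce, or None."""
    if len(pkt) < 64 or (pkt[0] & 0x0F) != ANNOUNCE or (pkt[1] & 0x0F) != PTP_V2:
        return None
    (seq,) = struct.unpack_from("!H", pkt, 30)
    prio1, clk_class, acc, _variance, prio2 = struct.unpack_from("!BBBHB", pkt, 47)
    return {
        "sender": pkt[20:28].hex(),          # sourcePortIdentity.clockIdentity
        "sequence_id": seq,
        "priority1": prio1, "priority2": prio2, "clock_class": clk_class,
        "accuracy": ACCURACY.get(acc, hex(acc)),
        "grandmaster": pkt[53:61].hex(),     # grandmasterIdentity
        "time_source": TIME_SOURCE.get(pkt[63], hex(pkt[63])),
    }

def check_announce(pkt: bytes, baseline: dict) -> list:
    """baseline maps grandmasterIdentity (hex) -> (time_source, accuracy)
    recorded at commissioning; this table is an assumption of the example."""
    a = parse_announce(pkt)
    if a is None:
        return ["not a PTPv2 Announce"]
    expected = baseline.get(a["grandmaster"])
    if expected is None:
        return [f"unknown grandmaster {a['grandmaster']} claiming "
                f"{a['time_source']} / {a['accuracy']}"]
    if (a["time_source"], a["accuracy"]) != expected:
        return [f"grandmaster {a['grandmaster']} changed its advertised quality"]
    return []

def sample_announce(clock_id: bytes, time_source: int, accuracy: int, seq: int) -> bytes:
    """Constructed 64-byte Announce for the checks above (not captured traffic)."""
    pkt = bytearray(64)
    pkt[0], pkt[1] = ANNOUNCE, PTP_V2
    struct.pack_into("!H", pkt, 2, 64)                      # messageLength
    pkt[20:28] = clock_id
    struct.pack_into("!H", pkt, 30, seq)
    struct.pack_into("!BBBHB", pkt, 47, 128, 6, accuracy, 0x4E5D, 128)
    pkt[53:61] = clock_id
    pkt[63] = time_source
    return bytes(pkt)
```

A baseline match does not authenticate the sender: an Announce that copies the real grandmaster's identity and advertised quality passes these checks, so they serve as a tripwire for new or changed claims rather than as verification of origin.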

What’s next?

Research to look forward to:

• Blank Packet DoS

• Directed Atomic Master Takeover