security vulnerabilities in ieee-1588 (ptpv2)
TRANSCRIPT
John Houston [email protected]
Security Vulnerabilities in IEEE-1588 (PTPv2)
Marist College School of Computer Science and Mathematics
Poughkeepsie, NY 12601
Paul Wojciak [email protected]
Casimer DeCusatis [email protected]
William Kluge [email protected]
�1
!2Kluge, DeCusatis, Wojciak, Houston
What’s the damage?• Manipulated bank records • Incorrect access to posts • Falsified logs
!3Kluge, DeCusatis, Wojciak, Houston
PTP Environment
!4Kluge, DeCusatis, Wojciak, Houston
PTP Environment
Real PTP Server
!5Kluge, DeCusatis, Wojciak, Houston
PTP Environment
Real PTP Server
Real PTP Server
!6Kluge, DeCusatis, Wojciak, Houston
PTP Environment
Real PTP Server
Real PTP Server
Any server
!7Kluge, DeCusatis, Wojciak, Houston
PTP EnvironmentRoot privileges required
!8Kluge, DeCusatis, Wojciak, Houston
Rouge Slave Software
Python Scapy
!9Kluge, DeCusatis, Wojciak, Houston
PTP Packets - Announce
INTERNAL_OSCILLATORATOMIC_CLOCK GPS …
Accuracy_Unknown Accurate to within 25 ns…
Grandmaster Slaves
!10Kluge, DeCusatis, Wojciak, Houston
PTP Packets - Sync and Follow-up
Grandmaster Slaves
!11Kluge, DeCusatis, Wojciak, Houston
PTP Packets - Delay Request
Grandmaster Slaves
PTP Packets - Delay Response
Grandmaster Slaves
PTP’s security does not look at these. They are only for timing.
!12Kluge, DeCusatis, Wojciak, Houston
PTP Packets - Delay Request
Grandmaster Slaves
PTP Packets - Delay Response
Grandmaster Slaves
PTP’s security does not look at these. They are only for timing.
We verified this by spoofing the correct delays.
!13Kluge, DeCusatis, Wojciak, Houston
Typical PTP Interactions
Average Offset: -0.042 ns
Source IPDestination (multicast)
Sequence ID Message Type
!14Kluge, DeCusatis, Wojciak, Houston
Attacks ReviewedAnnounce Denial of Service (DoS)
Master Spoof
Atomic Master Takeover*
Spam announce packets at the slave.
Pretend to be the actual grandmaster and send fake data to slaves.
Fake the entire PTP Process as a clock with an atomic time source.
*E. Itkin and A Wool, “A security analysis and revised security extension for the precision time protocol” - same attack, different results
!15Kluge, DeCusatis, Wojciak, Houston
Announce DoS
Spoofed IP “Valid” Sequence IDs
Average Offset After Attack: -86.1 ms
Average Offset During Attack: 137.8 ms
!16Kluge, DeCusatis, Wojciak, Houston
Announce DoS - Graph
Most of aftermath comes from this
Does stabilize
!17Kluge, DeCusatis, Wojciak, Houston
Master Spoof
Sequence IDs mimic masterSpoofed IP
Average Offset After Attack: 1330.15 min
Average Offset During Attack: -23.83 min
!18Kluge, DeCusatis, Wojciak, Houston
Master Spoof - Graph
Unable to recover
!19Kluge, DeCusatis, Wojciak, Houston
The Disadvantage of DoS Style Attacks
Very obvious spikes and drops
!20Kluge, DeCusatis, Wojciak, Houston
Atomic Master Takeover
Slave is communicating with fake master Full sync sequence
!21Kluge, DeCusatis, Wojciak, Houston
Atomic Master Takeover - The Master Packet
Best time source
Extremely accurate
!22Kluge, DeCusatis, Wojciak, Houston
Atomic Master Takeover - Graph
Average Offset After Attack: 148 ns
Average Offset During Attack: N/A Acts like packets are being dropped
!23Kluge, DeCusatis, Wojciak, Houston
• Works great in ideal conditions
• Vulnerable
• Even basic attacks destroy integrity
• Unreliable
• Not always able to recover
• Useless log output under stress
• No field verification
The Current State of PTP
!24Kluge, DeCusatis, Wojciak, Houston
Research to look forward to:
• Blank Packet DoS
• Directed Atomic Master Takeover
What’s next?