[time-nuts] Time security query

Hal Murray hmurray at megapathdsl.net
Mon Aug 24 20:01:46 UTC 2009 

bill at iaxs.net said:
> These time stamps are required by government regulations in some
> industries.

Do you have a list of the industries and/or regulations and/or what they 
require?

I know about the stock market.  (That is, I know there are requirements but I 
don't know the details.)

In terms of control systems, what level of accuracy do they need?  How much 
of the problem is legal vs technical?  What happens if the GPS/clock breaks?  
Do they shut down a power plant?


> Spoofing the time from a remote location seems impossible. Or is it
> just difficult?

I don't think it would be hard for a well funded bad guy.  The normal signal 
levels are very weak so it shouldn't be hard to overpower them.  I've seen 
GPS test sets advertised.  Why would it be hard to put an antenna on one and 
overpower the real signals from blocks or miles away?


> So, what are the threats to a GPS time receiver? Jamming is possible,
> or just overloading the receiver, but the receiver goes into holdover
> mode and keeps on ticking with the disciplined oscillator. This does
> little damage compared with jamming the transmissions of wireless
> sensors.

The receiver only goes into holdover if you have an expensive (relatively) 
box that is intended to provide holdover.  Cheap consumer GPS gear doesn't do 
that.

One threat is software bugs, both in the GPS device and in OS time keeping 
software.

I've seen low cost GPS units be off by a second.  I've seen it often enough 
that it's no longer surprising.  (I'll try to fish out some log files if you 
need real data.)  I think they usually happen right after recovering from a 
too-weak signal.  Normally they don't last long, but I think I have one 
sample that lasted long enough to be interesting.

I assume you are familiar with ntp.  It's got a collection of heuristics for 
ignoring buggy clocks/systems.  If you are trying to avoid software bugs you 
want diversity in the collection of clocks/systems you are using.

Don't forget leap seconds.
 


Time is doubly interesting for overall security since the security aspects of 
many other network protocols depend upon correct time.  Do you want to go 
down that rathole?



-- 
These are my opinions, not necessarily my employer's.  I hate spam.

More information about the time-nuts mailing list