It all in the timing.

What do a Jerry Seinfeld quip and an internet packet have in common? They both rely on precise timing for their delivery. Feel free to substitute Seinfeld with your favorite comedian and an internet packet with a cell phone call, data session, GPS navigation, encrypted transmission decryption, token authentication, and much more.

We recently experienced what is becoming known as the “Crowdstrike Moment,” and if you fly Delta, you might still be dealing with it. Such outages can occur on various levels, ranging from a bricked device to internet or intranet denial. We access the internet through multiple means, including fixed networks and mobile systems. Regardless of the method, they all rely on synchronization from an external timing source, which can become our Achilles’ heel. This article explores our reliance on GPS for the precise timing needed to maintain the confidentiality, integrity, and availability (sound familiar?) of our data and why GPS should always be considered part of our cybersecurity supply chain. And after all, who needs one of the best EDR solution providers to brick your endpoints when an adversary can go one step further and brick the whole internet?

Quality or Lack of Service

Digital networks require precise synchronization to coordinate data transmission. Internet routers and switches must be synchronized to manage high data traffic volumes efficiently. Without this synchronization, devices cannot maintain accurate timing for sending and receiving data packets, leading to bottlenecks and data loss. Both internet service providers and mobile networks involve multiple components that must work in sync to provide not just quality service, but THE service.

When systems fall out of sync, mobile users experience dropped calls, buffering during streaming, delayed or failed transactions, and more. Cellular networks use GPS timing to synchronize operations, ensuring smooth handoffs as users move between cell sites. This synchronization is crucial for maintaining call and data session continuity. Advanced 4G and 5G networks require even more precise timing due to their higher data rates and complex protocols. Desynchronization can lead to data packet collisions and retransmissions, reducing network efficiency and speed—or worse, affecting the network’s availability.

Positioning, Navigation, and Timing (PNT)

To understand the relationship between GPS, synchronization, and cybersecurity, we must first define PNT (Positioning, Navigation, and Timing). PNT encompasses three key capabilities:

Positioning: Precisely determining the location and orientation of an asset in two or three dimensions.

Navigation: Knowing the current and desired positions (relative or absolute) and applying corrections to course, orientation, and speed to reach the desired position.

Timing: Acquiring and maintaining accurate and precise time and timing signals.

Timing is critical; precise timing signals allow GPS receivers to determine their absolute and relative positions and the exact time. This synchronization underpins the entire system, ensuring accurate and reliable data flow through all systems.

GPS, PNT, NTP and CIA

How can an adversary hurt us by attacking PNT? One way is through a Network Time Protocol (NTP) attack. NTP is a protocol used to synchronize the clocks of computers and system components to within milliseconds of Coordinated Universal Time (UTC). It operates through a hierarchical system of time sources, known as strata, with stratum zero at the top, consisting of highly accurate timekeeping devices like atomic and GPS clocks. Each GPS satellite carries three atomic clocks to enable precise positioning of GPS receivers and to send precise timing signals to receivers in data centers and cloud facilities.

NTP servers provide the precise timing signals our networks need to ensure all devices operate on the same time standard. This is crucial for logging events, securing communications, and managing data packet flow, ensuring they are sent and received in the correct order. Precise timing is also essential for cryptographic protocols, which often rely on time-based keys and tokens. Synchronization helps prevent replay attacks, where an attacker intercepts and retransmits a data packet to deceive the receiver. NTP servers often synchronize with GPS to ensure their timing is accurate, using the atomic clocks onboard these GPS satellites.

Taking Your Time

However, there are challenges. First, NTP vulnerabilities, and secondly, the integrity of GPS itself, which is already a concern in the community. NTP can be vulnerable to cyberattacks, and understanding these threats is crucial for maintaining the integrity and security of systems that rely on precise time synchronization. There are several types of NTP attacks:

NTP Amplification Attacks: These exploit the NTP protocol to generate amplified traffic. A small request to an NTP server can generate a large response, which is directed at a target, overwhelming its network, and severely disrupting services by flooding the target’s network with traffic, similar to a DDoS attack.

Time-Spoofing Attacks: These occur when attackers manipulate NTP responses to provide incorrect time information. Attackers intercept and alter NTP traffic, changing the system time. This disrupts logging, authentication protocols, time-sensitive transactions, synchronization, and more, leading to broader security vulnerabilities.

NTP Reflection Attacks: These are similar to amplification attacks but focus on reflecting responses to a target. Attackers send forged requests with the target’s IP address, causing NTP servers to flood the target with responses. This degrades or disables network performance for the victim, causing operational disruptions.

To protect against or mitigate these threats, secure configuration and applying authentication mechanisms to the NTP server of choice will greatly reduce NTP vulnerabilities. However, time spoofing remains a significant concern; altering the time is an integrity attack and can be highly disruptive.

GPS Under Attack

The increasing frequency of attacks on GPS signals has been highlighted over several months by my colleague in the industry, Dana A. Goward, FRIN, President of the Resilient Navigation & Timing Foundation. In his LinkedIn posts and letters to the United States Government, Dana draws attention to the ease with which adversaries can not only jam but also spoof GPS signals. Spoofing a GPS signal can wrongly place a person or an asset in a different location or at the wrong time. This compromises Stratum 0 and, consequently, the victim’s internet and mobile service. This does not just cause business and daily life interruptions but also poses significant safety risks, particularly when we consider EMT, air and sea travel. The “CrowdStrike Moment” pales in comparison to what may transpire if GPS on a broad scale were compromised- at least we still had the internet and GPS when CrowdStrike updates bricked our endpoints!

A recent article from World Cargo News identifies PNT as essential to maritime operations, which is involved in 95% of international trade. PNT is also crucial for the smooth functioning of modern ports, illustrating our reliance on GPS and its services for all commerce.

PNT is Cyber- it is!

We MUST recognize PNT as a cyber issue in every domain. Nearly two years ago, Dana voiced his concern in a letter to the Deputy Homeland Security Advisor for Resilience & Response and the Acting National Cyber Director. He affirmed that US Government PNT policy is a national cybersecurity risk, with most of the burden placed on users. Dana recommended that federal networks and applications access multiple sources of timing, one of which must be authenticated and as independent of GPS timing signals as possible. He also suggested a national wireless and / or broadcast method as part of a National Time Architecture for sync with the ability to authenticate and continuously verify GPS-based information.

In Summary

We should consider our timing signals and their sources as integral parts of our cyber supply chain. We must review and assess all configurations in all system assets, consider potential operational scenarios and compensating measures in the event of a PNT/NTP attack. Now there’s some comedy for us all and a great tabletop exercise scenario!

Thanks to Dana A. Goward, FRIN for his support and guidance in writing this. Stephen M Dye is Principal at UpliftCyber- a small cyber security consultancy aimed at providing cyber security support services to SMBs. Stephen published his first book about GPS and how it works in 1997, and pioneered the use of GPS and GSM SMS texting for asset tracking in the USA.

LINK TO POST IN LINKEDIN