security vulnerabilities in ieee-1588 (ptpv2)
TRANSCRIPT
![Page 1: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/1.jpg)
John Houston [email protected]
Security Vulnerabilities in IEEE-1588 (PTPv2)
Marist College School of Computer Science and Mathematics
Poughkeepsie, NY 12601
Paul Wojciak [email protected]
Casimer DeCusatis [email protected]
William Kluge [email protected]
�1
![Page 2: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/2.jpg)
!2Kluge, DeCusatis, Wojciak, Houston
What’s the damage?• Manipulated bank records • Incorrect access to posts • Falsified logs
![Page 3: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/3.jpg)
!3Kluge, DeCusatis, Wojciak, Houston
PTP Environment
![Page 4: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/4.jpg)
!4Kluge, DeCusatis, Wojciak, Houston
PTP Environment
Real PTP Server
![Page 5: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/5.jpg)
!5Kluge, DeCusatis, Wojciak, Houston
PTP Environment
Real PTP Server
Real PTP Server
![Page 6: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/6.jpg)
!6Kluge, DeCusatis, Wojciak, Houston
PTP Environment
Real PTP Server
Real PTP Server
Any server
![Page 7: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/7.jpg)
!7Kluge, DeCusatis, Wojciak, Houston
PTP EnvironmentRoot privileges required
![Page 8: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/8.jpg)
!8Kluge, DeCusatis, Wojciak, Houston
Rouge Slave Software
Python Scapy
![Page 9: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/9.jpg)
!9Kluge, DeCusatis, Wojciak, Houston
PTP Packets - Announce
INTERNAL_OSCILLATORATOMIC_CLOCK GPS …
Accuracy_Unknown Accurate to within 25 ns…
Grandmaster Slaves
![Page 10: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/10.jpg)
!10Kluge, DeCusatis, Wojciak, Houston
PTP Packets - Sync and Follow-up
Grandmaster Slaves
![Page 11: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/11.jpg)
!11Kluge, DeCusatis, Wojciak, Houston
PTP Packets - Delay Request
Grandmaster Slaves
PTP Packets - Delay Response
Grandmaster Slaves
PTP’s security does not look at these. They are only for timing.
![Page 12: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/12.jpg)
!12Kluge, DeCusatis, Wojciak, Houston
PTP Packets - Delay Request
Grandmaster Slaves
PTP Packets - Delay Response
Grandmaster Slaves
PTP’s security does not look at these. They are only for timing.
We verified this by spoofing the correct delays.
![Page 13: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/13.jpg)
!13Kluge, DeCusatis, Wojciak, Houston
Typical PTP Interactions
Average Offset: -0.042 ns
Source IPDestination (multicast)
Sequence ID Message Type
![Page 14: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/14.jpg)
!14Kluge, DeCusatis, Wojciak, Houston
Attacks ReviewedAnnounce Denial of Service (DoS)
Master Spoof
Atomic Master Takeover*
Spam announce packets at the slave.
Pretend to be the actual grandmaster and send fake data to slaves.
Fake the entire PTP Process as a clock with an atomic time source.
*E. Itkin and A Wool, “A security analysis and revised security extension for the precision time protocol” - same attack, different results
![Page 15: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/15.jpg)
!15Kluge, DeCusatis, Wojciak, Houston
Announce DoS
Spoofed IP “Valid” Sequence IDs
Average Offset After Attack: -86.1 ms
Average Offset During Attack: 137.8 ms
![Page 16: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/16.jpg)
!16Kluge, DeCusatis, Wojciak, Houston
Announce DoS - Graph
Most of aftermath comes from this
Does stabilize
![Page 17: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/17.jpg)
!17Kluge, DeCusatis, Wojciak, Houston
Master Spoof
Sequence IDs mimic masterSpoofed IP
Average Offset After Attack: 1330.15 min
Average Offset During Attack: -23.83 min
![Page 18: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/18.jpg)
!18Kluge, DeCusatis, Wojciak, Houston
Master Spoof - Graph
Unable to recover
![Page 19: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/19.jpg)
!19Kluge, DeCusatis, Wojciak, Houston
The Disadvantage of DoS Style Attacks
Very obvious spikes and drops
![Page 20: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/20.jpg)
!20Kluge, DeCusatis, Wojciak, Houston
Atomic Master Takeover
Slave is communicating with fake master Full sync sequence
![Page 21: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/21.jpg)
!21Kluge, DeCusatis, Wojciak, Houston
Atomic Master Takeover - The Master Packet
Best time source
Extremely accurate
![Page 22: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/22.jpg)
!22Kluge, DeCusatis, Wojciak, Houston
Atomic Master Takeover - Graph
Average Offset After Attack: 148 ns
Average Offset During Attack: N/A Acts like packets are being dropped
![Page 23: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/23.jpg)
!23Kluge, DeCusatis, Wojciak, Houston
• Works great in ideal conditions
• Vulnerable
• Even basic attacks destroy integrity
• Unreliable
• Not always able to recover
• Useless log output under stress
• No field verification
The Current State of PTP
![Page 24: Security Vulnerabilities in IEEE-1588 (PTPv2)](https://reader034.vdocuments.us/reader034/viewer/2022042421/6260bd55d610fb70cf3865c6/html5/thumbnails/24.jpg)
!24Kluge, DeCusatis, Wojciak, Houston
Research to look forward to:
• Blank Packet DoS
• Directed Atomic Master Takeover
What’s next?