It’s Surprisingly Easy to Hack the Precision Time Protocol

The first attack the researchers developed relies on the packets that establish the master-slave hierarchy. To elect a master clock, each master-capable node multicasts ANNOUNCE messages advertising its clock quality, and the clock with the best quality is selected as the master (the grandmaster). The master then periodically multicasts SYNC messages carrying its timestamp to all slave nodes, which use them to correct their own clocks.

The researchers infiltrated the network by “sniffing” the ANNOUNCE and SYNC packets of the legitimate master clock. They then built a rogue master that generates copies of those ANNOUNCE and SYNC messages and flooded the slave clock with 292 such packets per second, overwhelming it. This is a denial-of-service attack.
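The following Python is an added example written for this page, not the researchers' code or the paper's tooling. It decodes the IEEE 1588-2008 (PTPv2) header fields a slave actually relies on and implements three passive checks a slave-side monitor could run against the traffic described above: SYNC messages arriving far faster than the master's advertised logMessageInterval, SYNC timestamps that run away from wall-clock arrival (the 30-second-plus offsets the researchers measured), and a second clockIdentity announcing itself as master in the same domain (the footprint of the evil-twin variant discussed further down). The frame builder, the clockIdentity, the timestamps and the two thresholds (10x the advertised rate, 1 s of drift) are constructed for the demo and are assumptions, not values from the study.

```python
import struct
from collections import defaultdict, deque

SYNC, ANNOUNCE = 0x0, 0xB       # messageType values (IEEE 1588-2008, Table 19)
HEADER_LEN = 34                 # PTPv2 common header


def build_ptp(msg_type, clock_id, seq, origin_secs, origin_ns=0, domain=0,
              log_interval=0, priority1=128, clock_class=6):
    """Build a PTPv2 Sync (44 bytes) or Announce (64 bytes) frame for the demo.

    Only the fields the monitor reads are meaningful; the rest hold typical values.
    """
    body = origin_secs.to_bytes(6, "big") + struct.pack(">I", origin_ns)  # originTimestamp
    if msg_type == ANNOUNCE:
        # currentUtcOffset, reserved, gmPriority1, gmClockQuality (clockClass,
        # clockAccuracy, offsetScaledLogVariance), gmPriority2, grandmasterIdentity,
        # stepsRemoved, timeSource
        body += struct.pack(">hxBBBHB8sHB", 37, priority1, clock_class, 0x21, 0xFFFF,
                            128, clock_id, 0, 0x20)
    control = 0x05 if msg_type == ANNOUNCE else 0x00
    # messageType, versionPTP, messageLength, domainNumber, reserved, flagField,
    # correctionField, reserved, sourcePortIdentity (clockIdentity, portNumber),
    # sequenceId, controlField, logMessageInterval
    header = struct.pack(">BBHBxHq4x8sHHBb", msg_type, 2, HEADER_LEN + len(body), domain,
                         0, 0, clock_id, 1, seq, control, log_interval)
    return header + body


def parse_ptp(frame):
    """Decode the header fields the monitor needs, plus the Announce grandmaster data."""
    clock_id, _port, seq, _control, log_interval = struct.unpack_from(">8sHHBb", frame, 20)
    secs = int.from_bytes(frame[34:40], "big")
    nanos = struct.unpack_from(">I", frame, 40)[0]
    msg = {"type": frame[0] & 0x0F, "domain": frame[4], "clock_id": clock_id,
           "seq": seq, "log_interval": log_interval, "origin": secs + nanos / 1e9}
    if msg["type"] == ANNOUNCE:
        _utc, p1, cls, _acc, _var, _p2, gm = struct.unpack_from(">hxBBBHB8s", frame, 44)
        msg.update(priority1=p1, clock_class=cls, gm_identity=gm)
    return msg


class PtpMonitor:
    """Passive slave-side checks. Both thresholds are assumptions of this example."""

    def __init__(self, flood_factor=10, max_jump_s=1.0):
        self.flood_factor = flood_factor        # tolerated multiple of the advertised Sync rate
        self.max_jump_s = max_jump_s            # tolerated origin-vs-arrival drift between Syncs
        self.masters = {}                       # domain -> clockIdentity of the first Announce seen
        self.arrivals = defaultdict(deque)      # clockIdentity -> Sync arrival times, last second
        self.last_sync = {}                     # clockIdentity -> (arrival, originTimestamp)
        self.alerts = []

    def observe(self, frame, arrival):
        msg = parse_ptp(frame)
        cid = msg["clock_id"]
        if msg["type"] == ANNOUNCE:
            # A second identity announcing in the same domain is the evil-twin footprint.
            if self.masters.setdefault(msg["domain"], cid) != cid:
                self.alerts.append(("second_master", cid.hex()))
        elif msg["type"] == SYNC:
            window = self.arrivals[cid]
            window.append(arrival)
            while arrival - window[0] > 1.0:
                window.popleft()
            expected_per_s = 2.0 ** -msg["log_interval"]   # Sync interval is 2**logMessageInterval s
            if len(window) > self.flood_factor * expected_per_s:
                self.alerts.append(("sync_flood", len(window)))
            if cid in self.last_sync:
                prev_arrival, prev_origin = self.last_sync[cid]
                drift = (msg["origin"] - prev_origin) - (arrival - prev_arrival)
                if abs(drift) > self.max_jump_s:
                    self.alerts.append(("time_jump", round(drift, 3)))
            self.last_sync[cid] = (arrival, msg["origin"])
        return msg


def run_demo():
    """Constructed traffic: one honest master at 1 Sync/s, then a rogue that copies
    its identity and blasts 292 Syncs with runaway timestamps within one second."""
    legit = bytes.fromhex("001b19fffe000001")        # constructed clockIdentity
    t0 = 1_700_000_000.0
    mon = PtpMonitor()
    mon.observe(build_ptp(ANNOUNCE, legit, 0, int(t0)), t0)
    for i in range(3):
        mon.observe(build_ptp(SYNC, legit, i, int(t0) + i), t0 + i)
    clean = list(mon.alerts)                           # alerts raised by honest traffic alone
    for i in range(292):
        arrival = t0 + 3 + i / 292
        forged = build_ptp(SYNC, legit, 100 + i, int(t0) + 3 + 30 * i)  # +30 s per frame
        mon.observe(forged, arrival)
    return clean, {kind for kind, _ in mon.alerts}


if __name__ == "__main__":
    print(run_demo())
```

Run stand-alone it prints an empty list for the honest phase and the set {'sync_flood', 'time_jump'} for the flood. The monitor is deliberately passive: it does not change how the slave servo disciplines its clock, it only tells an operator that the SYNC stream no longer looks like what the master advertised, which is the point at which the slave should stop trusting it.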

“This attack was very effective at generating incorrect timing values,” says Casimer DeCusatis, a researcher at Marist College involved in the study. “It took only 37 seconds, including time to sniff packets, for the slave timing offset and slave clock frequency to change by 30 seconds or more… The maximum offset we observed in all our testing from this type of attack was over 48 years.”

He notes that the slave was unable to recover from this kind of attack, even when the researchers left the network running for more than an hour after the attack ended. DeCusatis says, “Since many applications will be disrupted by much smaller discrepancies in timing, this attack can significantly impact the PTP network.”

What’s worrisome is that this type of attack would be fairly easy to execute. DeCusatis points out that it wasn’t necessary to know the clock ID or IP address of the slave, nor to disrupt communication between the grandmaster and the target slave. He says the code used to send the fake packets can easily fit on a USB key.

In a more complicated approach, the team shows it is also possible to hijack a PTP network by creating an evil twin of the master clock that takes control of the timing network. Since slaves follow whichever clock announces the best quality, such a twin wins the master election by advertising better clock parameters than the legitimate grandmaster, after which the slaves discipline themselves to its timestamps.

DeCusatis says there are several ways to address these issues. One is to construct the master’s clock ID from its network address and give slaves a way to verify that the two match, so that a rogue clock cannot borrow the master’s identity from another address. Another is to give each packet a unique identifier that the slave can verify, so that replayed or injected copies are rejected.
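An added illustration of both suggestions, written for this page rather than taken from the researchers' work. The first check relies on a fact of the standard: IEEE 1588-2008 derives a port's default clockIdentity from its MAC address by expanding the EUI-48 to an EUI-64 (inserting FF FE in the middle), so a slave can compare the clockIdentity in a frame's sourcePortIdentity with the identity the sending MAC would produce. The second check treats the 16-bit sequenceId as the per-packet identifier and, as an assumption of this example, adds an HMAC trailer under a key shared between master and slave so that copies and forgeries fail; base PTPv2 has no such field (later revisions of the standard added an optional authentication TLV for this purpose). The key, MAC addresses, header skeleton and the 16-byte tag length are all constructed for the demo.

```python
import hashlib
import hmac
import struct


def clock_identity_from_mac(mac):
    """Default clockIdentity of IEEE 1588-2008: the port's EUI-48 MAC expanded to an
    EUI-64 by inserting FF FE in the middle (00:1b:19:00:00:01 -> 001b19fffe000001)."""
    if len(mac) != 6:
        raise ValueError("expected a 6-byte MAC address")
    return mac[:3] + b"\xff\xfe" + mac[3:]


def source_identity_matches(frame, src_mac):
    """sourcePortIdentity.clockIdentity sits at header bytes 20..27; it must equal the
    identity the sending MAC would produce."""
    return frame[20:28] == clock_identity_from_mac(src_mac)


def header_skeleton(clock_id, seq):
    """34-byte PTPv2 header with only clockIdentity, portNumber and sequenceId filled in
    (constructed for this demo), followed by a zeroed 10-byte originTimestamp."""
    return bytes(20) + clock_id + struct.pack(">HH", 1, seq) + bytes(2) + bytes(10)


class AuthenticatingSlave:
    """Accept a frame only if (1) its clockIdentity matches the source MAC, (2) its
    HMAC tag verifies under the key shared with the master and (3) its sequenceId is
    ahead of the last accepted one, so replayed copies are dropped."""
    TAG_LEN = 16

    def __init__(self, key):
        self.key = key
        self.last_seq = {}      # clockIdentity -> last accepted sequenceId

    def tag(self, frame):
        """What the master appends to each frame (assumed trailer, not a standard PTP field)."""
        return hmac.new(self.key, frame, hashlib.sha256).digest()[: self.TAG_LEN]

    def accept(self, frame, tag, src_mac):
        if not source_identity_matches(frame, src_mac):
            return False, "clockIdentity does not match source MAC"
        if not hmac.compare_digest(self.tag(frame), tag):
            return False, "bad authentication tag"
        cid = frame[20:28]
        seq = struct.unpack_from(">H", frame, 30)[0]
        last = self.last_seq.get(cid)
        # sequenceId is 16 bits and wraps; "ahead" means within the next half-range
        if last is not None and not 0 < (seq - last) % 0x10000 < 0x8000:
            return False, "replayed or stale sequenceId"
        self.last_seq[cid] = seq
        return True, "accepted"


def run_demo():
    """Constructed scenario: one genuine frame, a sniffed copy replayed twice (from the
    master's MAC and from the attacker's), a forgery without the key, then the next
    genuine frame."""
    key = b"constructed-demo-key"                      # shared master/slave key (assumption)
    master_mac = bytes.fromhex("001b19000001")         # constructed
    attacker_mac = bytes.fromhex("0a0b0c0d0e0f")       # constructed
    master_id = clock_identity_from_mac(master_mac)
    slave = AuthenticatingSlave(key)
    results = []
    f1 = header_skeleton(master_id, 1)
    results.append(slave.accept(f1, slave.tag(f1), master_mac))      # genuine
    results.append(slave.accept(f1, slave.tag(f1), master_mac))      # sniffed copy, replayed
    results.append(slave.accept(f1, slave.tag(f1), attacker_mac))    # copy sent from attacker's NIC
    f2 = header_skeleton(master_id, 2)
    results.append(slave.accept(f2, bytes(16), master_mac))          # forged frame, no key
    results.append(slave.accept(f2, slave.tag(f2), master_mac))      # next genuine frame
    return results


if __name__ == "__main__":
    for accepted, reason in run_demo():
        print(accepted, reason)
```

Two caveats a deployer would want. The MAC check only helps where the attacker cannot also spoof the layer-2 source, for example on switch ports with port security; against an attacker who can, the keyed tag is what actually stops injection, and the sequence check is what stops the replay flood described earlier, since every sniffed copy carries a sequenceId the slave has already accepted. Key distribution is the hard part and is outside what the article discusses.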

Source: IEEE Spectrum Computing