research-article

White Rabbit in Mobile: Effect of Unsecured Clock Source in Smartphones

Authors:
Shinjo Park

Technische Universität Berlin / Telekom Innovation Laboratories, Berlin, Germany

Technische Universität Berlin / Telekom Innovation Laboratories, Berlin, Germany
View Profile

,
Altaf Shaik

Technische Universität Berlin / Telekom Innovation Laboratories, Berlin, Germany

Technische Universität Berlin / Telekom Innovation Laboratories, Berlin, Germany
View Profile

,
Ravishankar Borgaonkar

Oxford University, London, United Kingdom

Oxford University, London, United Kingdom
View Profile

,
Jean-Pierre Seifert

Technische Universität Berlin / Telekom Innovation Laboratories, Berlin, Germany

Technische Universität Berlin / Telekom Innovation Laboratories, Berlin, Germany
View Profile

SPSM '16: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile DevicesOctober 2016Pages 13–21https://doi.org/10.1145/2994459.2994465

Published:24 October 2016Publication History

SPSM '16: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices

Pages 13–21

ABSTRACT

With its high penetration rate and relatively good clock accuracy, smartphones are replacing watches in several market segments. Modern smartphones have more than one clock source to complement each other: NITZ (Network Identity and Time Zone), NTP (Network Time Protocol), and GNSS (Global Navigation Satellite System) including GPS. NITZ information is delivered by the cellular core network, indicating the network name and clock information. NTP provides a facility to synchronize the clock with a time server. Among these clock sources, only NITZ and NTP are updated without user interaction, as location services require manual activation. In this paper, we analyze security aspects of these clock sources and their impact on security features of modern smartphones. In particular, we investigate NITZ and NTP procedures over cellular networks (2G, 3G and 4G) and Wi-Fi communication respectively. Furthermore, we analyze several European, Asian, and American cellular networks from NITZ perspective. We identify three classes of vulnerabilities: specification issues in a cellular protocol, configurational issues in cellular network deployments, and implementation issues in different mobile OS's. We demonstrate how an attacker with low cost setup can spoof NITZ and NTP messages to cause Denial of Service attacks. Finally, we propose methods for securely synchronizing the clock on smartphones.

References

Carrier.plist - The iPhone Wiki. https://www.theiphonewiki.com/wiki/Carrier.plist.Google Scholar
Issue 16899: Year 2038 problem - Android Open Source Project Issue Tracker. https://code.google.com/p/android/issues/detail?id=16899.Google Scholar
pool.ntp.org project : the internet cluster of ntp servers. http://www.pool.ntp.org/en/.Google Scholar
The iPhone Apocalypse: January 19, 2038 - MacRumors Forums. http://forums.macrumors.com/threads/the-iphone-apocalypse-january-19--2038.1943912/.Google Scholar
CVE-2016--3831. Available from MITRE, CVE-ID CVE-2016--3831., 2016.Google Scholar
3GPP. 3G security; Security architecture. TS 33.102, 3rd Generation Partnership Project (3GPP).Google Scholar
3GPP. 3GPP System Architecture Evolution (SAE); Security architecture. TS 33.401, 3rd Generation Partnership Project (3GPP).Google Scholar
3GPP. Digital cellular telecommunications system (Phase 2+); Security aspects. TS 42.009, 3rd Generation Partnership Project (3GPP).Google Scholar
3GPP. Mobile radio interface Layer 3 specification; Core network protocols; Stage 3. TS 24.008, 3rd Generation Partnership Project (3GPP).Google Scholar
3GPP. Network Identity and TimeZone (NITZ); Service description; Stage 1. TS 22.042, 3rd Generation Partnership Project (3GPP).Google Scholar
3GPP. Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3. TS 24.301, 3rd Generation Partnership Project (3GPP).Google Scholar
3GPP. Technical realization of the Short Message Service (SMS). TS 23.040, 3rd Generation Partnership Project (3GPP).Google Scholar
B. Alecu. SMS Fuzzing - SIM Toolkit Attack. DEF CON 21, 2013.Google Scholar
AndroidCentral.com. Automatic time zone and date/clock are wrong. http://forums.androidcentral.com/htc-one-m7/291916-automatic-time-zone-date-clock-wrong.html.Google Scholar
Apple Inc. Major 64-Bit Changes - iOS Developer Library. https://developer.apple.com/library/ios/documentation/General/Conceptual/CocoaTouch64BitGuide/Major64-BitChanges/Major64-BitChanges.html.Google Scholar
Apple Inc. Using Network Securely - iOS Developer Library. https://developer.apple.com/library/ios/documentation/NetworkingInternetWeb/Conceptual/NetworkingOverview/SecureNetworking/SecureNetworking.html.Google Scholar
Apple Support. If you changed the date to May 1970 or earlier and can't restart your iPhone, iPad, or iPod touch. https://support.apple.com/en-us/HT205248.Google Scholar
BlackBerry Limited. Clock and timer services - Native SDK for BlackBerry 10. https://developer.blackberry.com/native/documentation/dev/rtos/arch/kernel_clockandtimer.html.Google Scholar
BlackBerry Limited. When traveling between time zones the BlackBerry smartphone does not automatically update to local time. http://support.blackberry.com/kb/articleDetail?ArticleNumber=000010323.Google Scholar
R. Borgaonkar, K. Redon, and J.-P. Seifert. Security analysis of a femtocell device. In Proceedings of the 4th International Conference on Security of Information and Networks, SIN '11, pages 95--102, New York, NY, USA, 2011. ACM. Google ScholarDigital Library
Bruce Perens et al. BusyBox. https://busybox.net/about.html.Google Scholar
Cinterion Wireless Modules. BGS2-E AT Command Specification.Google Scholar
J. Czyz, M. Kallitsis, M. Gharaibeh, C. Papadopoulos, M. Bailey, and M. Karir. Taming the 800 Pound Gorilla: The Rise and Decline of NTP DDoS Attacks. In Proceedings of the 2014 Conference on Internet Measurement Conference, IMC '14. ACM, 2014. Google ScholarDigital Library
B. Dowling, D. Stebila, and G. Zaverucha. Authenticated network time synchronization. IACR Cryptology ePrint Archive, 2015:171, 2015.Google Scholar
D. Goodin. New DoS attacks taking down game sites deliver crippling 100Gbps floods. http://arstechnica.com/security/2014/01/new-dos-attacks-taking-down-game-sites-deliver-crippling-100-gbps-floods/.Google Scholar
Google Inc. Android Security Bulletin--August 2016. https://source.android.com/security/bulletin/2016-08-01.html.Google Scholar
Google Inc. config.xml. https://android.googlesource.com/platform/frameworks/base/master/core/res/res/values/config.xml.Google Scholar
Google Inc. GsmServiceStateTracker.java. https://android.googlesource.com/platform/frameworks/opt/telephony/master/src/java/com/android/internal/telephony/gsm/GsmServiceStateTracker.java.Google Scholar
Google Inc. NetworkTimeUpdateService.java. https://android.googlesource.com/platform/frameworks/base.git/master/services/core/java/com/android/server/NetworkTimeUpdateService.java.Google Scholar
Google Inc. Security with HTTPS and SSL - Android Developers. http://developer.android.com/training/articles/security-ssl.html.Google Scholar
GSMA. Official Document IR.92 - IMS Profile for Voice and SMS.Google Scholar
P. Kelley and M. Harrigan. iOS 1970 Vulnerability Leads to Remote Bricking of Phones Over The Air. https://www.youtube.com/watch?v=zivWTwOjEME.Google Scholar
J. Klein. Becoming a Time Lord: Implications of Attacking Time Sources. Shmoocon FireTalks 2013, 2013.Google Scholar
D. F. Kune, J. Kölndorfer, N. Hopper, and Y. Kim. Location leaks over the GSM air interface. 19th Annual Network and Distributed System Security Symposium, NDSS 2012, San Diego, California, USA, February 5--8, 2012, 2012.Google Scholar
A. Malhotra, I. E. Cohen, E. Brakke, and S. Goldberg. Attacking the Network Time Protocol. In 23rd Annual Network and Distributed System Security Symposium, NDSS 2016, 2016.Google Scholar
Microsoft. EnableAutomaticTime - Windows 10 hardware dev. https://msdn.microsoft.com/en-us/library/windows/hardware/mt502640(v=vs.85).aspx.Google Scholar
Microsoft. FILETIME structure - Windows Dev Center. https://msdn.microsoft.com/en-us/library/windows/desktop/ms724284%28v=vs.85%29.aspx.Google Scholar
Microsoft. NTPEnabled - Windows 10 hardware dev. https://msdn.microsoft.com/en-us/library/windows/hardware/mt157027(v=vs.85).aspx.Google Scholar
Microsoft. SYSTEMTIME structure - Windows Dev Center. https://msdn.microsoft.com/en-us/library/windows/desktop/ms724950%28v=vs.85%29.aspx.Google Scholar
D. Mills. Network Time Protocol (Version 3) Specification, Implementation and Analysis. RFC 1305 (Draft Standard), Mar. 1992. Obsoleted by RFC 5905. Google ScholarDigital Library
D. Mills, J. Martin, J. Burbank, and W. Kasch. Network Time Protocol Version 4: Protocol and Algorithms Specification. RFC 5905 (Proposed Standard), June 2010.Google Scholar
C. Mulliner, N. Golde, and J.-P. Seifert. SMS of Death: from analyzing to attacking mobile phones on a large scale. USENIX Security, 2011. Google ScholarDigital Library
S. Musil. Smartwatches now more popular than Swiss watches, thanks to Apple. CNET, 2016.Google Scholar
National Institute of Standards and Technology. The NIST Authenticated NTP Service. http://www.nist.gov/pml/div688/grp40/auth-ntp.cfm.Google Scholar
Naval Meteorology and Oceanography Command. Authenticated NTP - DoD Customers. http://www.usno.navy.mil/USNO/time/ntp/dod-customers.Google Scholar
M. Prince. Technical Details Behind a 400Gbps NTP Amplification DDoS Attack. https://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/.Google Scholar
Range Networks. OpenBTS. http://openbts.org/.Google Scholar
Range Networks. OpenBTS-UMTS. http://openbts.org/w/index.php?title=OpenBTS-UMTS.Google Scholar
S. Röttger. Finding and exploiting ntpd vulnerabilities. http://googleprojectzero.blogspot.de/2015/01/finding-and-exploiting-ntpd.html.Google Scholar
Samsung. Mobile Enterprise Security -- Samsung Knox. https://www.samsungknox.com/en.Google Scholar
A. Shaik, R. Borgaonkar, N. Asokan, V. Niemi, and J.-P. Seifert. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. In 23rd Annual Network and Distributed System Security Symposium, NDSS San Diego, California, USA, February 21--24, 2016, 2016.Google ScholarCross Ref
Shao Hang Kao. Bug 874771 - Implement SNTP support (Gecko end). https://hg.mozilla.org/mozilla-central/rev/fb5ba2a8e039.Google Scholar
Z. Straley. Don't set your iPhone's date to January 1, 1970! The fastest trick to BRICK an iPhone! https://www.youtube.com/watch?v=fY-ahR1R6IE.Google Scholar
N. O. Tippenhauer, C. Pöpper, K. B. Rasmussen, and S. Capkun. On the Requirements for Successful GPS Spoofing Attacks. In Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS, 2011. Google ScholarDigital Library
R.-P. Weinmann. Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. USENIX Workshop on Offensive Technologies, 2012. Google ScholarDigital Library
B. Wojtowicz. OpenLTE. https://sourceforge.net/projects/openlte/.Google Scholar
Y. Zheng and H. Shan. Time is On My Side: Forging a Wireless Time Signal to Attack NTP Servers. HITB 2016 Amsterdam, 2016.Google Scholar

Index Terms

White Rabbit in Mobile: Effect of Unsecured Clock Source in Smartphones
1. Security and privacy
  1. Network security
    1. Denial-of-service attacks
    2. Mobile and wireless security
  2. Systems security
    1. Operating systems security
      1. Mobile platform security

Recommendations

A Hybrid Approach for Synchronizing Clocks in Distributed Systems
Cloud Computing – CLOUD 2019
Abstract
The art of synchronizing clocks across a wide area network has got a new dimension when it comes to the reality of achieving the demand for high-accuracy synchronization; even for local or small computing systems. Before implementing any clock ...
Read More
RFC 4330: Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI
Read More
Analyses of ping-pong handovers in real 4G telecommunication networks
Abstract
The last decade has been characterized by a rapid increase in the usage of mobile communications. One of the main aspects of mobile communications is mobility. This means that mobile phones have to switch between base station cells in order to ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SPSM '16: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices
October 2016
130 pages
ISBN:9781450345644
DOI:10.1145/2994459
Program Chairs:
Long Lu
Stony Brook University
,
Mohammad Mannan
Concordia University
Copyright © 2016 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 24 October 2016
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
NTP
baseband
cellular network
clock
nitz
timekeeping
Qualifiers
- research-article
Conference

Acceptance Rates
SPSM '16 Paper Acceptance Rate13of31submissions,42%Overall Acceptance Rate46of139submissions,33%
More
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 10
  Total Citations
  View Citations
- 335
  Total Downloads
- Downloads (Last 12 months)18
- Downloads (Last 6 weeks)3
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

White Rabbit in Mobile: Effect of Unsecured Clock Source in Smartphones

SPSM '16: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices

ABSTRACT

References

Cited By

Index Terms

Recommendations

A Hybrid Approach for Synchronizing Clocks in Distributed Systems

RFC 4330: Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI

Analyses of ping-pong handovers in real 4G telecommunication networks