ABSTRACT
With its high penetration rate and relatively good clock accuracy, smartphones are replacing watches in several market segments. Modern smartphones have more than one clock source to complement each other: NITZ (Network Identity and Time Zone), NTP (Network Time Protocol), and GNSS (Global Navigation Satellite System) including GPS. NITZ information is delivered by the cellular core network, indicating the network name and clock information. NTP provides a facility to synchronize the clock with a time server. Among these clock sources, only NITZ and NTP are updated without user interaction, as location services require manual activation. In this paper, we analyze security aspects of these clock sources and their impact on security features of modern smartphones. In particular, we investigate NITZ and NTP procedures over cellular networks (2G, 3G and 4G) and Wi-Fi communication respectively. Furthermore, we analyze several European, Asian, and American cellular networks from NITZ perspective. We identify three classes of vulnerabilities: specification issues in a cellular protocol, configurational issues in cellular network deployments, and implementation issues in different mobile OS's. We demonstrate how an attacker with low cost setup can spoof NITZ and NTP messages to cause Denial of Service attacks. Finally, we propose methods for securely synchronizing the clock on smartphones.
- Carrier.plist - The iPhone Wiki. https://www.theiphonewiki.com/wiki/Carrier.plist.Google Scholar
- Issue 16899: Year 2038 problem - Android Open Source Project Issue Tracker. https://code.google.com/p/android/issues/detail?id=16899.Google Scholar
- pool.ntp.org project : the internet cluster of ntp servers. http://www.pool.ntp.org/en/.Google Scholar
- The iPhone Apocalypse: January 19, 2038 - MacRumors Forums. http://forums.macrumors.com/threads/the-iphone-apocalypse-january-19--2038.1943912/.Google Scholar
- CVE-2016--3831. Available from MITRE, CVE-ID CVE-2016--3831., 2016.Google Scholar
- 3GPP. 3G security; Security architecture. TS 33.102, 3rd Generation Partnership Project (3GPP).Google Scholar
- 3GPP. 3GPP System Architecture Evolution (SAE); Security architecture. TS 33.401, 3rd Generation Partnership Project (3GPP).Google Scholar
- 3GPP. Digital cellular telecommunications system (Phase 2+); Security aspects. TS 42.009, 3rd Generation Partnership Project (3GPP).Google Scholar
- 3GPP. Mobile radio interface Layer 3 specification; Core network protocols; Stage 3. TS 24.008, 3rd Generation Partnership Project (3GPP).Google Scholar
- 3GPP. Network Identity and TimeZone (NITZ); Service description; Stage 1. TS 22.042, 3rd Generation Partnership Project (3GPP).Google Scholar
- 3GPP. Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3. TS 24.301, 3rd Generation Partnership Project (3GPP).Google Scholar
- 3GPP. Technical realization of the Short Message Service (SMS). TS 23.040, 3rd Generation Partnership Project (3GPP).Google Scholar
- B. Alecu. SMS Fuzzing - SIM Toolkit Attack. DEF CON 21, 2013.Google Scholar
- AndroidCentral.com. Automatic time zone and date/clock are wrong. http://forums.androidcentral.com/htc-one-m7/291916-automatic-time-zone-date-clock-wrong.html.Google Scholar
- Apple Inc. Major 64-Bit Changes - iOS Developer Library. https://developer.apple.com/library/ios/documentation/General/Conceptual/CocoaTouch64BitGuide/Major64-BitChanges/Major64-BitChanges.html.Google Scholar
- Apple Inc. Using Network Securely - iOS Developer Library. https://developer.apple.com/library/ios/documentation/NetworkingInternetWeb/Conceptual/NetworkingOverview/SecureNetworking/SecureNetworking.html.Google Scholar
- Apple Support. If you changed the date to May 1970 or earlier and can't restart your iPhone, iPad, or iPod touch. https://support.apple.com/en-us/HT205248.Google Scholar
- BlackBerry Limited. Clock and timer services - Native SDK for BlackBerry 10. https://developer.blackberry.com/native/documentation/dev/rtos/arch/kernel_clockandtimer.html.Google Scholar
- BlackBerry Limited. When traveling between time zones the BlackBerry smartphone does not automatically update to local time. http://support.blackberry.com/kb/articleDetail?ArticleNumber=000010323.Google Scholar
- R. Borgaonkar, K. Redon, and J.-P. Seifert. Security analysis of a femtocell device. In Proceedings of the 4th International Conference on Security of Information and Networks, SIN '11, pages 95--102, New York, NY, USA, 2011. ACM. Google ScholarDigital Library
- Bruce Perens et al. BusyBox. https://busybox.net/about.html.Google Scholar
- Cinterion Wireless Modules. BGS2-E AT Command Specification.Google Scholar
- J. Czyz, M. Kallitsis, M. Gharaibeh, C. Papadopoulos, M. Bailey, and M. Karir. Taming the 800 Pound Gorilla: The Rise and Decline of NTP DDoS Attacks. In Proceedings of the 2014 Conference on Internet Measurement Conference, IMC '14. ACM, 2014. Google ScholarDigital Library
- B. Dowling, D. Stebila, and G. Zaverucha. Authenticated network time synchronization. IACR Cryptology ePrint Archive, 2015:171, 2015.Google Scholar
- D. Goodin. New DoS attacks taking down game sites deliver crippling 100Gbps floods. http://arstechnica.com/security/2014/01/new-dos-attacks-taking-down-game-sites-deliver-crippling-100-gbps-floods/.Google Scholar
- Google Inc. Android Security Bulletin--August 2016. https://source.android.com/security/bulletin/2016-08-01.html.Google Scholar
- Google Inc. config.xml. https://android.googlesource.com/platform/frameworks/base/master/core/res/res/values/config.xml.Google Scholar
- Google Inc. GsmServiceStateTracker.java. https://android.googlesource.com/platform/frameworks/opt/telephony/master/src/java/com/android/internal/telephony/gsm/GsmServiceStateTracker.java.Google Scholar
- Google Inc. NetworkTimeUpdateService.java. https://android.googlesource.com/platform/frameworks/base.git/master/services/core/java/com/android/server/NetworkTimeUpdateService.java.Google Scholar
- Google Inc. Security with HTTPS and SSL - Android Developers. http://developer.android.com/training/articles/security-ssl.html.Google Scholar
- GSMA. Official Document IR.92 - IMS Profile for Voice and SMS.Google Scholar
- P. Kelley and M. Harrigan. iOS 1970 Vulnerability Leads to Remote Bricking of Phones Over The Air. https://www.youtube.com/watch?v=zivWTwOjEME.Google Scholar
- J. Klein. Becoming a Time Lord: Implications of Attacking Time Sources. Shmoocon FireTalks 2013, 2013.Google Scholar
- D. F. Kune, J. Kölndorfer, N. Hopper, and Y. Kim. Location leaks over the GSM air interface. 19th Annual Network and Distributed System Security Symposium, NDSS 2012, San Diego, California, USA, February 5--8, 2012, 2012.Google Scholar
- A. Malhotra, I. E. Cohen, E. Brakke, and S. Goldberg. Attacking the Network Time Protocol. In 23rd Annual Network and Distributed System Security Symposium, NDSS 2016, 2016.Google Scholar
- Microsoft. EnableAutomaticTime - Windows 10 hardware dev. https://msdn.microsoft.com/en-us/library/windows/hardware/mt502640(v=vs.85).aspx.Google Scholar
- Microsoft. FILETIME structure - Windows Dev Center. https://msdn.microsoft.com/en-us/library/windows/desktop/ms724284%28v=vs.85%29.aspx.Google Scholar
- Microsoft. NTPEnabled - Windows 10 hardware dev. https://msdn.microsoft.com/en-us/library/windows/hardware/mt157027(v=vs.85).aspx.Google Scholar
- Microsoft. SYSTEMTIME structure - Windows Dev Center. https://msdn.microsoft.com/en-us/library/windows/desktop/ms724950%28v=vs.85%29.aspx.Google Scholar
- D. Mills. Network Time Protocol (Version 3) Specification, Implementation and Analysis. RFC 1305 (Draft Standard), Mar. 1992. Obsoleted by RFC 5905. Google ScholarDigital Library
- D. Mills, J. Martin, J. Burbank, and W. Kasch. Network Time Protocol Version 4: Protocol and Algorithms Specification. RFC 5905 (Proposed Standard), June 2010.Google Scholar
- C. Mulliner, N. Golde, and J.-P. Seifert. SMS of Death: from analyzing to attacking mobile phones on a large scale. USENIX Security, 2011. Google ScholarDigital Library
- S. Musil. Smartwatches now more popular than Swiss watches, thanks to Apple. CNET, 2016.Google Scholar
- National Institute of Standards and Technology. The NIST Authenticated NTP Service. http://www.nist.gov/pml/div688/grp40/auth-ntp.cfm.Google Scholar
- Naval Meteorology and Oceanography Command. Authenticated NTP - DoD Customers. http://www.usno.navy.mil/USNO/time/ntp/dod-customers.Google Scholar
- M. Prince. Technical Details Behind a 400Gbps NTP Amplification DDoS Attack. https://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/.Google Scholar
- Range Networks. OpenBTS. http://openbts.org/.Google Scholar
- Range Networks. OpenBTS-UMTS. http://openbts.org/w/index.php?title=OpenBTS-UMTS.Google Scholar
- S. Röttger. Finding and exploiting ntpd vulnerabilities. http://googleprojectzero.blogspot.de/2015/01/finding-and-exploiting-ntpd.html.Google Scholar
- Samsung. Mobile Enterprise Security -- Samsung Knox. https://www.samsungknox.com/en.Google Scholar
- A. Shaik, R. Borgaonkar, N. Asokan, V. Niemi, and J.-P. Seifert. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. In 23rd Annual Network and Distributed System Security Symposium, NDSS San Diego, California, USA, February 21--24, 2016, 2016.Google ScholarCross Ref
- Shao Hang Kao. Bug 874771 - Implement SNTP support (Gecko end). https://hg.mozilla.org/mozilla-central/rev/fb5ba2a8e039.Google Scholar
- Z. Straley. Don't set your iPhone's date to January 1, 1970! The fastest trick to BRICK an iPhone! https://www.youtube.com/watch?v=fY-ahR1R6IE.Google Scholar
- N. O. Tippenhauer, C. Pöpper, K. B. Rasmussen, and S. Capkun. On the Requirements for Successful GPS Spoofing Attacks. In Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS, 2011. Google ScholarDigital Library
- R.-P. Weinmann. Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. USENIX Workshop on Offensive Technologies, 2012. Google ScholarDigital Library
- B. Wojtowicz. OpenLTE. https://sourceforge.net/projects/openlte/.Google Scholar
- Y. Zheng and H. Shan. Time is On My Side: Forging a Wireless Time Signal to Attack NTP Servers. HITB 2016 Amsterdam, 2016.Google Scholar
Index Terms
- White Rabbit in Mobile: Effect of Unsecured Clock Source in Smartphones
Recommendations
A Hybrid Approach for Synchronizing Clocks in Distributed Systems
Cloud Computing – CLOUD 2019AbstractThe art of synchronizing clocks across a wide area network has got a new dimension when it comes to the reality of achieving the demand for high-accuracy synchronization; even for local or small computing systems. Before implementing any clock ...
Analyses of ping-pong handovers in real 4G telecommunication networks
AbstractThe last decade has been characterized by a rapid increase in the usage of mobile communications. One of the main aspects of mobile communications is mobility. This means that mobile phones have to switch between base station cells in order to ...
Comments