White Rabbit in Mobile: Effect of Unsecured Clock Source in

Shinjo Park Altaf Shaik Ravishankar Borgaonkar TU Berlin & Telekom TU Berlin & Telekom Oxford University Innovation Laboratories Innovation Laboratories [email protected] [email protected] [email protected] berlin.de berlin.de Jean-Pierre Seifert TU Berlin & Telekom Innovation Laboratories [email protected] berlin.de

ABSTRACT 1. INTRODUCTION With its high penetration rate and relatively good clock ac- The convergence towards smartphones, and the new mar- curacy, smartphones are replacing watches in several market ket opened by wearables integrated several devices into segments. Modern smartphones have more than one clock them, including wrist watches. According to CNET, the source to complement each other: NITZ (Network Identity popularity of smart watches negatively affected the sales of and ), NTP (), and GNSS traditional wrist watches [43]. Like wrist watches, they are (Global Navigation Satellite System) including GPS. NITZ designed to be carried every day, providing accurate time in- information is delivered by the cellular core network, indi- formation. While watches require manual adjustment when cating the network name and clock information. NTP pro- the battery has been changed or when there is a change vides a facility to synchronize the clock with a time server. regarding DST ()1, smartphones au- Among these clock sources, only NITZ and NTP are up- tomatically retrieve current time information from multiple dated without user interaction, as location services require sources and propagate it to connected wearables like smart manual activation. watches. Moreover, a clock mismatch or a DST adjustment In this paper, we analyze security aspects of these clock is automatically corrected in the by periodic sources and their impact on security features of modern clock synchronizations. In contrast, watches require manual smartphones. In particular, we investigate NITZ and NTP adjustment when the same happens. procedures over cellular networks (, and 4G) and Wi- Today’s smartphones obtain clock2 information from mul- Fi communication respectively. Furthermore, we analyze tiple sources and interfaces. Smartphones without Internet several European, Asian, and American cellular networks connectivity can use cellular network provided NITZ (Net- from NITZ perspective. We identify three classes of vulner- work Identity and Time Zone) information, and Internet- abilities: specification issues in a cellular protocol, configu- capable smartphones can synchronize clock information over rational issues in cellular network deployments, and imple- the Internet using protocols like NTP (Network Time Pro- mentation issues in different mobile OS’s. We demonstrate tocol). Other integrated devices like GNSS (Global Navi- how an attacker with low cost setup can spoof NITZ and gation Satellite System, including GPS and GLONASS) are NTP messages to cause Denial of Service attacks. Finally, also capable of providing clock information. It is up to the we propose methods for securely synchronizing the clock on smartphone manufacturers and OS () de- smartphones. velopers’ policy to utilize and assign priorities to each clock source. Besides smartphones, M2M (Machine to Machine) and IoT (Internet of Things) devices also rely on these clock sources [22]. Keywords When the “Automatic clock update” is enabled in mobile baseband; NITZ; NTP; timekeeping; cellular network; clock OS, it will fetch clock information from multiple sources. The way this information is fetched depends on OS and manufacturer policies, and varies among smartphones. Fur- Permission to make digital or hard copies of all or part of this work for personal or thermore, it is also unclear how smartphones manage these classroom use is granted without fee provided that copies are not made or distributed different clock sources. NITZ is an optional message carry- for profit or commercial advantage and that copies bear this notice and the full cita- ing network name and clock information on 2G, 3G and 4G tion on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re- publish, to post on servers or to redistribute to lists, requires prior specific permission 1Although a few higher-end watches are capable of auto- and/or a fee. Request permissions from [email protected]. matic clock synchronization based on external signals, they SPSM’16, October 24 2016, Vienna, Austria are not widely used in the market. 2 2016 ACM. ISBN 978-1-4503-4564-4/16/10. . . $15.00 In this paper, we use the term clock referring both time and DOI: http://dx.doi.org/10.1145/2994459.2994465 date. Time is used when usage of time is explicitly required.

13 cellular network. NTP utilizes the Internet connection to and redirecting on UDP and IP in addition to NTP-specific synchronize with a time server, and most mobile OS includ- attacks can be performed. ing Android and iOS are capable of clock synchronization via There are a number of reported NTP server vulnerabilities NTP. Unlike NITZ and NTP, GNSS services must be man- which could be used to affect NTP availability and time ac- ually turned on by the user to retrieve clock information. curacy, including one from R¨ottger [49]. Malhotra et al. [35] Therefore we only discuss NITZ and NTP in this paper, as presented several attacks on NTP. Attacks presented in their they are updated without explicitly asking the user. work are targeting both the NTP server and the transmis- In this paper, we show that it is possible to spoof clock in- sion channel to the client. Time-shifting attacks can alter formation on modern smartphones by any third party, or an any device that solely relies on NTP as a clock source. We attacker with a rogue base station and Wi-Fi access point. are not focusing on the NTP attack itself. Instead, we eval- We highlight that due to the lack of standard timekeep- uate how NTP and other clock sources are used in smart- ing methods among vendors and OS developers, unintended phones and how spoofing one or more of them affects the consequences arise on mobile OS and apps. We also discuss system behavior. interesting problems with smartphones using 32-bit and 64- Klein [33] showed the impact of attacking clock sources bit that lead to OS crashes. on multiple platforms, including Android and applications To this end we make the following contributions: on it. Czyz et al. [23] analyzed NTP amplification attacks, an attack vector utilizing NTP. CloudFlare and other online • We systematically analyze security aspects provided games were among the victim of this attack. Goodin [25] to NITZ feature in the 3GPP (Third Generation Part- found this attack can cause DoS ranging up to 100Gbps. nership Project) specifications of 2G, 3G, and 4G net- CloudFlare published details of how 400Gbps DDoS attack works. The analysis indicates a lack of authentication towards their infrastructure was possible via NTP amplifi- and integrity protection in 2G networks. cation [46]. • We built an experimental real network to demonstrate Furthermore, NTP servers could be configured to fetch attacker’s capabilities to spoof NITZ information and clock information from either another NTP server or high- investigate their impact against both mobile and base- precision clocks like GPS, radio and an atomic clock. NTP band OS. Furthermore, we discover NITZ configura- servers fetching clock information directly from precise clock tion issues in several deployed cellular networks. We sources is called Stratum 1 server, which takes a higher level present a class of Denial of Service attacks by exploit- in the NTP server hierarchy and is used as a clock source ing weaknesses in a 3GPP specification, device and of lower stratum servers. Zheng et al. [57] proposed an at- cellular network configurations, and implementation tack on radio clock signals used by some active Stratum 1 issues in few baseband operating systems. servers. Compared to this work, our work directly targets smartphones which receive time information from a cellular • We propose countermeasures for Denial of Service at- network or an NTP server. tacks and present best practices for mobile OS and app Timekeeping on smartphones. Several crashes and developers to maintain clock accurately. bugs were discovered related to internal time keeping of mo- bile OS. Straley found the regression on Apple iOS devices, 2. RELATED WORK when the device date is set to January 1970 [53]. Kelley and Harrigan reproduced the same bug using NTP via Wi- We divide related work into three categories: rogue base Fi [32], using DNS spoofing on Apple’s NTP server. Apple station, NTP attack, and timekeeping on smartphones. acknowledged the problem and fixed it in iOS 9.3 and 9.3.1 Rogue base station attack. A fake base station can be update [17]. used to passively attack nearby mobile users. Due to spec- ification and implementation flaws, numerous private infor- mation leakage and malicious information injection attacks 3. BACKGROUND were proposed. An example of an information leakage is the In this section, we briefly describe different types of clock location leak, which Kune et al. [34] and Shaik et al. [51] sources used by OS’s in smartphones. Among those sources, discovered on 2G and 4G network respectively. we only cover NITZ and NTP in detail. Further, we discuss Message injection attacks using fake base stations have how each OS obtains and synchronizes the accurate time on been proposed in several works. Mulliner et al. [42] pre- smartphones. sented SMS injection attacks, which resulted in a system crash in some cases. Weinmann [55] showed GSM control 3.1 Timekeeping in Smartphones plane message injection attacks, causing various impacts. Smartphones are running two different operating systems: Alecu [13] proposed an SMS-based attack to exploit SIM one on the application processor and the other on the base- card applications. Work of Shaik et al. [51] also contains band processor. Although they are interconnected via a message injection using a fake LTE base station. They communication stack on mobile OS (e.g. Android Radio mainly use messages related to location leaks. To the best Interface Layer), they maintain separate clocks. of our knowledge, there are no studies evaluating risks as- The mobile OS clock could be set either by using infor- sociated with clock spoofing via a fake base station in the mation received from the baseband, or (Internet) data con- literature. nection using NTP. This clock is used by all applications NTP attack. Because NTP lacks authentication and running on the OS. Due to the lack of standard methods, it integrity protection by default, and some NTP commands is up to the OS and device manufacturers to select any of could be used maliciously, both attacking NTP itself and the available clock sources. using NTP as an attack vector are proposed. Being an The baseband OS clock is usually set by the cellular net- UDP/IP based protocol, any generic attack like spoofing work using NITZ information. This clock is also supplied to

14 mobile OS; however, it can decide whether or not to use this clock. Normally the baseband uses this clock as a timestamp for the diagnostic messages and is invisible to users. Most OS’s are keeping their clock as monotonically in- creasing value since a fixed (e.g. 1st January 1970 on Android and iOS), and using a fixed sized variable to repre- sent the clock value. (time_t on Android and iOS) Windows has different epoch and clock storage methods [37, 39]. 3.2 NITZ 3GPP specifications define signaling messages for carry- ing NITZ information, called MM Information and GMM Information for both 2G and 3G [9] and EMM Information for 4G [11]. NITZ consists of time, time zone, date, and operator name. Time information in NITZ should be accu- rate in minute level, and the message itself has a minimum Figure 1: Our experimental setup, showing the precision of one second, according to [9]. USRP (left), a Wi-Fi access point (center, dotted square), and our test phones. 3.3 NTP NTP [41] requires a time server to supply an accurate Ethical concerns. 2G, 3G and 4G network experiments clock source, and communicates with the smartphone us- are performed inside a faraday cage to obey to legal regula- ing UDP/IP. Information acquired over NTP contains date tions and avoid interference with other phones. The name and time. Smartphones may use either public NTP pool of the Wi-Fi network is clearly indicated as an experimental servers [3], or OS or device vendors can operate their own network. Further, we responsibly informed all the affected NTP server. mobile OS and smartphone vendors and our reports were acknowledged by them. 4. SPOOFING ATTACKS VIA NITZ AND 4.3 Attack Background NTP We now discuss the security procedure defined for NITZ In this section, we describe the threat model and attacks features in 3GPP and evaluate how cellular network opera- against NITZ and NTP methods. Further, we conduct prac- tors deploy these features in practice. We also analyze the tical experiments to investigate configurational issues in sev- management of NITZ and NTP clock sources, and their ef- eral cellular networks. Finally, we present spoofing attacks fect on the mobile OS. We will later utilize these aspects to via a rogue base station and Wi-Fi access point. design our attacks. 4.1 Threat Model 4.3.1 Security Issues in 3GPP Specifications The attacker is capable of operating a rogue 2G, 3G or Although the content of NITZ messages is similar in all 4G base station. To achieve this, he or she has access to the network generations, their security requirements are dif- the radio hardware and related software to impersonate the ferent and are discussed below. These security requirement user’s serving cellular operator network. Further capabili- means the way NITZ messages are transferred between the ties include the knowledge of 3GPP and NTP specifications. base station and the mobile device. Additionally, attacker can also operate rogue Wi-Fi access 2G point allowing open access to the mobile devices nearby. The 2G specification [9, 8] defines ciphering as an optional 4.2 Experimental Setup feature, but lacks mandatory mutual authentication and in- Figure 1 shows our experimental setup. For NITZ, our tegrity protection on signaling messages including NITZ. hardware consists of a host PC and a USRP B210 device, Thus, an attacker can masquerade himself as a real network connected via USB 3.0. The host PC runs all the software operator and send spoofed NITZ information to phones. required to operate a cellular network, available from vari- 3G ous open source projects: OpenBTS [47] for 2G, OpenBTS- The 3G specification [6] introduced mandatory mutual au- UMTS [48] for 3G, and OpenLTE [56] for 4G. We modified thentication and integrity protection for signaling messages. these software stacks to operate as rogue base stations. We Therefore, NITZ information should be processed only when have selected popular smartphones from various baseband a security setup is present, i.e. after authentication, integrity and OS manufacturers for our test purposes. protection and the ciphering setup. Additionally, we built a custom tool by reverse engineering a baseband to capture 2G, 3G, and 4G network messages 4G from the test phones. In particular, we analyzed control The 4G specification [7] introduced further security en- plane messages and baseband timestamps. hancements, while retaining security requirement of NITZ For NTP, we operate a Wi-Fi access point based on Open- introduced in 3G. As a result, NITZ on 4G is only processed WRT, and a custom NTP server based on busybox-ntpd [21]. after the authentication and establishment of integrity and We configured access point to connect every smartphone ciphering, like on 3G. nearby. Unless the attacker breaks 3G or 4G authentication or

15 Operator (Country) 2G/3G 4G NTP → NITZ → Phone BASE (BE) · · NITZ NTP Mobistar (BE)   Apple iPhone 6S NITZ NITZ Proximus (BE)   5 NITZ NITZ Vodafone (DE) · · Asus Zenfone 2E NITZ NITZ E-Plus (DE) L L HTC One E9 NITZ NITZ Telekom (DE) · · HTC One M9 NITZ NTP O2 (DE) L · Huawei Honor 7 NITZ NITZ Yoigo (ES)   LG Vu 3 NITZ NITZ Bouygues (FR)   Galaxy Alpha NITZ NITZ Nova (IS) · · S4 NITZ NITZ Siminn (IS)   NITZ NITZ Vodafone (IS)  · BlackBerry Z10 NITZ NTP NTT DoCoMo (JP) · L LG Fx0 NITZ NITZ SK Telecom (KR)   Microsoft Lumia 950 NITZ NTP KT (KR)   Samsung Z1 NITZ NTP AT&T (US) ·  T-Mobile (US)   Table 2: Priorities of clock sources.

Table 1: Operator NITZ policy. Check sign: NITZ is sent for all registration, triangle: NITZ is sent 4.3.3 NITZ vs. NTP inconsistently, dot: NITZ is not sent at all. Most smartphone OS’s such as iOS [1], Android [28, 29], Windows Phone [36, 38]3 and Firefox OS [52] have multiple clock sources. However, there is no clear standard describ- the baseband standard is implemented incorrectly, it is im- ing their management. Hence we performed an experiment possible to spoof NITZ messages by masquerading as a real using our setup in Section 4.2 to reveal the myths about the operator. We utilize implementation problems in certain management and priorities of NITZ and NTP in the test basebands later. smartphones. We set up our test smartphones to retrieve clock infor- 4.3.2 Cellular Network Operator Configuration Is- mation from the base station, followed by the Wi-Fi access sues point, and vice versa. We configured the base station and NITZ information is conveyed to the smartphone during NTP server to send different clock values to check which several instances such as when it successfully registers to clock is preferred. Our results are summarized in Table 2. the network, moves to a different time zone and others men- Smartphones like the Nexus 5 were reluctant to update tioned in [10]. As sending NITZ is an optional feature, cel- the clock received over NTP when the clock via NITZ is lular operators do not send NITZ information regularly to already present and was received within the last 24 hours. smartphones. By using our custom tool, we analyzed real In other words, an NTP request is only triggered once in 24 network traces during the registration process to determine hours. This behavior is defined in the NTP handling code which networks implement the NITZ feature. of the Android OS [29]. Table 1 shows difference of NITZ configuration policies In contrast, certain smartphones are treating NITZ and deployed by several European, Asian and US cellular oper- NTP with equivalent priority, setting the system clock with ators. Operators with check sign means that the network the latest received information. For example, the HTC One is sending NITZ whenever the smartphone registers with it. M9 updates the clock via NTP in spite of having recent The rows indicated by a triangle represent the network op- NITZ information. One of the reasons could be the cus- erators who do not have a consistent NITZ policy. In other tomized HTC Sense4 environment on Android OS. Although words, these operators are not sending NITZ during every the Lumia 950 also falls in this category, we found that some- registration. The rows marked with a dot mean that the times it resets to the accurate clock even when both NITZ network operators do not send NITZ information at all. and NTP are inaccurate. We assume that this is caused by One of the European operators stated that, since most of another clock source which we do not discuss in this paper. the smartphones today have an Internet connection, they re- Apple devices running iOS version 9.3.2 behaved differ- ceive their time information via NTP servers which restrains ently from most of smartphones. While older version of iOS them from sending NITZ. The fact that no NITZ informa- preferred NITZ than NTP, newer iOS version changed time- tion is sent during registration causes clock synchroniza- keeping method. It neither accepts new NITZ information, tion problems on smartphones. For example, in a scenario nor issues an NTP request for certain amount of time after where a user roams from T-Mobile USA (sending NITZ) to the clock is set during initial setup or periodic time update. Telekom (not sending NITZ) will not be able to ac- To summarize, NITZ is given higher priority in most cases quire clock information automatically. Hence, sending NITZ since it is received in a secure authenticated channel and can regularly or at least during registration can avoid these prob- be trusted more than NTP. lems. In the absence of NITZ, smartphones require a data connection to update the clock (via NTP). However manual updates are still possible. 3Prior to Windows Phone 8.1 Update 1 it lacked NTP 4HTC customized Android system

16 OS (Architecture) time_t Size End Year Mobile OS Default NTP Server iOS (32-bit) [15] 32-bit 2038 Android [0-3].android.pool.ntp.org iOS (64-bit) 64-bit Never BlackBerry 10 time.blackberry.com Android (32-bit)5 32-bit 2038 Firefox OS [0-3].pool.ntp.org Android (64-bit) 64-bit Never iOS time-ios.apple.com BlackBerry 10 [18] Unsigned 32-bit 2106 Sailfish OS [0-3].sailfishos.pool.ntp.org Windows [39] Custom 30827 pool.ntp.org Windows time.windows.com Table 3: Timekeeping method of mobile OS. Table 4: Default NTP address for each mobile OS’s. 4.3.4 Mobile OS issues Country Code) and MNC (Mobile Network Code) from a Mobile OS’s are using different ways to represent internal base station before connecting to it. For example, based on clock information as stated in Table 3. For example, 32-bit the MCC and MNC of Vietnam, the time zone is updated to iOS and Android devices are only able to represent dates up Indochina Time (UTC+07:00). This behavior is unreliable to January 2038 (231 − 1 seconds after epoch). Any due to the fact that broadcast messages are accepted by the future date causes a clock overflow, and will roll back to the smartphone without having any security setup. past. Unintended consequences could happen. As shown in Section 4.3.3, after detaching from the rogue Based on our experiments, sending a clock value (some base station the smartphone may or may not receive accu- seconds before 2038-01-19 03:14:07 UTC) via NITZ causes rate clock information via NITZ depending on the operator the mobile OS to crash on all 32-bit Android smartphones. policy. Also, an NTP update is unlikely due to the prefer- Using NTP to set that clock is not always possible because ence of NITZ over NTP. As a result, we discover that to get NTP up to version 3 [40] can represent up to year 2036, and accurate clock some smartphones required a reboot, in some most smartphones utilize NTP version 3. Additionally, 32- cases even by toggling the automatic clock update feature. bit iPhones like iPhone 5 also suffer from this problem [4]. Other 32-bit mobile OS like Firefox OS only rolled back its 4.4.2 Via Wi-Fi Access Point internal clock without crashing. However, the clock on 64- Like a rogue base station, attacker can operate a rogue bit smartphones virtually never expires, as 263 − 1 seconds Wi-Fi hotspot with the same name (SSID; Service Set ID) are far beyond the age of the universe. as a legitimate one (e.g. public Wi-Fi). Upon discovery, Baseband OS keeps its time separate from the mobile OS. the smartphone connects to the rogue one and all Internet By using our custom tool we analyzed the baseband times- traffic will be routed via the attacker. tamps before and after sending a NITZ message. The Qual- We configured our Wi-Fi access point to redirect all pack- comm basebands has a wider date range than year 2038, but ets towards UDP port 123 (default NTP port) to our rogue it is not passed to Android due to limitations in the radio NTP server. Upon receiving NTP requests from the smart- communication stack. Other basebands like Samsung or In- phone, the NTP server replied with spoofed clock informa- tel, do not include clock information in debugging messages. tion. Because of the wide varieties of NTP server addresses 4.4 Spoofing Attacks among mobile OS’s as shown in Table 4, we use a port redi- rection instead of DNS query spoofing for simplicity and In this section, we exploit 3GPP specifications and cellular scalability of the attack. Since NTP does not mandate any operator configuration issues to demonstrate clock spoofing authentication, all our tested smartphones accepted spoofed attacks in two ways: via a rogue base station and via a Wi-Fi clock information. access point. Android has an NTP polling interval [29, 27] of one day by default. Upon reception of the first NTP response packet, 4.4.1 Via Rogue Base Station Android will not issue further NTP requests until the NTP We initially consider that a user’s smartphone is attached polling interval had been rolled back. This is also true when to a legitimate base station. Then attacker forces the phone the user changes to the legitimate Wi-Fi network, making to attach to the rogue one (2G/3G/4G), by impersonating recovery via NTP impossible at least for one day. the user’s service provider. Upon detecting a new base sta- tion the smartphone initiates a connection to it. As a re- 5. IMPACTS ON MOBILE OS AND APPS sponse the attacker sends spoofed clock information via a MM/GMM/EMM Information message. In this section, we discuss how clock spoofing attacks af- On 2G, all our test smartphones accepted spoofed NITZ fect the operation of baseband and mobile OS and its apps. information and changed their baseband clock. For 3G and We also examine the persistence of attacks and possible re- 4G, certain smartphones accepted NITZ and changed the covery methods. baseband clock in the absence of authentication, thereby vi- 5.1 Baseband Operations olating 3GPP specifications. The received clock information is forwarded to the mobile OS and used by apps. We analyzed control plane messages in all 2G, 3G, 4G net- Unlike other smartphones, Samsung smartphones (Galaxy works [9, 11] and found that only a small number of messages Alpha, Galaxy S4, S6, Z1) are changing the time zone of it contain current baseband or network clock information. As upon receiving broadcast information such as MCC (Mobile a result, most cellular operations are not affected by the at- tack. Other usage of the clock information on the baseband 5including other -based mobile OS, e.g. Firefox OS, is logging its diagnostic messages. Sailfish OS, Tizen Signaling messages for telephone calls, both circuit switch

17 Figure 2: Message details on Nexus 5, showing both network and device timestamp. based and VoLTE [31], do not contain clock information. As a result, incoming and outgoing calls are logged on the phone with the mobile OS clock and operators maintain their own clock for call accounting. Figure 3: Best practice: screenshot of WhatsApp Incoming SMS is one of the signaling messages contain- indicating system clock spoofing. ing network clock information when the message has been sent [12]. It is up to the device developers to use the times- message, and operate regardless of the clock spoofing. tamp present in the incoming SMS or not. Figure 2 shows Web browser, social networking, mobile messengers an example of clock difference: network clock information is mainly rely on TLS-based encryption. Specifically, What- included in the “Sent” field, the device counterpart is in the sApp (see Figure 3) and Google Chrome explicitly indicated “Received” field. the system clock mismatch when clock spoofing was de- 5.2 Mobile OS Operations tected. In this case, WhatsApp failed to operate normally until the clock was reset to the accurate value. Clock spoofing can affect various components, ranging Further, certain apps like OpenVPN did not distinguish from low level components like kernel and system programs between clock spoofing and generic network errors. Figure 4 to higher level components like apps. shows how OpenVPN presents an error when the current system clock is outside of the certificate validity period. App 5.2.1 System Components stores like the Google Play Store presented an option to retry Any system component or app relying on clock informa- the connection, but this fails to work until the clock is reset. tion will be vulnerable to spoofing attacks. Specifically, Finally, certain apps operated regardless of clock spoofing when the attacker sends a date around year 2038 a mem- and showed no indication to the user. We observed this ory overflow occurs causing a complete system crash. Fur- behavior on apps handling mostly public information like ther, networking protocols such as TLS/SSL rely on accurate public transportation timetable, etc. Samsung Knox [50] clock information [35]. also falls into this category, as it allows unlocking and locking We concentrate on TLS/SSL as it forms a basis of higher the secure container regardless of clock spoofing. level protocols like HTTPS, and is widely used in mobile environments. Once a secure connection is established using 5.3 Persistence and Recovery TLS, the client performs a server certificate validity period We observed that majority of our test smartphones are check. If the current clock is outside of the validity period, affected by the attack, and failed to receive accurate clock the certificate is considered to be invalid. Depending on information even after the attacker shuts down the rogue the type of app, the secure connection gets terminated or base station or Wi-Fi access point. During this state, mobile established nonetheless. We found that Android [30] and apps failed to operate normally, causing a persistent Denial iOS [16] enforce strict validity checks on TLS connections, of Service on the smartphone. causing a Denial of Service on the smartphone when the In order to recover, the user needs to reboot the smart- clock is incorrect. phone. In some cases it is enough to toggle the flight mode. When the user is still in range of the rogue base station 5.2.2 Apps or Wi-Fi access point, rebooting will likely pick up false We studied the behavior of apps after the clock spoofing clock information again and cause apps to fail. Similarly, on Android and iOS. Apps not utilizing clock information when traveling accross time zone, rebooting the smartphone or apps utilizing clock information locally are excluded from is usually suggested when current clock information is incor- our analysis, because the former is not affected at all and rect [14]. tha later has no means of verifying accuracy of the clock. Rebooting the smartphone would also be required after a However, apps utilizing clock information and require a data system crash caused by the year 2038 problem. Depending connection are affected by the attack. We tested some of on the smartphone, the clock resets back to the the widely used apps and noticed three different behaviors: epoch (year 1970), or before the epoch (year 1901) until explicitly noticing clock inaccuracy, showing a generic error receiving accurate clock information.

18 Recent Apple iOS 9.3 series introduced some of the san- itization mentioned in Section 4.3.3. Contrary to iOS, our test Android smartphones changed its clock when there were a large clock drift. Although Android has some NITZ san- itization procedures [28] but it only checks system uptime upon receiving NITZ, not the content of NITZ information. As a result, mobile OS clock changed in cases when we sent a correct time value first (e.g. 1st July midnight), then a time value of some days in the future or past (e.g. 10th July or 20th June), and then again recovered the original time (e.g. 1st July 00:10). Although iPhone 5s opened the era of 64-bit smartphones in July 2013, a large number of 32-bit smartphones and cel- lular capable M2M and IoT devices will remain in operation for an extended amount of time. Therefore, OS developers should be aware of the year 2038 problem and need to pro- vide fallback mechanisms without causing the OS to crash. Although the problem itself was first reported on Android 5 years ago [2], the bug was virtually abandoned and remained hidden for a long time. Figure 4: Common practice: screenshot of Open- Additionally, OS developers and/or device manufactur- VPN indicating network failure. ers can implement secure NTP to protect users from NTP spoofing attacks. NTP version 4 introduced cryptographic authentication features, and there are studies proposing se- 6. DISCUSSION cure NTP [24]. Authenticated NTP is already in operation by NIST [44] and the US Naval Observatory [45]. Some We now analyze the security implications that arise due device manufacturers like Apple and BlackBerry are oper- to inadequate timekeeping methods adopted by smartphone ating NTP servers themselves, and actively utilizing secure and baseband manufacturers, and mobile OS developers. containers in their respective mobile OS. They can provide Further, we propose effective mechanisms to handle clock NTP with authentication as a premium service. information inside each component of smartphones. App developers. Among our set of test apps, What- Baseband manufacturers. As the mobile OS prefers sApp and Google Chrome showed the best way to handle to receive clock information over NITZ assuming that it the clock spoofing. Other apps using TLS did not distin- is acquired over a secure channel, baseband manufacturers guish correctly between errors caused by clock spoofing from should abide by the security measures already implemented generic network errors. Unlike other network errors, errors in respective specifications for NITZ. caused by clock spoofing are easier to detect and recover Moreover, as operating a rogue base station now became from by the user. We therefore suggest app developers to easier [20], baseband manufacturers are required to apply distinguish clock spoofing errors from other errors, unless defensive programming regarding the data received from the app is not utilizing clock information. the network provider. An example of defensive program- Also, if clock information is extensively used inside an app, ming would be to verify the received NITZ values. The operating a separate time server on the app developer’s side 3GPP specification does not clearly define error handling can help making accurate timekeeping less of an issue inside procedures when NITZ information contains an invalid clock the application. Some time-critical apps like banking apps value [9, 12]. As a result, when the base station sends month are already following this. 13, it could be interpreted as next year January or could be App developers can differentiate certificate validity pe- ignored. Likewise, hour 25 could be interpreted as 01:00 riod, compromising between security and maintenance cost. next day. All these behaviors are accepted. Some baseband Google set their certificate validity to 3 months, while Face- accepted out-of-range values and interpreted them as a time book and Twitter used 2 years. As a result, Google apps are in the future, while some ignored those values. As the clock stricter on clock spoofing attacks as compared to Facebook information first arrives on the baseband processor, a sanity and Twitter. check will release the burden of verifying the data inside the mobile OS. Mobile OS developers. OS need to provide consistent 7. CONCLUDING REMARKS AND FU- and predictable policies on clock updates. As clock sources have different availability and security, more available and TURE WORK secure clock sources should always be preferred. Also, mo- Smartphones are utilizing multiple clock sources via cel- bile OS can provide interfaces to trigger manual updates of lular network and Internet to ensure accurate clock infor- the clock, and a minimal notification of the current clock mation. We have shown that the vulnerabilities we discov- source when the clock source had been changed. For exam- ered in cellular network (2G, 3G and 4G), NTP standards, ple, BlackBerry has an option to ask the user about time and implementations allowed clock spoofing attack towards zone updates when a new time zone is detected [19]. This smartphone users. Our attacks were performed using open can save the user from rebooting the phone when traveling source cellular network and NTP server software, with read- across time zones, and gives user the chance to use a manual ily available hardware and several smartphones with 6 differ- clock when some of the clock sources are not working. ent mobile OS’s. We demonstrated Denial of Service attack

19 leading to the malfunction of apps and complete mobile OS [9] 3GPP. Mobile radio interface Layer 3 specification; crash. Baseband implementations, 3GPP standard issues, Core network protocols; Stage 3. TS 24.008, 3rd and lack of consistent timekeeping methods in smartphones Generation Partnership Project (3GPP). are the root causes of these attacks. We proposed best prac- [10] 3GPP. Network Identity and TimeZone (NITZ); tices to manage multiple clock sources in smartphones and Service description; Stage 1. TS 22.042, 3rd provide accurate clock to the user. We followed standard re- Generation Partnership Project (3GPP). sponsible disclosure methods of all affected manufacturers, [11] 3GPP. Non-Access-Stratum (NAS) protocol for and we also notified the mobile app developers and OS de- Evolved Packet System (EPS); Stage 3. TS 24.301, velopers. Google addressed the problem mentioned in this 3rd Generation Partnership Project (3GPP). paper in Android Security Bulletin, August 2016 [26, 5]. [12] 3GPP. Technical realization of the Short Message Our future work will cover the other clock sources we ex- Service (SMS). TS 23.040, 3rd Generation Partnership cluded or did not analyzed in this paper, and the other Project (3GPP). components of mobile OS and apps. Although we explic- [13] B. Alecu. SMS Fuzzing - SIM Toolkit Attack. DEF itly excluded GPS in this paper, GPS spoofing including CON 21, 2013. clock information is already proposed [54]. While previous [14] AndroidCentral.com. Automatic time zone and work [35] mentioned that multiple protocols are affected by date/clock are wrong. clock spoofing attack, we only covered TLS/SSL in this pa- http://forums.androidcentral.com/htc-one-m7/ per. We will also cover other network protocols and OS 291916-automatic-time-zone-date-clock-wrong.html. components that is largely affected by clock spoofing attack. We belive our attacks are not only true for smartphones [15] Apple Inc. Major 64-Bit Changes - iOS Developer but also for IoT systems that derive from a mobile OS (for Library. https: example, connected cars). There is more protection and reli- //developer.apple.com/library/ios/documentation/ ability needed for maintaining an accurate time information General/Conceptual/CocoaTouch64BitGuide/ for these systems. Our research results exhibit that clock Major64-BitChanges/Major64-BitChanges.html. spoofing attacks needs more attention in the age of digitally [16] Apple Inc. Using Network Securely - iOS Developer connected world. Library. https://developer.apple.com/library/ios/ documentation/NetworkingInternetWeb/Conceptual/ NetworkingOverview/SecureNetworking/ Acknowledgements SecureNetworking.html. This research was partly performed within the 5G-ENSURE [17] Apple Support. If you changed the date to May 1970 project (www.5GEnsure.eu) the EU Framework Programme or earlier and can’t restart your iPhone, iPad, or iPod for Research and Innovation Horizon 2020 under grant agree- touch. https://support.apple.com/en-us/HT205248. ment no. 671562 and received funding from the Software [18] BlackBerry Limited. Clock and timer services - Native Campus project from DLR (Deutsches Zentrum fur¨ Luft- SDK for BlackBerry 10. https: und Raumfahrt) project no. 01IS12056. We would like to //developer.blackberry.com/native/documentation/ thank Kibum Choi, Byeongdo Hong, Dongkwan Kim, Hongil dev/rtos/arch/kernel clockandtimer.html. Kim and Youngseok Park from KAIST on collection of data, [19] BlackBerry Limited. When traveling between time and the anonymous reviewers for their thoughtful feedback zones the BlackBerry smartphone does not on previous versions of this paper. automatically update to local time. http://support.blackberry.com/kb/ 8. REFERENCES articleDetail?ArticleNumber=000010323. [20] R. Borgaonkar, K. Redon, and J.-P. Seifert. Security [1] Carrier.plist - The iPhone Wiki. analysis of a femtocell device. In Proceedings of the 4th https://www.theiphonewiki.com/wiki/Carrier.plist. International Conference on Security of Information [2] Issue 16899: Year 2038 problem - Android Open and Networks, SIN ’11, pages 95–102, New York, NY, Source Project Issue Tracker. https: USA, 2011. ACM. //code.google.com/p/android/issues/detail?id=16899. [21] Bruce Perens et al. BusyBox. [3] pool.ntp.org project : the internet cluster of ntp https://busybox.net/about.html. servers. http://www.pool.ntp.org/en/. [22] Cinterion Wireless Modules. BGS2-E AT Command [4] The iPhone : January 19, 2038 - Specification. MacRumors Forums. [23] J. Czyz, M. Kallitsis, M. Gharaibeh, C. Papadopoulos, http://forums.macrumors.com/threads/the-iphone- M. Bailey, and M. Karir. Taming the 800 Pound apocalypse-january-19-2038.1943912/. Gorilla: The Rise and Decline of NTP DDoS Attacks. [5] CVE-2016-3831. Available from MITRE, CVE-ID In Proceedings of the 2014 Conference on Internet CVE-2016-3831., 2016. Measurement Conference, IMC ’14. ACM, 2014. [6] 3GPP. 3G security; Security architecture. TS 33.102, [24] B. Dowling, D. Stebila, and G. Zaverucha. 3rd Generation Partnership Project (3GPP). Authenticated network time synchronization. IACR [7] 3GPP. 3GPP System Architecture Evolution (SAE); Cryptology ePrint Archive, 2015:171, 2015. Security architecture. TS 33.401, 3rd Generation [25] D. Goodin. New DoS attacks taking down game sites Partnership Project (3GPP). deliver crippling 100Gbps floods. [8] 3GPP. Digital cellular telecommunications system (Phase 2+); Security aspects. TS 42.009, 3rd http://arstechnica.com/security/2014/01/new-dos- Generation Partnership Project (3GPP). attacks-taking-down-game-sites-deliver-crippling-100-

20 http://arstechnica.com/security/2014/01/new-dos- [42] C. Mulliner, N. Golde, and J.-P. Seifert. SMS of attacks-taking-down-game-sites-deliver-crippling-100- Death: from analyzing to attacking mobile phones on gbps-floods/. a large scale. USENIX Security, 2011. [26] Google Inc. Android Security Bulletin–August 2016. [43] S. Musil. Smartwatches now more popular than Swiss https://source.android.com/security/bulletin/2016-08- watches, thanks to Apple. CNET, 2016. 01.html. [44] National Institute of Standards and Technology. The [27] Google Inc. config.xml. https: NIST Authenticated NTP Service. http: //android.googlesource.com/platform/frameworks/ //www.nist.gov/pml/div688/grp40/auth-ntp.cfm. base/+/master/core/res/res/values/config.xml. [45] Naval Meteorology and Oceanography Command. [28] Google Inc. GsmServiceStateTracker.java. https: Authenticated NTP - DoD Customers. http:// //android.googlesource.com/platform/frameworks/ www.usno.navy.mil/USNO/time/ntp/dod-customers. opt/telephony/+/master/src/java/com/android/ [46] M. Prince. Technical Details Behind a 400Gbps NTP internal/telephony//GsmServiceStateTracker.java. Amplification DDoS Attack. [29] Google Inc. NetworkTimeUpdateService.java. https://blog.cloudflare.com/technical-details-behind- https://android.googlesource.com/platform/ a-400gbps-ntp-amplification-ddos-attack/. frameworks/base.git/+/master/services/core/java/ [47] Range Networks. OpenBTS. http://openbts.org/. com/android/server/NetworkTimeUpdateService.java. [48] Range Networks. OpenBTS-UMTS. http: [30] Google Inc. Security with HTTPS and SSL - Android //openbts.org/w/index.php?title=OpenBTS-UMTS. Developers. http://developer.android.com/training/ [49] S. R¨ottger. Finding and exploiting ntpd articles/security-ssl.html. vulnerabilities. http://googleprojectzero.blogspot.de/ [31] GSMA. Official Document IR.92 - IMS Profile for 2015/01/finding-and-exploiting-ntpd.html. Voice and SMS. [50] Samsung. Mobile Enterprise Security – Samsung [32] P. Kelley and M. Harrigan. iOS 1970 Vulnerability Knox. https://www.samsungknox.com/en. Leads to Remote Bricking of Phones Over The Air. [51] A. Shaik, R. Borgaonkar, N. Asokan, V. Niemi, and https://www.youtube.com/watch?v=zivWTwOjEME. J.-P. Seifert. Practical attacks against privacy and [33] J. Klein. Becoming a Time Lord: Implications of availability in 4G/LTE mobile communication Attacking Time Sources. Shmoocon FireTalks 2013, systems. In 23rd Annual Network and Distributed 2013. System Security Symposium, NDSS San Diego, [34] D. F. Kune, J. K¨olndorfer, N. Hopper, and Y. Kim. California, USA, February 21-24, 2016, 2016. Location leaks over the GSM air interface. 19th [52] Shao Hang Kao. Bug 874771 - Implement SNTP Annual Network and Distributed System Security support (Gecko end). https: Symposium, NDSS 2012, San Diego, California, USA, //hg.mozilla.org/mozilla-central/rev/fb5ba2a8e039. February 5-8, 2012, 2012. [53] Z. Straley. Don’t set your iPhone’s date to January 1, [35] A. Malhotra, I. E. Cohen, E. Brakke, and S. Goldberg. 1970! The fastest trick to BRICK an iPhone! Attacking the Network Time Protocol. In 23rd Annual https://www.youtube.com/watch?v=fY-ahR1R6IE. Network and Distributed System Security Symposium, [54] N. O. Tippenhauer, C. P¨opper, K. B. Rasmussen, and NDSS 2016, 2016. S. Capkun. On the Requirements for Successful GPS [36] Microsoft. EnableAutomaticTime - Windows 10 Spoofing Attacks. In Proceedings of the 18th ACM hardware dev. https://msdn.microsoft.com/en-us/ Conference on Computer and Communications library/windows/hardware/mt502640(v=vs.85).aspx. Security, CCS, 2011. [37] Microsoft. FILETIME structure - Windows Dev [55] R.-P. Weinmann. Baseband Attacks: Remote Center. https://msdn.microsoft.com/en-us/library/ Exploitation of Memory Corruptions in Cellular windows/desktop/ms724284%28v=vs.85%29.aspx. Protocol Stacks. USENIX Workshop on Offensive [38] Microsoft. NTPEnabled - Windows 10 hardware dev. Technologies, 2012. https://msdn.microsoft.com/en-us/library/windows/ [56] B. Wojtowicz. OpenLTE. hardware/mt157027(v=vs.85).aspx. https://sourceforge.net/projects/openlte/. [39] Microsoft. SYSTEMTIME structure - Windows Dev [57] Y. Zheng and H. Shan. Time is On My Side: Forging Center. https://msdn.microsoft.com/en-us/library/ a Wireless Time Signal to Attack NTP Servers. HITB windows/desktop/ms724950%28v=vs.85%29.aspx. 2016 Amsterdam, 2016. [40] D. Mills. Network Time Protocol (Version 3) Specification, Implementation and Analysis. RFC 1305 (Draft Standard), Mar. 1992. Obsoleted by RFC 5905. [41] D. Mills, J. Martin, J. Burbank, and W. Kasch. Network Time Protocol Version 4: Protocol and Algorithms Specification. RFC 5905 (Proposed Standard), June 2010.

21