Covert Channels and Data Injection Vulnerabilities for IEEE 1588 Precision Time Protocol Using PTP4L
Lillian McPadden, Elizabeth Herrera, Luke Jacobs, Casimer DeCusatis, Marist College; Paul Wojciak, Clay Kaiser, and Steve Guendert, IBM Corporation
Location: Beacon B
Date/Time: Thursday, Jan. 25, 9:43 a.m.
The IEEE 1588 standard defines the Precision Time Protocol (PTP), an emerging technology for high-precision timing and clock distribution networks. We present experimental results from a PTP test bed that demonstrate several new types of covert channel communications, which allow the PTP protocol to be used for data exfiltration and other unauthorized network communication. We then expand upon this work to demonstrate three new code injection zero-day vulnerabilities in the PTP protocol, and develop proof-of-concept exploits for these attacks. In one attack, we demonstrate the ability to induce temporal vortex errors at will for arbitrary periods of time. In a second attack, we demonstrate a novel man-in-the-middle (MITM) packet injection exploit against the PTP network that produces large, incorrect timing offsets at PTP timeReceiver nodes. In a third attack, we demonstrate the use of specific metadata payloads to generate large timeTransmitter (i.e., master clock) offsets, and to manipulate not just the clock offset but the actual clock frequency itself. We also discuss proposed mitigation techniques and directions for further research.