Schneier on Security
A blog covering security and security technology.
« State Department Redacts Wikileaks Cables |
| Liars and Outliers: The Big Idea »
March 2, 2012
Great movie-plot threat:
Financial institutions depend on timing that is accurate to the microsecond on a global scale so that stock exchanges in, say, London and New York are perfectly synchronised. One of the main ways of doing this is through GPS, and major financial institutions will have a GPS antenna on their main buildings. "They are always visible because they need a clear view of the sky," Humphreys told Wired.co.uk.
He explains that someone who directed a spoofer towards the antenna could cause two different problems which could have a major impact on the largely automated high-frequency trading systems. The first is simply causing confusion by manipulating the times -- a process called "time sabotage" -- on one of the global stock exchanges. This sort of confusion can be very damaging.
Posted on March 2, 2012 at 6:11 AM
• 45 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The insanity of a financial system that needs this sort of accuracy in the first place is the real threat.
Obviously there are no humans in the loop, just algorithms dreamt up by economists.
"If you decry reality for not following your model, then you're no longer practicing science, you're an economist."
Not even full-blown "spoofing": a simple delay line with a bit of amplification should suffice (the receiver will presumably latch on to the strong, delayed signal rather than the direct one) and you can wind the clock back slightly. Possibly how the Iranians captured the drone recently, from the comments thread there?
One of the comments, apparently from someone intimately familiar with the industry, indicates they're already protected from this anyway: not as an intentional precaution, just sensible robustness, since you can't rely entirely on a single GPS receiver anyway. It's on top of a building: electric storms in the area, lightning strikes, maintenance on the roof, birds getting in the way...
Also, you can trick the evil scientist-priest into being destroyed by his own ancient-stone-circle / black hole combo.
I may be remembering wrong, but isn't this exactly what they did in Entrapment?
Why would someone with an internet connection over copper or fibre cables want to rely on GPS for correct time instead of NTP servers?
The bigger threat is RFID.
1. Denial of service.
Since RFID is so low powered, its easy to jam and hence implement a denial of service attack. 9 volt battery and a transmitter should do it. Lasts quite a few days, and impossible to find. You could even do this externally to the shop with a n antenna focused on the shop.
If the shop is reliant on RFID, you cause a major problem and drive up cots.
Spoofing is even more damaging. In effect deleting a transaction, inserting transactions, or modifying transactions.
Deleting a transaction causes a loss for the shop, or causes the shopper to be arrested for shoplifting when leaving the shop. It can also hide shoplifting.
Changing a transaction also causes chaos. Your tin of beans suddenly becomes lady's lingerie. Inserting transactions also causes damage when the shopper finds out they have been ripped off.
The GPS attack on trading isn't correct. It's just some taking the argument about executing fast to mean that the GPS must be in the loop. If you change the time all you can really do is get the market shut early. If that happens once, they immediately switch the code to work in another way. It's not an effective attack, and it doesn't lead to people being able to extract money.
I must admit when I read about it a while ago and how some politicians appeared to think it was "the real deal" I had a good chuckle.
Whilst GPS might provide many with a master clock it is far from the only one, most cellular phone networks have their own master clock system where they are all kept in "lock step".
The big problem time wise beleive it or not is the earth slowing down and the weather adding unpredictable variations in the earths rotational speed etc.
There was a conferance recently to decide what scientists, engineers and ordinary humans were going to do about the time issues.
I strongly suspect that this won't be the only time reference that they have. Caesium standard clocks (a primary reference - the second is defined using them) can be bought for not much money (about $100k - not much to a bank) and can be used in addition to other sources. NTP can be configured with multiple servers using different references which are peered together.
Eum, 1999 "Entrapment" anyone? http://www.imdb.com/title/tt0137494/
To spoil the movie: The lead character spoofs a GPS-based timing system giving her x seconds to steal a couple of bilion during a Millennium-Bug test.
And there was me thinking this one was far to realistic for Hollywood ;)
Nevermind the fake GPS delay; I want that laptop that can boot from "off" to "executed a crapload of small transactions totalling USD 8,000,000,000" in under 15 seconds. None of mine can even get to a password prompt that fast.
Also as a former military telecommunications specialist I want her ability to walk into a patch panel she's never seen before and repatch it in a time frame to support the above mission. #stipulated it's a very, very small patch panel#
Oh what the heck, as long as I'm fantasizing I want Catherine ZJ as well...
You laugh now, but wait until Tom Cruise parasails onto the top of each building, installs a rocket motor in the base of each antenna, and programs them to all launch at the same time and collide at a predetermined point in space, thus causing..... er, a time-warp in the somethingorother.
Hey, that could happen, too.
Security involves trade-offs. Security introduces latency. Latency costs money. Hmm. What sort of trade-offs do traders make?
1) wouldnt they have multiple GPS receivers/antennae
B) which would feed to an arbiter (to determine which inputs are acceptable/valid and to propose the authoritative time stamp to the...
- NTP server
* which feeds the systems
what part of that is confusing?
As for high-frequency trading - I am by no means an expert, but I would assume the exchange processes the orders in the sequence that they arrive - regardless of what the actual time of day is at the moment. So while heavy real-time, the processing needs a relative, monotonic, somewhat precise (to the microseconds - likely, to the nanoseconds - not really) time reference only, not the actual "wall-clock" time (UTC as coordinated internationally using many atomic clocks around the world).
In a typical system, time is kept on an internal counter, clocked by a local oscillator of a not-so-high frequency stability (most often the CPU's own clock), which never ticks backwards. An external reference (GPS, NTP, extra local high-stability oscillator, whatever) is used to stabilize the average frequency of the local time source and to synchronize the "absolute" time to the UTC, but the actual synchronization is always done in a monotonic way: if the internal source had drifted away and is ahead of the UTC, it is never set backwards - it is simply slightly "slowed", so it ticks slightly less frequently, allowing the external reference to "catch up", then the internal source is reset back to the "proper" frequency. Conversely, if the internal source had lagged behind it is made to tick slightly more frequently until it catches up with the external reference.
Therefore disturbing external GPS reference (even if it is the only one, which is unlikely), will not make the internal notion of the time to "skip" in either direction, thus allowing to reorder coming requests by timestamping them with a non-monotonic reference. The reordering is the only attack that can "illegally" affect the stock exchange - all other tricks are perfectly OK.
This is why high-frequency traders locate their systems physically close to the stock exchange - to gain a few kilometers worth of distance over the fibre cables connecting them to the exchange systems, thus gaining a few microseconds of round trip time. They already know that it is important when their orders *arrive* not when they are sent out, and they plan for it.
Since it's Friday, change of topic: Did anyone see the idiot who drove through the gate at the airport in Philly? See TSA trying to catch up? lol! I'm surprised Big Sis Janet Napoleon Bonapartano didn't come out with a statement saying "the system worked everyone. Thanks to TSA officers, we got the drunken terrorist and saved millions of lives. This solidifies our purpose to exist."
If anything, they'll use that incident to ask Congress for more $$$$$$$$$$$$$$. So they can post TSA "officers" at every airport runway gate in the country now because thats "what the bad guys are targeting these days".
'9 volt battery and a transmitter should do it'
Just like getting tarred and featured should do it for human flight.
You sound like those CASPIAN nut jobs over at www.spychips.com
I suggest reading (on the page Bruce links to) the comment by Mike from 26 Feb.
Even if this "financial attack" were plausible -- and I share Bruce's skepticism about this ...
... as far as I understand it, high-frequency trading is a parasitic activity with no benefit to the real economy. It is one of the pernicious financial shenanigans that enrich the few to the detriment of the many. It's not even good for the financial markets, let alone the wealth of the underlying economy.
Accordingly, anything that might reduce the appeal of high-frequency trading, may well be good news for the world at large.
A remake of 'The Sting" is a better fit than "Entrapment"
1) GPS Jamming is no longer a theoretical exercise. The rumor is jammers are available on the open market at very reasonable prices. And it has been widely reported that the current theory of how the US spy drone was captured was through GPS jamming.
2) GPS timing is accurate to within 10 nanoseconds while NNTP (on the public internet) is only accurate to 10's of milliseconds. Since high frequency trading seeks to exploit price differences over timeframes on the 100s of microseconds to 1 millisecond, NNTP would not be accurate enough.
3) Having said that, my belief is that the current state of the art in jamming would likely only cause a DoS of time signals and would not be capable of the "Entrapment" attack. This would cause a high degree of opportunity losses rather than actual losses.
Could one use related techniques to disrupt power system synchrophasors?
I suspect that the focus on high-frequency trading is there to draw the crowds -- it's a hot topic, after all. But I do not think this is a movie plot threat; the reality is just much more boring.
A couple of background items -- most exchanges require their clients to maintain an accurate clock, and some will even fine their clients if their clocks aren't accurate. There is good reason for this: the exchange opens and closes according to the clock, and the clients therefore need to be on the same clock.
The other background piece is understanding how the day of many institutional traders ends up. Many of them do not hold stock positions overnight -- they close out their positions at the end of the day, and "end of the day" here means "last few seconds".
If you put these together, you can now see how an attack could be conducted. Sudden jumps in time will be noticed, so the methodology has to be to drag the trading client backward in time a few seconds. The effect would be that when the market closes, the client may still think they have ten seconds to wrap up their positions -- but they don't. They are stuck carrying positions overnight because the market has already closed. The effects of this will be unpredictable, but definitely not what the trading client has intended.
This is only going to be a generally malicious attack. As I see it, you cannot target a particular stock. You can target a company, but only in the form of a specialised denial of service attack. Financial effects will be unpredictable.
Overall, this is going to be boring. But it will be noticed, and it will cause the trading client to suspect the reliability of its systems, and then spend time and effort to mitigate what was likely considered a very low item on the risk list.
Finally - GPS time is highly reliable, and one of the common behaviours of many organisations is to save money by removing redundancy from their systems. Note that in North America, GPS is considered so reliable for navigation that LORAN is no longer provided. Convincing any organisation to spend money on checking a reliable system is going to be a tough sell.
Yesterday showed an example of date and time spoofing - somebody (probably terrorists) modified the Earth's rotation to put an extra unexpected day in February
This caused the UK's post office, and Windows Azure cloud service, among others, to fail.
The TSA needs to hut down Pope Gregory XIII and deal with this!
As was recently demonstrated at Gran Sasso, GPS synchronization can be used to transmit neutrino-based signals faster than light. Any physicist can tell you how to leverage that capability to transmit signals backward through time. The implications in financial applications are staggering.
In a '60s Superman TV episode he hacks WWV to trick the bad guy into thinking the statute of limitations time has lapsed.
@MarkH: "HFT is a parasitic". Au contraire - markets breed liquidity. High Freq Trading knocks out an older class of parasites who'd thrived on the slower pace. Relatively speaking those markets have become more efficient, not less!
Justin: you could potentially target a specific stock if you knew that they were scheduled to make a post-close announcement. There is after-hours trading, but it's typically a much thinner, more volatile market.
If you want a real movie-plot threat, combine synch problems with the flash-crash phenomenon, where a smaller or larger chunk of the market undergoes a huge price drop for a few seconds or minutes because of HFT fluctuations. Wait for a flash crash (or engineer it yourself if you know how) and then DoS the exchange, extending the period of low valuation from minutes to hours, during which a collateral call comes in...
This guy has never heard of using RF-transparent covers over antennae, for example to disguise them?
Someone altering the time on the clocks isn't the threat they should be worrying about.
They have stripped all the security controls out because they introduce latency. There is custom software and the developers are on the inside. The developers are the traders. The system is in a constant state of upgrade to squeeze out ever more speed. Introduce a very small amount of latency along the way and you fix the system to favor one person over another.
Arlen (see link to Arlen talk above): "Is it even possible to trust within this framework?"
"Au contraire - markets breed liquidity. High Freq Trading knocks out an older class of parasites who'd thrived on the slower pace. Relatively speaking those markets have become more efficient, not less!"
So soon after the big market crash and we've already forgotten how fast the players in financial markets can desiccate the system.
Come on, that anti-theft bars very often beeps falsely, it's everyday confusion which nobody really is worried about.
Wave Bubble A design for a self-tuning portable RF jammer
"wo Wavebubbles. Left is an earlier revision with the top removed and with external antennas. Right is v1.0 with internal antennas, fit into a pack of cigarettes.
This website details the design and construction Wave Bubble: a self-tuning, wide-bandwidth portable RF jammer. The device is lightweight and small for easy camouflaging: it is the size of a pack of cigarettes.
An internal lithium-ion battery provides up to 2 hours of jamming (two bands, such as cell) or 4 hours (single band, such as cordless phone, GPS, WiFi, bluetooth, etc). The battery is rechargeable via a mini-USB connector or 4mm DC jack (a common size). Alternately, 3 AAA batteries may also be used.
Output power is .1W (high bands) and .3W (low bands). Effective range is approximately 20' radius with well-tuned antennas. Less so with the internal antennas or poorly matched antennas.
Self-tuning is provided via dual PLL, therefore, no spectrum analyzer is necessary to build this jammer and a single Wave Bubble can jam many different frequency bands - unlike any other design currently available! To reconfigure the RF bands, simply plug it into the USB port of your PC and type in the new frequencies when prompted. Multiple frequency ranges can be programmed in, each time the device is power cycled it will advance to the next program in memory.
While the documentation here is both accurate and complete (as much as possible), the construction of such a device is still an advanced project. I would not suggest this as even an 'intermediate' skill project, considering the large amount of difficult SMT soldering (multiple TSSOP and SOT chips, 0603 RC's), obscure parts, and equiptment necessary to properly construct and debug.
This design is not for sale or available as a kit and never will be due to FCC regulations. Please do not ask me to assist you in such matters.
All original content for this project is distributed open source under Creative Commons 2.5 Attribution / Share-Alike."
Wave Bubble was developed under support by EYEBEAM during my R&D fellowship at the Open Lab, thanks!
Much of the RF gain-stage design and layout was done in collaboration with Adam J. O'Donnell and the Cult of the Dead Cow
Original design work was done at MIT Media Lab/Computing Culture as part of my M.Eng thesis and based on the inimitable work at GBPPR.
As some people have pointed out, NTP isn't designed to provide the sort of precise synchronisation across a network that may be needed for High Frequency Trading. The protocol commonly used is IEEE 1588 Precision Time Protocol. With hardware assistance, this can achieve sub-microsecond variation across an Ethernet LAN over some hours of gradual convergence.
A master PTP server may use a GPS receiver as a precise global time reference. But hardware assistance for PTP normally includes a clock driven by a very stable oscillator with a configurable multiplier. If it suddenly becomes necessary to make significant adjustments to keep this clock in sync with the GPS time signal, that in itself ought to raise a red flag. Of course you won't immediately be able to tell which of them is faulty...
The iranians spoofing/jamming GPS is all very exciting, but then why did they take so long to find the thing afterwards?
Its all far easier to imagine it was a total mechanical engine failure, or bird-strike to fuel tank or something.
Version 2 will clearly have two engines ;)
As someone before me said: this sort of "spoof" can be done in a relatively easy way with a delay line. Such equipment can be, and have been, built from off-the-shelf equipment and be small enough to fit in a car. Even military GPS is sensitive to this type of spoofing, since no knowledge of the P-code encryption details is needed when the signal is just delayed.
There is a remedy though - beamforming antenna arrays. An array of GPS-antennas is used to create one virtual antenna per GPS-satellite with very narrow beamwidth. Thus spoofed signals, even if stronger, will be suppressed. The technology is basically the same as in modern ESA radars (or sonars for that matter.)
GPS spoofing is reality
I don't think anybody here doubts that (especialy me, having been one of the few who have actually demonstrated it in the faces of those who denied it was possible many years ago).
The question is more if we belive that these micro second trading systems will be effected sufficiently to "bring down the Western world" etc that some politicos think it will.
Personaly I don't think so for a whole heap of reasons. I would be more worried about other security aspects of these micro second trading systems and somebody then usuing "GPS jamming" as an excuse.
The real question people should be asking is why do these idiotic trading systems exist in the first place?
As I said a few days ago significant money cannot be made in stable trading systems because simple models will work for prediction.
Therefor you have two things you can do, make more trades in a given time or make the market unstable in a way known only to your (and possibly one or two others) predictive model.
As others have noted in the past on analysing trading patterns it appears very likely some very large players in the market are doing both.
What many people appear to have forgoton is that these esoteric systems are doing nothing in the way of making "real value" (that's done by investing in manufacturing etc to increase utility etc). Nore as on person above thinks do these systems create liquidity in anything other than their own closed market. So if they don't add "real value" and take out "monetary value" then the only thing left they can be creating is inflation.
You might not be aware of it, but usually GPS is used to synchronise an already available clock. You can buy an 'atomic clock' based on the same technology the big ones are working and use GPS to get the last sub-nanoseconds of synchonisity. I used something like this for channel measurements for mobile communication and if you disconnect the GPS antenna and the temperature has no mayor impact, the clock is still available and in sync for a few hours.
I know at least one banking facility how has a local setup of a clocking device (rubidium based) which even does checking against NTP.
Like Clive, I'm more worried about the high-speed trading than the time-signal tricks.
If you're a dishonest trader there are probably more attractive and straightforward types of fraud available than messing with time signals, and if you're a rogue saboteur you should go find fiber-optic cables in lower Manhattan and apply a machete to them until someone gets upset.
High-speed trading on the other hand--as Clive says there's not much point to it socially (the stock price should end in the same place, and the machines don't add information), and it's now a couple of times we've seen the movie where smart people are sure their complicated strategies will print money, and they do until they don't, and we all pay.
You're saying a system that cares about the order in which orders are placed is "insane"?
I think you might need a dictionary. Or a psychologist.
There are many applications that rely on accurate timing:
2) Civil aviation
4) Just about anything Military
6) Local positioning systems
8) Transport systems (eg Railways)
9) Singalling systems (eg. Traffic control)
10) synchronised radar systems
11) Forensic systems
12) Some critical telemetry systems
Getting consistent accurate signals is hard to do and NTP is not reliable and or accurate enough.
Interesting is that the mobile telco providers set the clock on your android device but only and do so on a signal that drifts +- 1 seconde either way, so you never have accurate time! It appears this is intentional, given that you cannot synch (e.g to NTP) the time on an android device without root access.
Techonolgy on this is extreemly interesting and we are now getting chips on the market that can keep signals accruately enough for the applicatoins listed above for longer periods of time.
Also Power transmission. This is a critical one.
Me too on the Sting remake. Grift 2.0.
The next Carrington Event level solar storm will take care of all of this. Of course, we will have all of about 8 minutes to think about it though. :-)
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.