There’s a seldom-talked about cybersecurity threat that could easily take out ATMs, card networks, exchanges, trading floors and other pieces of financial services infrastructure.
It’s in the way we tell time.
Digital time clocks obtain the time through signals from Global Positioning System satellites that are subject to vulnerabilities, some malicious and others not.
Because of this threat, in the past year, large U.S. banks have been buying atomic clocks that cost $100,000 to $1 million each and are linked to the U.S. Naval Observatory. These give the banks an independent way to verify that their time servers are in sync with the rest of the world.
“The big financial institutions are very serious about protecting access to the precise time and have put in some of the most pristine solutions in the form of these very expensive atomic clocks,” said Kevin Coggins, vice president and lead of positioning, navigation and timing at Booz Allen Hamilton and former cross-functional team leader for PNT across the U.S. Army.
He and others spoke in interviews conducted at a conference hosted by The Alliance for Telecommunications Industry Solutions at the New York Stock Exchange on Tuesday.
Financial companies have done so partly because they have to: The Securities and Exchange Commission’s Rule 613 requires participants in U.S. equity and options markets to synchronize their clocks to within 50 milliseconds of the time maintained by the National Institute of Standards and Technology.
They also do it to be competitive. In trading especially, time lags as small as 10 microseconds can be a deadly disadvantage.
And they do it to stay in business. In any financial network, lack of synchronization among nodes leads to outages. This is true for ATM, card and branch networks. It will also be true as banks adopt distributed-ledger technology.
What is the vulnerability?
The GPS system, which is run by the U.S. Air Force, is generally considered to be accurate. Computers, smartphones, ATMs and other connected devices all rely on it.
It is not that the satellites themselves, which are 12,500 in the air, are getting hacked. The vulnerabilities come about through the signals they emit, which are weak by the time they reach Earth.
“That means that any noise or countersignal on that frequency is going to block reception,” said Dana Goward, president of the Resilient Navigation & Timing Foundation, a nonprofit dedicated to promoting policies that would protect the GPS network.
Any server or device that generates a little bit of noise, intentionally or unintentionally, can prevent a signal from reaching a nearby receiver.
In 2012, a New Jersey truck driver who plugged a $29 GPS jamming device into the cigarette lighter of his company pickup truck to hide his location from his employer interfered with Newark airport’s satellite-based tracking system every time he drove by.
“This happens every day,” Goward said.
Nature is a threat. In a large solar flare, like the Carrington Event in 1859, GPS signals will not get through and satellites may be destroyed, Goward said.
The receivers of GPS signals — most connected devices — are also vulnerable to cyberattack.
“Every GPS receiver is a computer,” Coggins said. “The GPS signal is a computer signal, just like an ethernet connection to a router, except in the case of a router, there are security protocols in place. We’ve had cases of people replacing router firmware with malware in GPS receivers. It’s a sensitive topic because when you look at everything we put GPS into and the fact that it is not as secure as a router, you can’t replace the firmware of most GPS receivers that we’ve employed. It’s expensive to change. Where do you begin? It’s a hard problem for a civil users, and it’s a hard problem for the Department of Defense.”
Hackers are of course a threat.
At the 2015 DEFCON hackers convention, a presenter showed step by step how to build a GPS spoofing device and sold bags of parts to do so for $300, Goward said.
“The next month, the Department of Homeland Security announced that one of their border patrol drones had been hacked by a drug cartel and taken off course through GPS spoofing,” he said. “It’s gotten easier since then.”
The Russian government deceives GPS on a regular basis to protect its officials from drone attacks, he said. The Chinese also spoof GPS frequently in many coastal areas to hide the location of ships, Goward said.
The SEC also worries about the vulnerability of the GPS network.
“We’ve had discussions on that with the Department of Homeland Security,” said Austin Gerig, who is head of the SEC’s Office of Data Science and will become the agency’s first chief data officer on Monday. “We haven’t done anything on rules, regulation, compliance and so on. But we have spent a bit of time trying to assess the likelihood, trying to figure out how we might make it more robust by requiring backups and multiple time servers, especially for regulated entities like exchanges, which have critical infrastructure that financial markets rely on.”
The SEC is likely to assess the risks of GPS and time server vulnerability and gather information on how much the industry has thought about this already and tried to develop solutions on its own, he said. Then it would update time synchronization rules and regulations that would require the system to be more robust for certain entities.
Who should be worried?
“It seems like something a small number of people should be freaked out about,” said Daniel “Dazza” Greenwood, a researcher at MIT Media Lab and founder of CIVICS.com. “Anyone who is responsible for running major financial infrastructure should be thinking about it.”
The large banks should and do worry about this, Goward said.
“But from our perspective as a nonprofit, we worry the least about the financial sector and defense, because they have money, power and manpower, so they ought to be able to protect themselves,” he said.
Major financial hubs in Chicago, New York and San Francisco should be reasonably well protected because they have dedicated fiber and suites of atomic clocks they can use to insulate themselves against any problem with GPS, Goward said.
What his group worries more about are ATM, credit card and point-of-sale networks.
“There are tens of millions, if not hundreds of millions, of nodes that have to be synchronized,” he said. “There is no standard architecture within one company, especially as companies merge and so forth. So it’s impossible to know which of the nodes have which kind of backup clocks, what quality or if they have backup clocks at all. So it’s what you would call a wicked problem.”
What measures should banks be taking?
Only the Air Force can make changes to the GPS system itself. The Air Force is upgrading to more powerful, jamming-resistant satellites being built by Lockheed Martin that are scheduled to be deployed by 2034.
But everyone else can take resiliency measures to prevent being affected by a GPS disruption or outage.
“The problem with the GPS receiver in your phone or your iPad is that it inherently blindly trusts the signal coming in,” Coggins said. “It doesn’t have to be that way. We can incorporate standards and architectures where I pay attention to the signals, I look for things that can give me some degree of trust or mistrust.”
Booz Allen Hamilton is working on a system that would patch the software on GPS receivers and monitor them for signs of intrusion.
A host of vendors offer options to protect timekeeping from any GPS issues. Meinberg makes time servers that work with commercial satellites. AccuBeat and Microchip are among providers of atomic time clocks that independently verify the time. AccuBeat also offers Time FireWall, a system that protects financial timing networks against jamming and spoofing attacks. OPNT offers a terrestrial-based global position, navigation and timing system that it says outperforms GPS.
The ultimate goal
Goward helped write and promote the National Timing, Resilience and Security Act, which President Trump signed in 2018. It requires the Department of Transportation to set up a national, terrestrial, wireless, difficult-to-disrupt timing signal for the country by December of this year.
“They’re going to miss that deadline,” Goward said. “But they’re moving in that direction.”
Goward advocates for a national system in which time is authenticated and can be trusted.
“We don’t have that right now,” he said. “The Air Force is responsible for transmitting GPS signals from satellites. And in their documents they say once it leaves the satellite, we’re not responsible, there’s nobody responsible for protecting the receiver here in America or any place else. We have to have some leadership to have to change that.”