NTP security questions


#1

I have several IoT devices with hard-coded DNS and NTP addresses.
I used some firewall rules to redirect all those requests to my Omnia.
The Omnia is getting the time from several NTP servers and it is a NTP server itself for all the clients.
NTP requests are not signed or encrypted; I was able to redirect the client to use my NTP server very easily.
Is there a risk that someone may do the same with my Omnia? A man-in-the-middle NTP attack?
If the Omnia internal clock is changed to the wrong time, would DNSSEC and TLS stop working?
Is this mitigated by the RTC chip?

From your documentation

When cryptography is used, exact time may be of utmost importance. Without proper time and date, electronic signatures cannot be correctly verified because all certificates have limited validity. This is true for HTTPS certificates as well as for DNSSEC. This is why, unlike other routers, Omnia has an RTC chip with battery backup which ensures that even after loss of power, the date and time are properly preserved. This mitigates one particular type of security attack.


#2

Yes. You don’t really need exact time, i.e. a couple of hours’ slide is OK I believe, even from a security point of view. Turris has some IP addresses for NTP hard-coded by default, so it should be able to recover from this.

Secure NTP: I don’t really know anything about this, but I haven’t heard of a widely usable secure version yet. In theory, a secure tunnel to a trusted NTP server could do it easily, though it’s a bit of a chicken-and-egg problem. Obtaining private keys is still rather hard, even if they could be expired for years, so I don’t expect these kinds of attacks to be practical nowadays (beyond DoS, meaning it’s more convenient to attack via other means).


#3

The fully fledged ntpd daemon, which since TOS 3.11.x is not installable any more, provides certain hardening features which the castrated busybox version is lacking:

interface listen ip
interface ignore wildcard
restrict ip
restrict default kod notrap nomodify nopeer limited
restrict source notrap nomodify noquery
restrict ip mask 255.255.255.0 notrust
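Added example, not from this thread or from the Turris project: a small Python model of the checks a cautious NTP client (the role the Omnia plays for the IoT devices in #1) can make before stepping its clock, given that the packets themselves are unsigned. It parses RFC 5905 v4 replies, computes the four-timestamp offset, rejects replies whose origin field does not echo the request it sent, takes a majority vote across several upstreams so one redirected or spoofed server is outvoted, and refuses any step larger than the "couple of hours" mentioned in #2. All server replies are constructed locally (no network I/O); the function names, the 90-day spoof value and the 2-hour limit are this example's own assumptions.

```python
"""Parse NTP v4 replies, compute the clock offset, and apply the checks a cautious
client makes before stepping its clock: origin-timestamp match, majority agreement
across several servers, and a maximum sane step.  Hypothetical demo; every server
reply is constructed locally and nothing is sent on the network."""
import struct

NTP_FMT = "!BBBb" + "I" * 11          # 48-byte header, RFC 5905 layout
NTP_EPOCH_OFFSET = 2208988800         # seconds from 1900-01-01 to 1970-01-01

def to_ntp(ts):
    sec = int(ts)
    return sec + NTP_EPOCH_OFFSET, int((ts - sec) * 2**32)

def from_ntp(sec, frac):
    return sec - NTP_EPOCH_OFFSET + frac / 2**32

def build_request(t1):
    """Client packet: LI=0, version 4, mode 3, transmit timestamp = T1."""
    s, f = to_ntp(t1)
    return struct.pack(NTP_FMT, (4 << 3) | 3, 0, 6, -20, 0, 0, 0, 0, 0, 0, 0, 0, 0, s, f)

def build_reply(request, server_time, stratum=2):
    """Constructed server reply (mode 4).  An honest server copies the client's
    transmit timestamp into the origin field; the origin check below relies on that."""
    req = struct.unpack(NTP_FMT, request)
    s, f = to_ntp(server_time)
    return struct.pack(NTP_FMT, (4 << 3) | 4, stratum, 6, -20, 0, 0, 0x4C4F434C,
                       s, f, req[13], req[14], s, f, s, f)

def parse_reply(packet):
    if len(packet) != 48:
        raise ValueError("unexpected packet length")
    fields = struct.unpack(NTP_FMT, packet)
    li, mode, stratum = fields[0] >> 6, fields[0] & 7, fields[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if li == 3 or stratum == 0 or stratum > 15:
        raise ValueError("server unsynchronised or kiss-o'-death")
    return {"stratum": stratum,
            "origin": from_ntp(fields[9], fields[10]),
            "receive": from_ntp(fields[11], fields[12]),
            "transmit": from_ntp(fields[13], fields[14])}

def compute_offset(reply, t1, t4):
    """Standard four-timestamp offset; rejects replies whose origin field does not
    echo our own T1 (a blind forger that never saw the request cannot know it)."""
    if abs(reply["origin"] - t1) > 1e-3:
        raise ValueError("origin timestamp mismatch")
    return ((reply["receive"] - t1) + (reply["transmit"] - t4)) / 2

def agreed_offset(offsets, tolerance=1.0):
    """Median of the largest group of servers agreeing within `tolerance`, provided
    that group is a strict majority; otherwise None (no trustworthy answer)."""
    best = []
    for o in offsets:
        cluster = [x for x in offsets if abs(x - o) <= tolerance]
        if len(cluster) > len(best):
            best = cluster
    if 2 * len(best) <= len(offsets):
        return None
    best.sort()
    return best[len(best) // 2]

def within_sane_step(offset, max_step=2 * 3600):
    """Refuse to step the clock by more than max_step (the 'couple of hours' in #2)."""
    return abs(offset) <= max_step

def collect_offsets(client_now, server_times, rtt=0.1):
    """Simulate one exchange per upstream: T1 = our clock, T4 = T1 + constructed RTT."""
    offsets = []
    for st in server_times:
        t1 = client_now
        reply = parse_reply(build_reply(build_request(t1), st))
        offsets.append(compute_offset(reply, t1, t1 + rtt))
    return offsets

def blind_spoof_rejected(client_now):
    """A forged reply built against a guessed T1 fails the origin check."""
    forged = build_reply(build_request(client_now - 5), client_now + 3600)
    try:
        compute_offset(parse_reply(forged), client_now, client_now + 0.1)
    except ValueError:
        return True
    return False

def run_demo():
    now = 1_700_000_000.0                          # constructed client clock
    honest = [now + 0.02, now + 0.05, now - 0.01]  # three genuine upstreams
    spoofed = now + 90 * 86400                     # one redirected upstream, 90 days ahead
    offsets = collect_offsets(now, honest + [spoofed])
    return {"offsets": offsets,
            "agreed": agreed_offset(offsets),          # the honest cluster wins
            "spoof_alone_sane": within_sane_step(offsets[-1]),
            "blind_spoof_rejected": blind_spoof_rejected(now)}

if __name__ == "__main__":
    print(run_demo())
```

The majority vote is only as good as the independence of the upstreams: if every configured server sits behind the same redirecting hop, all four offsets agree and the vote passes, which is why the RTC-backed sanity limit is kept as a separate, last-line check rather than folded into the vote.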