Time Sensitive Networking (TSN) will be an integral component of industrial networking. Time synchronization in TSN is provided by the IEEE-1588, Precision Time Protocol (PTP) protocol. The standard, dating back to 2008, marginally addresses security aspects, notably not encompassing the frames designed for management purposes (Type Length Values or TLVs). In this work we show that the TLVs can be abused by an attacker to reconfigure, manipulate, or shut down time synchronization. The effects of such an attack can be serious, ranging from interruption of operations to actual unintended behavior of industrial devices, possibly resulting in physical damages or even harm to operators. The paper analyzes the root causes of this vulnerability, and provides concrete examples of attacks leveraging it to de-synchronize the clocks, showing that they can succeed with limited resources, realistically available to a malicious actor.

时间敏感网络 (TSN) 将成为工业网络不可或缺的组成部分。TSN 中的时间同步由 IEEE-1588 精确时间协议 (PTP) 协议提供。该标准可追溯到 2008 年，略微涉及安全方面，特别是不包含为管理目的而设计的帧（类型长度值或 TLV）。在这项工作中，我们展示了攻击者可以滥用 TLV 来重新配置、操纵或关闭时间同步。这种攻击的影响可能很严重，从操作中断到工业设备的实际意外行为，可能导致物理损坏甚至对操作员造成伤害。本文分析了此漏洞的根本原因，并提供了利用它使时钟去同步的攻击的具体示例，