If your apps or gadgets break down on Sunday, this may be why: Gpsd bug to roll back clocks to 2002
Alternative headline: Yet another widely used project maintained thanklessly by 'some random person in Nebraska'
Come Sunday, October 24, 2021, those using applications that rely on gpsd for handling time data may find that they're living 1,024 weeks – 19.6 years – in the past.
A bug in gpsd that rolls clocks back to March, 2002, is set to strike this coming weekend.
The programming blunder was identified on July 24, 2021, and the errant code commit, written two years ago, has since been fixed. Now it's just a matter of making sure that every application and device deploying gpsd has applied the patch.
The Network Time Protocol (NTP) provides a way for devices and services to keep accurate time using a hierarchical set of servers rated in terms of precision, with "stratum 0" representing the most accurate time sources.
Gpsd is a service daemon that translates data from Global Positioning System (GPS), Global Navigation Satellite System (GNSS), and Automatic Identification System (AIS) transmission sources into a common format that's suitable for client applications. It's used to provide clock information to ntpd, the NTP daemon used by operating systems, to sync a device's system clock to time provided by a GPS/GNSS/AIS receiver – GPS satellites rely on multiple atomic clocks so their time data is highly accurate.
Gpsd is widely used. It's implemented in applications like Kismet, GpsDrive, gpeGPS, roadmap, roadnav, navit, viking, tangogps, foxtrot, obdgpslogger, geohist, LiveGPS, geoclue, qlandkartegt, gpredict, OpenCPN, gpsd-navigator, gpsd-ais-viewer, and Firefox.
It's available in Android, Linux, macOS, and other Unix-like operating systems. The gpsd website says the software shows up in mobile embedded systems like UAVs, robot submarines, driverless cars, and in applications used in marine navigation and military IFF (Identification Friend or Foe) systems.
GPS satellites keep track of the number of weeks that have passed since January 5, 1980. And they broadcast the week number as a 10-bit unsigned integer, which can represent values from 0 to 1023. So every 1024 weeks, or 19.6 years, the system rolls over.
The first time this happened was at the end of Saturday, August 21, 1999; the second time was at the end of Saturday, April 6, 2019. The third GPS week rollover is not scheduled to occur until Saturday, November 20, 2038, but the bug in gpsd – related to an integrity check routine in anticipation of a future leap second – will reset the GPS week number as that Saturday concludes and Sunday begins.
Gary Miller, maintainer of gpsd, acknowledged making the error, a simple miscalculation. The bug was introduced at the end of 2019 and is present in versions 3.20, 3.21 and 3.22. The latest official release with the fix is 3.23.1, from September 9, 2021.
Zero to 100
The patch has been backported by Debian to their 3.22 series, Miller told The Register in an email.
Asked to estimate the likelihood that things will go awry has a result of people not patching this bug, Miller said, "Depending on what GPS/GNSS receiver is in use, and how it is configured, the chance is either 0 per cent or 100 per cent. Devices configured to output 'Standard' NMEA, will not be affected. Devices, like those from u-blox, running in binary message mode, will be affected."
- Microsoft admits to yet more printing problems in Windows as back-at-the-office folks asked for admin credentials
- Bad news, AMD fans: This week's Windows 11 update didn't fix your performance woes (they may be worse)
- Microsoft Patch Tuesday bug harvest festival comes to town
- Brewdog might make an OK pint but its security sucks: Flaw opened door to free beers for anyone
Miller, who is retired, told The Register in a phone conversation that he maintains gpsd because it's more interesting than playing Sudoku. Nonetheless, he'd welcome support for the project, particularly GPS equipment that he could use for testing.
"Some random guy, who refuses to out himself, used his company GPS simulator to find this bug a few months ago," he said. "I sure wish I had some equipment like that. But most GNSS manufacturers just ignore gpsd. Even when we find bugs in their stuff."
Miller, who asked that GPS kit maker Meinberg be recognized for its support for gpsd, said he's not sure who is actually using the software he maintains. "I know for a fact that a lot of military stuff uses it," he said, pointing to "man-portable" or "manpack" radios. "I know it's in at least one rocket system. I'm told it's in tanks and delivery trucks and divers' watches."
I know for a fact that a lot of military stuff uses it
But determining which of these systems, if any, will suffer adverse effects is difficult. Older versions of the software, 3.19 and earlier, should be okay because they preceded the offending commit. So manufacturers who have not updated their software in years may emerge unscathed.
"The people who are going to be potentially blind-sided are the people who throw up a GPS network time protocol client and look at it every two years – which is a lot," said Miller. "I don't know how big ... I suspect we'll find versions of NTP appliances that got updated two years ago and they all fall flat on the 24th."
Miller suggested financial firms might also run into compliance problems. By law, he said, every market transaction has to be accurately time stamped. If somebody bought the wrong GPS NTP time server and put it in their brokerage house, it could get ugly, he said.
"There will be issues," said Miller. "A few people will be blindsided, and a few of them will take it out on me and it's my mistake."
Life imitates art ... Source: Randall Munroe/XKCD. Used with permission
In his email, Miller included a link to an XKCD comic from last year that's widely known among software developers. It depicts a complex tower of blocks, representing "All modern digital infrastructure," propped up by a fragile column labelled, "A project some random person in Nebraska has been thanklessly maintaining since 2003."
"Well, I'm the guy from Nebraska," said Miller. "Omaha to be precise." ®
- AdBlock Plus
- Advanced persistent threat
- Black Hat
- Black Hole
- Bug Bounty
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Microsoft 365
- Microsoft Office
- Microsoft Teams
- Network interface card
- Network switch
- Palo Alto Networks
- Programming Language
- Quantum key distribution
- Radio Access Network
- Remote Access Trojan
- Retro computing
- RSA Conference
- Search Engine
- Software bug
- Software-defined network
- Software License
- Streaming video
- Submarine cable
- Systems Approach
- Trusted Platform Module
- Visual Studio
- Visual Studio Code
- Web Browser
- World Wide Web
- Zero trust