Time Attacks (Timing Attacks; sdwdate and/or ntpd downgrade attacks)

Time Attacks (Timing Attacks; sdwdate and/or ntpd downgrade attacks)


What are the sine qua non indicia of attacks in this form?

Are sudden, time desynchronisations in the Whonix Gateway and Workstation > 30 m, but suspiciously within 1 h of atomic time, but also different vs. one another, even considering the boot clock randomization settings for vbox, that don’t cause a “broken” sdwdate “lock” in the sdwdate-gui tray icon necessarily, prima facie evidence of such an attack’s success? Of adversarial sophistication?

Obviously, to the victim, such an attack would only raise to a level of suspicion that he has been at best correlated if not owned more outright upon a background of other physical indicia and a heightened vulnerability due, e.g., to physical location, etc.


If the above are strong evidence of such an attack’s success, assuming a (probably quasi-) state actor threat model, what is the practical upshot? Consequences? Mitigations?

1 Like

sdwdate can have issues for many reasons. Onion time sources could have slow/fast clocks (not likely). Could be user error (confusion about time zones).

prerequisite knowledge;

See also sdwdate log to see what happened.

No. See;
Valid Compromise Indicators versus Invalid Compromise Indicators

(Whonix is based on Kicksecure.)

See also:

1 Like