NTPClient

Do not trust blindly any NTP server from pool.ntp.org

Open jdoe1024 opened this issue 5 years ago • 2 comments

Anyone can set up an NTP server and have it registered in pool.ntp.org. An attacker can run such a server and decide to return wrong timestamps for whatever reasons. Also, these servers can be misconfigured and return wrong timestamps as well.

That's why most NTP clients query multiple NTP servers (3-4) and only adopt the time from servers with coherent timestamps. Something similar should be done in this library.

Also, the server response should be validated (the stratum field in particular, which must be between 1-15).

jdoe1024 avatar Mar 16 '20 02:03 jdoe1024
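A sketch of the two checks requested in the issue above, added here as an example; it is not code from NTPClient or from the issue author. All function names are hypothetical, the replies are constructed in memory rather than captured, the mode and leap-indicator checks come from RFC 5905 rather than from the issue, and only the transmit timestamp is compared (network delay is ignored).

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

// Added example, not NTPClient code; every name below is hypothetical.
const uint32_t kNtpToUnix = 2208988800UL;  // seconds from 1900-01-01 to 1970-01-01

// Validate one 48-byte server reply; on success store its transmit time (Unix seconds).
bool parseReply(const std::vector<uint8_t>& p, uint32_t& unixOut) {
    if (p.size() < 48) return false;
    uint8_t leap = p[0] >> 6, mode = p[0] & 0x07, stratum = p[1];
    if (mode != 4) return false;                    // RFC 5905: mode 4 = server
    if (leap == 3) return false;                    // RFC 5905: clock unsynchronized
    if (stratum < 1 || stratum > 15) return false;  // the check asked for in the issue
    uint32_t secs = (uint32_t(p[40]) << 24) | (uint32_t(p[41]) << 16) |
                    (uint32_t(p[42]) << 8) | uint32_t(p[43]);
    if (secs < kNtpToUnix) return false;            // zero or pre-1970 transmit time
    unixOut = secs - kNtpToUnix;
    return true;
}

// Constructed reply for the demo (not captured traffic).
std::vector<uint8_t> makeReply(uint8_t leap, uint8_t mode, uint8_t stratum, uint32_t unixSecs) {
    std::vector<uint8_t> p(48, 0);
    uint32_t s = unixSecs + kNtpToUnix;
    p[0] = uint8_t((leap << 6) | (4 << 3) | mode);  // version 4
    p[1] = stratum;
    p[40] = uint8_t(s >> 24); p[41] = uint8_t(s >> 16);
    p[42] = uint8_t(s >> 8);  p[43] = uint8_t(s);
    return p;
}

// Adopt a time only when a strict majority of at least 3 valid replies agree
// within tolSec; the result is the median of that agreeing group.
bool coherentTime(const std::vector<std::vector<uint8_t>>& replies, uint32_t tolSec, uint32_t& out) {
    std::vector<uint32_t> t;
    for (const auto& r : replies) { uint32_t u = 0; if (parseReply(r, u)) t.push_back(u); }
    if (t.size() < 3) return false;
    std::sort(t.begin(), t.end());
    size_t bestLo = 0, bestN = 0;
    for (size_t lo = 0, hi = 0; lo < t.size(); ++lo) {
        while (hi < t.size() && t[hi] - t[lo] <= tolSec) ++hi;
        if (hi - lo > bestN) { bestN = hi - lo; bestLo = lo; }
    }
    if (bestN * 2 <= t.size()) return false;        // no majority: keep the old time
    out = t[bestLo + bestN / 2];
    return true;
}
```

When `coherentTime` returns false the caller should keep its current clock value and retry later instead of falling back to a single server's answer.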

Yes, do not trust blindly any NTP server from pool.ntp.org, but you can add protection.

thekunalsaini avatar Mar 20 '20 07:03 thekunalsaini

@jdoe1024

thekunalsaini avatar Mar 20 '20 07:03 thekunalsaini