Some computers that base their clocks on GPS are rolling back in time due to a strange Y2K-like bug. The problem mainly affects industrial systems and infrastructure, such as NTP servers, which can fail or perform incorrectly without the correct time. But why is this happening?
Before we answer that question, we should take a quick look back at the Y2K Bug. Researchers in the 20th century realized that, because most computers based their clocks on the last two digits of a year, they would think that the year 2000 is actually 1900.
This problem could (and did) cause computers to wig out, but global software update initiatives led by governments and private companies effectively mitigated the Y2K Bug (it took a lot of work). We did such a good job preventing a Y2K catastrophe that, somewhat ironically, people now think of it as a big joke.
Today’s weird bug is similar to Y2K, sort of. The problem stems from a bug in some versions of GPSD, a GPS service daemon that lets phones, computers, military equipment, servers, and other devices pull data from GPS receivers.
This is going to sound like the jankiest idea you’ve ever heard, but the Global Positioning System keeps track of time by counting the number of weeks since January 5th, 1980. It regularly broadcasts a 10-bit code to tell GPS receivers what time it is, but this 10-bit code can only count up to 1,023 weeks. Once that number is reached, the counter resets to zero.
That’s exactly what happened today, October 24th. Normally, computers using GPSD to determine the time would simply ignore that the Global Positioning System reset its date counter. But a bug in versions 3.20 to 3.22 of GPSD causes affected computers to think the date is March of 2002—exactly 1,024 weeks ago.
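The 1,024-week arithmetic described above, as an added example (not code from the article or from GPSD): it expands a 10-bit week number against a known-past pivot date, shows how a stale pivot lands in March 2002, and flags a clock that lags a trusted one by a whole number of eras. The epoch constant, function names and pivot dates are assumptions of this example.

```python
from datetime import date, timedelta

# Assumption of this example: GPS week 0 began at 00:00 UTC on 1980-01-06,
# which is still the evening of January 5th in US time zones.
GPS_EPOCH = date(1980, 1, 6)
ROLLOVER = 1 << 10                     # a 10-bit counter wraps every 1,024 weeks
ERA_DAYS = ROLLOVER * 7


def broadcast_week(day: date) -> int:
    """10-bit week number broadcast during the week containing `day`."""
    return ((day - GPS_EPOCH).days // 7) % ROLLOVER


def resolve_week(week10: int, pivot: date) -> int:
    """Expand a 10-bit week to a full week count.

    `pivot` is a date known to be in the past, such as a build date. The
    result is the first matching week at or after the pivot's week, so it is
    only right while the pivot is less than 1,024 weeks old.
    """
    if not 0 <= week10 < ROLLOVER:
        raise ValueError("week number does not fit in 10 bits")
    pivot_week = (pivot - GPS_EPOCH).days // 7
    return pivot_week + (week10 - pivot_week) % ROLLOVER


def week_start(full_week: int) -> date:
    """Calendar date on which the given full GPS week begins."""
    return GPS_EPOCH + timedelta(weeks=full_week)


def eras_behind(reported: date, trusted: date, tolerance_days: int = 2) -> int:
    """Whole 1,024-week eras by which `reported` lags `trusted`, else 0."""
    lag = (trusted - reported).days
    eras = round(lag / ERA_DAYS)
    if eras >= 1 and abs(lag - eras * ERA_DAYS) <= tolerance_days:
        return eras
    return 0


if __name__ == "__main__":
    today = date(2021, 10, 24)                    # date given in the article
    w = broadcast_week(today)
    good = week_start(resolve_week(w, date(2021, 1, 1)))   # recent pivot
    stale = week_start(resolve_week(w, date(2000, 1, 1)))  # pivot over an era old
    print(w, good, stale, eras_behind(stale, today))
```

Comparing a GPS-derived date against an independent clock with `eras_behind` is one way to spot the rollback on systems where its effects are not otherwise visible.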
Funny enough, the bugged versions of GPSD were shipped until January of 2021. It seems that this problem was only identified a few days ago, when the Cybersecurity and Infrastructure Agency warned critical infrastructure operators that their systems may need an update.
People who operate servers, industrial equipment, or critical infrastructure should check that any systems using GPSD are running version 3.23 or later. Bear in mind that the effects of this bug may not be obvious on some systems.
Source: CISA via Malwarebytes