Aperture Podcast: Gary E. Miller on the GPSD Rollover Bug
By Michael Mimoso | Oct. 28, 2021
GPSD—an open-source service daemon that collects time data from global positioning systems and translates it for GPS-reliant devices and applications—lived a relatively obscure life for decades until last week.
A bug disclosed to the maintainers of GPSD months ago and patched via an update made available in August threatened to rollback time on Oct. 24 to March 2002 for users. The risks from this Y2K-like event could have had widespread impact given GPSD prevalence in many mobile embedded systems, as well as drones, robot submarines, driverless cars, recent generations of manned aircraft, marine navigation systems, and military vehicles. There are also industrial applications where GPSD is used, including things such as flow meters on pipelines.
The bug could have rolled back time on GPSD-reliant devices 1,024 weeks, almost 20 years. Such an event could have affected data integrity with systems dependent on timestamps, for example. Some sensors transmit data regularly and are part of larger systems that take actions based on sensor readings.
In this episode of Claroty’s Aperture Podcast, GPSD principal maintainer Gary E. Miller joins to discuss the bug.
During the discussion, Gary covers:
An in-depth discussion about GPSD’s development and usage
Why the bug was in the codebase
Potential impacts to the various use cases for GPSD
Why changes to the planet that affect time itself helped to blunt the impact of this vulnerability
Some of the management challenges that surround open-source projects.