US warns of risk of global GPS time synchronization problems on Sunday

The US Cybersecurity & Infrastructure Security Agency, or CISA, warns of possible GPS problems that could occur from Sunday. A bug in certain versions of gpsd service daemon will cause devices’ internal clocks to jump back nearly 20 years.

According to the warning, it concerns devices that run gpsd version 3.20, 3.21 or 3.22. Those versions of the daemon were released between December 31, 2019 and January 8, 2021. Version 3.23 was released on August 6 of this year, leaving a little over a year and a half in which that then latest version of gpsd had the bug. CISA “advises administrators of critical pieces of infrastructure that use GPSD to keep track of time, to verify that they are running GPSD version 3.23 or newer.”

GPS software does have a rollover moment, but that happens every 1024 weeks, or 19.6 years, and that event has already happened in 2019. That’s not what this bug is about: the problem lies with a calculation error made in a piece of code written to anticipate a leap second that will occur sometime in the future. If the bug is present in a system, it will occur on Sunday morning and the time on the GPS device will go back to March 2002. If that happens, there is a good chance that a shift will go wrong.

According to the man behind gpsd, the system is used in many and different places: “in mobile embedded systems, and in the map service on Android phones. It is also in drones, robot submarines and self-driving cars. GPSd is also increasingly used in recent generations of manned aircraft, naval navigation systems and military vehicles.” Speaking to The Register, GPSD programmer Gary Miller said financial institutions could be in trouble if they run a GPS-NTP server with the affected version of GPSD on it. It is not known on what scale it will go wrong.