The Y2K38 Bug Is a Vulnerability, Not Just a Date Problem, Researchers Warn


Time Manipulation Allows Hackers to Trigger Y2K38 Bug Today

Widely known time-related software bugs that could cause significant disruptions when triggered in more than a decade are actually exploitable by hackers today, researchers warn.

One of the bugs, known as ‘The Year 2038 problem’ and Y2K38, could cause computers to malfunction on January 19, 2038. The issue affects systems that use a 32-bit integer to store time as the number of seconds that have passed since the Unix epoch (January 1, 1970). A 32-bit signed integer variable has a maximum value of 2,147,483,647, which will be reached on January 19, 2038. When the number exceeds its limit and overflows, systems will interpret the date as a negative number, resetting it to December 13, 1901.

Similarly, the ‘Year 2036 problem’ can cause significant disruptions in 2036. This issue is related to the use of the Network Time Protocol (NTP) epoch (January 1, 1900). It affects systems that use older versions of NTP and it will be triggered earlier, on February 7, 2036. 
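The two rollovers described above can be reproduced in a few lines of C. This is an added example, not code from the researchers or from the original article. It shows the value a signed 32-bit time field holds one second past its limit, and how a 32-bit NTP seconds field decodes after February 7, 2036, with and without era handling. The function names, the reference ("pivot") time, and the choice of pivot-based era resolution as the corrected decoding are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01). */
#define NTP_UNIX_OFFSET 2208988800LL
#define TWO_POW_32      4294967296LL

/* Value a signed 32-bit time field ends up holding for a 64-bit Unix time. */
int32_t store_time32(int64_t unix_secs) {
    uint32_t low = (uint32_t)unix_secs;            /* keep the low 32 bits */
    return low >= 0x80000000u ? (int32_t)((int64_t)low - TWO_POW_32)
                              : (int32_t)low;
}

/* 1 if the time survives storage in a signed 32-bit field unchanged. */
int fits_time32(int64_t unix_secs) {
    return unix_secs >= INT32_MIN && unix_secs <= INT32_MAX;
}

/* Legacy decoding: assumes the 32-bit NTP seconds field is always in era 0. */
int64_t ntp_to_unix_era0(uint32_t ntp_secs) {
    return (int64_t)ntp_secs - NTP_UNIX_OFFSET;
}

/* Era-aware decoding: pick the era that puts the result within 2^31 seconds
 * (about 68 years) of a trusted reference time, e.g. a firmware build date. */
int64_t ntp_to_unix_pivot(uint32_t ntp_secs, int64_t pivot_unix) {
    int64_t pivot_ntp = pivot_unix + NTP_UNIX_OFFSET;
    int64_t delta = (int64_t)ntp_secs - (int64_t)(uint32_t)pivot_ntp;
    if (delta >= TWO_POW_32 / 2)   delta -= TWO_POW_32;
    if (delta < -(TWO_POW_32 / 2)) delta += TWO_POW_32;
    return pivot_ntp + delta - NTP_UNIX_OFFSET;
}

int main(void) {
    int64_t t = (int64_t)INT32_MAX + 1;            /* one second past the limit */
    printf("%lld -> %d (fits=%d)\n", (long long)t, (int)store_time32(t),
           fits_time32(t));
    /* Constructed input: NTP seconds field 0, the first second of era 1,
     * decoded against a constructed pivot of 1760000000 (late 2025). */
    printf("era0: %lld  pivot: %lld\n", (long long)ntp_to_unix_era0(0u),
           (long long)ntp_to_unix_pivot(0u, 1760000000LL));
    return 0;
}
```

The era-0 decoder places the first post-rollover second in 1900, while the pivot-based decoder returns 2085978496, which is February 7, 2036.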

Triggering these rollover bugs can cause systems to crash. Beyond the disruption itself, this can have significant cybersecurity implications.

In the case of industrial control systems (ICS) and other operational technology (OT) systems used in critical infrastructure, a time-stamping error could lead to a chain reaction of failures, causing systems to crash, data to become corrupted, or safety protocols to fail, potentially leading to physical damage or risk to human life.

In addition, many cybersecurity systems rely on accurate time, including SSL/TLS certificates, logging and forensics solutions, and time-based authentication and access systems. Threat actors could exploit the Y2K38 bug to bypass security, cause system outages, cover their tracks, or gain unauthorized access to systems.

The Year 2036/2038 bugs are reminiscent of the Y2K bug, which in the year 2000 could have caused widespread failures due to mainframe computers and business systems interpreting the year as 1900 because programmers often used only the last two digits of the year. The Y2K bug was addressed through a global effort that involved updating code, upgrading software, replacing old hardware, and implementing new standards. 

However, the Year 2036/2038 bugs are not as easy to address, as they impact a very large number of systems, including millions of specialized embedded systems that are difficult or impossible to update. 

Moreover, the Y2K bug was in many cases fixed at the software level. The 2036/2038 bugs, on the other hand, in many cases may require fundamental changes to system architecture — migrating from 32-bit integer to 64-bit integer, which can be complex and expensive, particularly in the case of older hardware and legacy software. 

Researchers Trey Darley and Pedro Umbelino have been raising awareness of the Year 2036/2038 bugs and have launched an initiative called the Epochalypse Project.

In a recent presentation at the BruCON security conference, Darley and Umbelino warned that threat actors do not need to wait until 2036 and 2038 to exploit the bugs. 

Attackers could use various time manipulation methods such as GPS spoofing, NTP injection, file format field tampering, and protocol timestamp manipulation to set the time on a targeted system to the year 2036 or 2038 to trigger the bugs whenever they wish. 

While in some cases there may be a warning to users when time is manipulated (such as in the case of TLS), in many cases, such as for machine-to-machine communications, there will not be any alerts. 

“We are vulnerable today,” Umbelino warns. “A threat actor with a minimal amount of sophistication can exploit these rollover issues via time manipulation and attack our infrastructure today.” 

Umbelino, who works at cybersecurity firm BitSight, has identified hundreds of thousands of internet-exposed devices that are potentially impacted, including servers, ICS, and smart TVs. There are also many other impacted systems that are not visible from the web. 

The researcher has confirmed the impact of Y2K38 on cars, routers, printers, smart TVs, alarms and other physical security systems, smartwatches, and ebook readers. He believes highly critical assets such as nuclear submarines, satellites, telecoms systems, power plants, water facilities, missile systems, planes, and trains could be impacted as well. 

Umbelino has started notifying vendors whose products have been found to be vulnerable to Y2K38 attacks. One vendor is Dover Fueling Solutions, which has confirmed that its ProGauge products are vulnerable. These are automatic tank gauging (ATG) devices that are used by gas stations and other organizations to manage fuel inventory, prevent leaks, ensure compliance with environmental regulations, and improve operational efficiency.

The cybersecurity agency CISA announced recently that Dover has released updates for its ProGauge products to patch several vulnerabilities, including CVE-2025-55068, which enables an attacker to manually change the system time, potentially leading to a denial-of-service (DoS) condition.

Umbelino told SecurityWeek that he expects other CVEs to be assigned for time-manipulation vulnerabilities he discovered in ATGs from a different vendor, as well as for flaws he identified in other types of products. 

Patching these types of vulnerabilities can prevent hackers from triggering the Y2K38 flaw. In addition, Umbelino believes that treating the 2036/2038 rollover as a vulnerability instead of a bug (as in the case of Y2K) has some benefits.

“Dealing with a vulnerability, we have other frameworks we can use to classify and prioritise what needs to be fixed, CVSS for example. And it makes sense, if it affects the CIA triad (confidentiality, integrity, availability) and can be triggered by a malicious actor, it is a vulnerability,” the researcher explained.

Darley and Umbelino pointed out that while it’s unlikely that all vulnerable systems can be replaced or updated in time, stakeholders should at least identify and prioritize the most critical systems, implement fixes where possible, and develop contingency plans for systems that cannot be updated. In addition, global coordination is needed to manage the transition. 

However, this is not an easy task. As Umbelino described it for SecurityWeek, “By 2038 we will face a challenge that completely eclipses everything that was done in Y2K, with likely 1000 times more connected systems than we had back then. We don’t have either 1000 times more time nor 1000 times more money. We don’t even know where are all these systems that will break.”
