Well, one example of a timing attack is replaying. It’s a fucking classic, chefs kiss kind of signaling attack where you bypass the need to understand what’s going on by just saying it verbatim using your capacity to accurately reproduce some information, easily sidestepping all kinds of shibboleths.

Before computers replaying was used during both ww1 and ww2 to confuse and misdirect radio operators and back when keyless entry was a newfangled thing it was used to spoof the unique signals each manufacturer chose to use. Even after they all switched to rolling codes, replaying is a way to both desynchronize the owners fob and replay their command at almost the same time, getting you into the car.

In computing, replaying would be a fantastic way for a man in the middle to pretend like he knew some password or was some service, indicated by an encrypted or hashed transmission the man in the middle could just store and replay. Darla can listen in to the way alfalfa says the password to the he man woman haters club and with good practice, recite it convincingly!

If Darla were a computer then even alfalfas securely hashed password would be no problem because she doesn’t need to pronounce it, but just reproduce it in all its unpronounceable hexadecimal glory.

But if the instructions for the he man woman haters club authentication was instead an encrypted transmission saying “the clubs clock says it’s 4:15.45.6789 pm April twentieth 1969. When you reply with your password hash, include the clubs clock time down to the millisecond.” Now Darla can’t just replay alfalfas hashed authentication token because it’s the wrong time!

Because of ntp, girls remain not allowed.

How would such an attack affect the printer? Who can say! I can speculate that an interloper could make it do things the user could, like print stuff, burn up the nozzle or smash into its extents. The printer controller is basically just a little computer so gaining access to it as an authenticated user might make it easier to escalate privileges and use it like any other computer might be used by a malicious actor as well.

Let’s say though, that part of the out of the box setup is connecting to the printer through some app or program. You want encrypted tls for that and you want the user or their software to exchange certificates to make it all official, but that technology requires that time be synchronized between the two devices in order to do so. If the printer has inaccurate enough time it can’t even negotiate a secure connection with the owners phone app they use to send it instructions.

So ntp makes sense in this case. If you’re gonna be doing communication you gotta do it responsibly and it’s good that iot stuff like this is making some effort!

E: I realized I glossed over some stuff assuming you’d make some jumps and in the cold light of morning that might not actually be the case.

Uhh, let me be clear: what is much closer to reality is that the guard doesn’t assert the clubs clock time but instead relies on all parties knowledge of utc (gmt but long and made by fat people) and there’s a snappy little back and forth between Darla and the door guard at the hmwhc where Darla asserts her systems time a few times and the door guard is able to use that to reasonably expect what a hashed token containing her understanding of the current time could be off by.

Now when she tries to pass alfalfas hashed password and current time token she fails because it doesn’t match her expected time or the door guards and there’s even possibly a record of who asserted and when, giving a forensic chain that can be used in legal proceedings against women!

Hashing is exactly what it sounds like, but math. Just like at the breakfast spot, it’s when you take your easily recognizable potato with the word “formosissima” carved into it and cut it into a bunch of equally sized pieces. It’s still all there, just made into a hash! If someone knew exactly your cutting process they could put the tater back together and have a big ol meltdown over it.

That simple system where you figure out how incapable of telling time your unknown, untrustworthy weirdo attempting to gain access to some resource is, then expect them to cough up a token that contains hashes of both that resources shared secret and the time and then check em out to make sure they’re reasonable is a super straightforward way to implement the “actually look at the id being presented at the bar” test in computers.

This is so widespread that you can’t do credit card transactions without it, can’t establish secure http connections to websites without it and most certainly can’t responsibly pass credentials back and forth without it.

But why would that be required if the printer is only on the local network? Because we can’t trust the local network any more than the internet! The end user could be responsible Laura, carefully considering what devices are allowed on her local network and rotating keys when any of those devices spend time on another network or they could be Steve who just kinda does whatever and hasn’t changed his password in over a decade.

What if we could trust the local network though? Well, in that case you’d want to be coloring inside the lines of the end users expected behavior a make sure to not predicate operating the thingamabob you’re selling on making insecure http connections that the browser pitches a hissy fit over.

Okay but what specifically do bad guys try to do with machines they’ve escalated privileges on? Well botnets are the obvious answer. Iot devices like appliances and whatnot are a juicy target too because once you’ve go one you can more easily find a quicker and more persistent way to get into more and suddenly that million plus unit install base is your oyster!

With all that hopefully a little clearer, why should these things even be on the local network? Well, you can’t do network printing if you’re not on the network, can you! It’s a feature that brings a lot more users to the table and removes reliance on any particular weird port or the increasingly untrustworthy universal port. Nowadays people expect it even!