Just imagine waking on Tuesday, January 19, 2038 to utter chaos: Your home electricity, water, and gas services are not working. Your home Internet is down. Your cell phone won’t connect. Your car won’t start. You can’t access your bank account or brokerage service. There is no TV or radio service. If you manage to get any news, you may learn that airports, stores, and schools are all closed, people are trapped in elevators, hospitals are experiencing critical equipment malfunctions, stock markets around the world have closed, there is worldwide traffic gridlock, and emergency services are completely overwhelmed.

The events described above, and much more, could actually happen, not due to terrorists or hackers, but instead due to Y2038.

What is Y2038?

You may be familiar with Y2K, which refers to issues due to the rollover from 1999 to 2000. By contrast, Y2038 stems from how time is fundamentally represented in digital systems, making it a more pervasive issue than Y2K. And of course, it will occur in the year 2038. Other time-related issues exist, but Y2038 is very likely the most consequential time-related issue of our lifetimes.

Y2038 is due to the representation of time in 32-bit signed integers. Many digital systems use “Unix time”, which counts the seconds that have elapsed since January 1, 1970 (the Unix epoch). When a 32-bit signed integer is used for time in seconds, it can only hold a maximum of 2,147,483,647 seconds. At 03:14:08 UTC on January 19, 2038, the count will overflow, flipping to a negative number, leading systems to interpret the date as December 13, 1901. Many systems are not coded to handle dates before 1970 which may lead to system crashes, incorrect timestamps, data corruption, and ultimately failures in critical infrastructure.

Why Does This Matter?

Essentially, ALL digital systems are potentially impacted by Y2038.

Y2038 could significantly disrupt digital systems worldwide, leading to devastating consequences, such as those described at the top of this article. Some of the underlying issues, especially in embedded systems, could take months or even years to address, requiring new hardware and/or significant software changes that may be neither simple nor cost-effective. The financial impacts and legal risks (lawsuits, regulatory penalties) of the ensuing downtime could be staggering, even existential to organizations of all sizes.

Obviously, finding and fixing Y2038-related issues before they cause catastrophes is critically important. A smooth and uneventful continuation of our modern digital world in 2038 and beyond is still possible, but understanding and addressing Y2038 is crucial.

Aren’t all modern digital systems already 64-bit, or will be by 2038?

The short answer is no, not even close.

Most modern servers, laptops, and cell phones are indeed 64-bit systems with 64-bit representations of time. These systems should not be susceptible to Y2038, but applications running on them are still vulnerable to coding bugs, like improperly casting a time value to a 32-bit integer. Such bugs can also exist in the libraries used by applications. Furthermore, many 64-bit systems can run 32-bit applications that are susceptible to Y2038.

Even 64-bit applications can have time-related issues if they rely on legacy code or external systems that are vulnerable to Y2038. For instance, if a 64-bit application communicates with a 32-bit server or device for time-dependent operations, the interconnected ecosystem may still pose significant risks. Just one vulnerable component in an interconnected system can compromise the entire infrastructure.

Importantly, 32-bit embedded systems are far from obsolete. They remain commonly used in a wide variety of industries due to their efficiency, cost-effectiveness, and ability to meet long-term operational needs. Embedded systems control vital infrastructure such as power grids, industrial machinery, telecommunications equipment, and transportation systems, where stability and reliability over decades are often prioritized over cutting-edge upgrades. These systems may have been deployed years ago with no expectation of requiring updates, making them especially vulnerable to Y2038.

What Industries are at Risk of Y2038?

Most industries now use digital systems and are at risk. The industries that are most at risk include:

• Finance and Banking: Transactions, credit card processing, ATMs, and financial databases.
• Transportation: Aviation (planes, helicopters, drones), railroads, automobiles, public transportation, shipping services, traffic control (stop lights, toll stations), and driver databases.
• Telecommunications: Network infrastructure (wired Internet, cellular towers, backhaul), satellites, gateways, switches, routers, WiFi, and other communication systems.
• Critical Infrastructure: Utilities (electric, water, gas), healthcare systems, and government services.
• Military and Defense: Aircraft, ships, tanks and other vehicles, weapons and weapon systems, RADAR, and surveillance and other equipment.

How to Prepare for Y2038?

The first step is to audit existing systems, especially embedded devices and time-dependent applications, to determine if they are vulnerable. Businesses must assess both their hardware and software, ensuring that interconnected systems, regardless of bit architecture, are future-proof.

For some systems, it is possible to test for issues by setting the system clock to a particular date before, at, or beyond 2038. Commercial tools are available to assist with this on common 64-bit systems, although not for 32-bit systems. When possible, this is a very useful technique for finding some issues, but it is not always foolproof. Analyzing each system’s hardware, application architecture, and source code is crucial for identifying vulnerabilities.

Static code analysis tools can assist in identifying at-risk systems and time-sensitive code. Automated analysis of large codebases helps pinpoint vulnerabilities that may otherwise go unnoticed, providing a clear roadmap to addressing these issues well before 2038.

Future AI-driven code analysis tools hold the promise of significantly reducing the level of effort and improving Y2038 assessment accuracy. AI coding assistants (also known as copilots) are already aware of Y2038 issues and can help identify and mitigate them in new code development.

To address Y2038, businesses can:

• Upgrade systems: Migrate from 32-bit to 64-bit architectures where possible. This eliminates the possibility of hardware limitations and eases addressing Y2038 in application software.
• Update software: Ensure applications handle time functions properly, even on 64-bit platforms, and update 32-bit systems and applications to handle the overflow.
• Mitigate risks: For embedded systems that cannot be upgraded easily, implement contingency plans to minimize disruptions and ensure continuity in case of failure.

Why Act Now?

With Y2038 less than 14 years away, time is running out to future-proof your systems. Although 2038 may seem distant, the time required to update or replace critical systems is lengthy, especially in industries where safety, regulatory compliance, and operational stability are paramount.

Many products and embedded systems in industries such as transportation, telecommunications, and industrial control have lifecycles that can easily span 20 to 30 years, meaning that systems currently being deployed could still be in operation in 2038. Failing to address Y2038 now could leave critical systems vulnerable well before the end of their expected life.

Consider that it may become increasingly difficult to find sufficient resources to address the issues as Y2038 approaches. This will be compounded by the fact that in many cases, the original engineers and developers will have moved on or retired, making it harder to identify and fix legacy systems without their expertise. This could lead to delays in identifying and fixing vulnerabilities, increasing both costs and risks.

Ideally, Y2038 certification/compliance for critical infrastructure should be mandated by governments since this would help to avoid widespread disruptions (e.g., by ensuring that critical systems are universally addressed). However, no such mandates currently exist. You can help by reaching out to your representatives, asking for the establishment of legislation requiring Y2038 certification for critical infrastructure.

Apart from legislative mandates, industry standard bodies such as 3GPP, the WiFi Alliance, and others can and should take responsibility for verifying that their particular industry standards are explicitly Y2038-compliant, and adding Y2038-compliance to their certification tests. This will establish the requirement for member companies to address the issues directly, at least for new products. If you participate in an industry standard organization, you can help by discussing Y2038 with organization colleagues and forming a Y2038-focused working group to review and modify your organization’s standards for Y2038-compliance.

As we approach 2038, the general public will gain increasing awareness of Y2038 and demand all consumer products be certified as Y2038-compliant. By that point, it could be too late for companies that have not begun preparations. Companies that begin preparing early will not only have the best chance of mitigating Y2038 in time but will also gain customer good will by proactively addressing the issues.

Take action now by forming a dedicated Y2038 team to assess and mitigate Y2038 risks. Also discuss the issue both internally and with your vendors and system providers. These actions can be your essential first steps in addressing this critical issue.

In summary, Y2038 is a looming crisis that could affect a surprising number of digital systems, even on modern 64-bit platforms. Y2038 should be taken seriously since it is literally an existential risk for many businesses. By preparing early, organizations can not only avoid the potentially catastrophic consequences of ignoring Y2038 but position themselves as market leaders in mitigating one of the most significant time-related issues of our era.

Have you started preparing for Y2038? What challenges have you encountered, and how are you addressing them? Share your strategies and insights in the comments.

About the Author

This article was written by John Lange, founder of Y2038.com which provides information and assistance with Y2038. Mr. Lange holds a BS in Electrical Engineering and an MS in Manufacturing Systems Engineering from The University of Texas at Austin.

Since the mid-’80s, he has designed, developed, and architected software, particularly for embedded systems and high performance computing, for companies including Radian Corp (now URS Corp and SWRI), Applied Materials, VMETRO/Curtiss Wright, Qualcomm, Trendium/JDSU/Viavi Solutions, and T-Mobile. He is a member of PMI and Scrum Alliance, is a Certified Scrum Master, and is active in the Zephyr Project community.

He became interested in time-related issues through his involvement in Y2K mitigation in the late ’90s. He realized that Y2038 would pose a more fundamental and widespread risk, and that most of the mitigation efforts for Y2K did not address Y2038. Mr. Lange launched Y2038.com in 2000.

He can be reached via LinkedIn or the Y2038 website at https://y2038.com/contact-us/.