In short: Researchers from the University of Michigan and NASA have discovered a critical security flaw in a network protocol used in aerospace, airline, power generation and industrial control infrastructure. The vulnerability resides in a system called Time-Triggered Ethernet (TTE).
Time-Triggered Ethernet is a system that allows critical devices, like flight controllers, to run on the same network hardware as non-essential systems, like passenger Wi-Fi. The TTE protocol was born out of the need for cost-effective and efficient ways to share network resources rather than having two entirely separate systems.
The protocol has worked well for over 10 years keeping the two types of traffic separate. However, researchers have developed an attack dubbed PCspooF that exploits a flaw in network switches. The team demonstrated the weakness using real NASA hardware configured to simulate a crewed asteroid redirection test. Moments before the docking procedure, the team sent disruptive messages to the pod’s system that caused a cascade of interrupts and sent the ship past its point of contact.
“We wanted to determine what the impact would be in a real system,” said Michigan assistant professor of computer science and engineering Baris Kasikci. “If someone carried out this attack on a real space mission, what would the damage be?”
Depending on the tests, the results could be catastrophic, resulting in a mad scramble to correct course in the best of scenarios or collisions with objects or other gear in the worst.
Time-Triggered Ethernet switches decide traffic priority. Thus, when a system is competing with another for network time, the one whose status is critical takes priority.
To send fake synchronization messages, the team designed a machine that emulates network switches. However, under the TTE protocol the vulnerable device accepts synchronization signals only from network switches. So the team introduced electromagnetic interference (EMI) through the Ethernet cable to overcome this obstacle. The EMI opens enough of a gap in the protocol's protections to let malicious signals pass.
“Once the attack is underway, TTE devices will begin to sporadically lose synchronization and reconnect repeatedly,” said University of Michigan computer science and engineering doctoral student Andrew Loveless.
A constant stream of messages is not necessary to create chaotic results. Once a few signals get through, the synchronization is completely “unbalanced” and goes wild, while other critical commands are thrown into a queue or completely abandoned.
The research team suggests a few mitigation options. One would be to replace copper Ethernet wire with optical fiber or place isolators between switches and unreliable devices. However, this infrastructure overhaul could prove costly and present performance trade-offs. A cheaper method would be to change the layout of the network so that synchronization messages from a malicious source cannot take the same path as legitimate signals.
Last year, the researchers communicated their findings and suggested mitigations to device manufacturers and companies making and using TTE systems. They do not believe the vulnerability poses an immediate risk to everyday consumers and have not seen any attacks mimicking this vector in the wild.
“Everyone has been very receptive to the adoption of mitigations,” Loveless said. “To our knowledge, there is currently no threat to anyone’s safety from this attack. We have been very encouraged by the response we have seen from industry and government.”
Image credit: NASA/SpaceX