A serious security weakness in a networking protocol used in aerospace, airline, energy generation, and industrial control infrastructures has been uncovered by researchers from the University of Michigan and NASA. The flaw is in a system known as “time-triggered Ethernet” (TTE).
Time-triggered Ethernet is a networking technology that allows mission-critical devices, such as flight controllers, to share networking hardware with non-essential systems, such as passenger WiFi. The TTE protocol arose from the necessity for cost-effective and efficient methods of sharing network resources rather than having two completely independent systems.
The protocol has worked fine for over 10 years in keeping the two types of traffic segregated. However, researchers developed an attack dubbed PCspooF that exploits a flaw in network switches. The team demonstrated the weakness using real NASA hardware set up to simulate a crewed asteroid-redirection test. A moment before the docking procedure, the team sent disruptive messages to the capsule’s system that caused a cascade of interruptions and sent the vessel past its point of contact.
“We wanted to determine what the impact would be in a real system,” said Michigan’s Assistant Professor of Computer Science and Engineering Baris Kasikci. “If someone executed this attack in a real spaceflight mission, what would the damage be?”
According to the tests, the results could be catastrophic, resulting in a mad scramble to correct course in the best of scenarios or collisions with objects or other craft in the worst.
Time-triggered Ethernet switches decide traffic priority. So when one system competes with another for network time, the one with mission-critical status gets prioritized.
To send fake synchronization messages, the team devised a machine that emulates network switches. However, on the vulnerable device the TTE protocol accepts synchronization signals only from network switches. So the team introduced electromagnetic interference (EMI) through the Ethernet cable to overcome this hurdle. The EMI creates enough of a gap in the security protocol to allow malicious signals to get through.
“Once the attack is underway, the TTE devices will start sporadically losing synchronization and reconnecting repeatedly,” said University of Michigan computer science and engineering doctoral student Andrew Loveless.
A constant stream of messaging is not necessary to create chaotic results. Once a few signals get through, synchronization gets thrown completely “out of whack,” and the disruption cascades as other mission-critical commands get thrown in a queue or dropped altogether.
The research team suggests a few mitigation options. One would be to replace copper Ethernet wire with fiber optics or place isolators between switches and untrusted devices. However, this infrastructure overhaul could prove expensive and presents performance tradeoffs. A cheaper method would be to change the network layout so that synchronization messages from a malicious source cannot travel over the same path as legitimate signals.
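As an added illustration of the layout mitigation (this is not code from the researchers or the article), the following Python check models a network as directed links and reports every link that both legitimate synchronization messages and frames from an untrusted device can traverse. The device names, the `device:port` notation and the treatment of forwarding as plain reachability are assumptions made for the example.

```python
from collections import deque

def reachable_links(links, start, switches):
    """Directed links a frame sent by `start` could traverse.
    Only nodes in `switches` forward frames; device ports are sinks."""
    found, visited, queue = set(), {start}, deque([start])
    while queue:
        node = queue.popleft()
        for src, dst in links:
            if src != node:
                continue
            found.add((src, dst))
            if dst in switches and dst not in visited:
                visited.add(dst)
                queue.append(dst)
    return found

def shared_sync_links(links, switches, sync_sources, untrusted):
    """Map each untrusted device to the links it shares with sync traffic."""
    sync = set()
    for source in sync_sources:
        sync |= reachable_links(links, source, switches)
    findings = {}
    for dev in untrusted:
        overlap = sorted(reachable_links(links, dev, switches) & sync)
        if overlap:
            findings[dev] = overlap
    return findings

# Constructed topologies (hypothetical names, not from the article).
SWITCHES = {"sw_sync", "sw_be"}
# Weak: the untrusted access point hangs off the switch that delivers sync.
WEAK = [("sw_sync", "flight_ctrl:A"), ("sw_sync", "nav_unit:A"),
        ("wifi_ap", "sw_sync")]
# Revised: untrusted traffic reaches the controller on a separate port via
# a separate switch, so it never rides a sync-carrying link.
REVISED = [("sw_sync", "flight_ctrl:A"), ("sw_sync", "nav_unit:A"),
           ("wifi_ap", "sw_be"), ("sw_be", "flight_ctrl:B"),
           ("sw_be", "cabin_display")]

def audit(links):
    """Audit a layout with sw_sync as sync source and wifi_ap as untrusted."""
    return shared_sync_links(links, SWITCHES, ["sw_sync"], ["wifi_ap"])

if __name__ == "__main__":
    print("weak layout:", audit(WEAK))
    print("revised layout:", audit(REVISED))
```

An empty result means no untrusted device shares a link with synchronization traffic in the modelled layout; adding an uplink from `sw_be` to `sw_sync` makes the finding reappear.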
Last year, the researchers communicated their findings and mitigation suggestions to device manufacturers and companies making and using TTE systems. They don’t believe the vulnerability poses any immediate risk to everyday consumers and have not seen any attacks that mimic this vector in the wild.
“Everyone has been highly receptive about adopting mitigations,” Loveless said. “To our knowledge, there is not a current threat to anyone’s safety because of this attack. We have been very encouraged by the response we have seen from industry and government.”