Researchers at the University of Michigan and NASA have discovered a critical security flaw within a networking protocol used in aerospace, airline, energy generation, and industrial control infrastructures. The vulnerability lies in a system called “time-triggered Ethernet” (TTE).
Time-triggered Ethernet is a system that allows mission-critical devices, like flight controllers, to run on the same networking hardware as non-essential systems, like passenger WiFi. The TTE protocol came about because of the need for cost-effective and efficient ways to share network resources rather than having two entirely separate systems.
The protocol has worked fine for over 10 years in keeping the two types of traffic segregated. However, researchers developed an attack dubbed PCspooF that exploits a flaw in network switches. The team demonstrated the weakness using real NASA hardware set up to simulate a crewed asteroid-redirection test. A moment before the docking procedure, the team sent disruptive messages to the capsule’s system that caused a cascade of interruptions and sent the vessel past its point of contact.
“We wanted to determine what the impact would be in a real system,” said Michigan’s Assistant Professor of Computer Science and Engineering Baris Kasikci. “If someone executed this attack in a real spaceflight mission, what would the damage be?”
According to the tests, the results could be catastrophic, resulting in a mad scramble to correct course in the best of scenarios or collisions with objects or other craft in the worst.
Time-triggered Ethernet switches decide traffic priority. So when one system competes with another for network time, the one with mission-critical status gets prioritized.
To send fake synchronization messages, the team devised a machine that emulates network switches. However, the TTE protocol only accepts synchronization signals from network switches on the vulnerable device. So the team introduced electromagnetic interference (EMI) through the Ethernet cable to overcome this hurdle. The EMI creates enough of a gap in the security protocol to allow malicious signals to get through.
“Once the attack is underway, the TTE devices will start sporadically losing synchronization and reconnecting repeatedly,” said University of Michigan computer science and engineering doctoral student Andrew Loveless.
A constant stream of messaging is not necessary to create chaotic results. Once a few signals get through, synchronization gets thrown completely “out of whack,” and cascades as other mission-critical commands get thrown in a queue or dropped altogether.
There are a few mitigation options the research team suggests. One would be to swap out copper Ethernet wire with fiber optics or place isolators between switches and untrusted devices. However, this infrastructure overhaul could prove expensive and presents performance tradeoffs. A cheaper method would be to change the network layout so that synchronization messages from a malicious source cannot travel over the same path as legitimate signals.
Last year, the researchers communicated their findings and mitigation suggestions to device manufacturers and companies making and using TTE systems. They don’t believe the vulnerability poses any immediate risk to everyday consumers and have not seen any attacks that mimic this vector in the wild.
“Everyone has been highly receptive about adopting mitigations,” Loveless said. “To our knowledge, there is not a current threat to anyone’s safety because of this attack. We have been very encouraged by the response we have seen from industry and government.”