Security researchers foil NASA docking procedure with novel attack on Ethernet network

Cal Jeffrey

In brief: Researchers at the University of Michigan and NASA have discovered a critical security flaw within a networking protocol used in aerospace, airline, energy generation, and industrial control infrastructures. The vulnerability lies in a system called "time-triggered Ethernet" (TTE).

Time-triggered Ethernet is a system that allows mission-critical devices, like flight controllers, to run on the same networking hardware as non-essential systems, like passenger WiFi. The TTE protocol came about because of the need for cost-effective and efficient ways to share network resources rather than having two entirely separate systems.

The protocol has worked fine for over 10 years in keeping the two types of traffic segregated. However, researchers developed an attack dubbed PCspooF that exploits a flaw in network switches. The team demonstrated the weakness using real NASA hardware set up to simulate a crewed asteroid-redirection test. A moment before the docking procedure, the team sent disruptive messages to the capsule's system that caused a cascade of interruptions and sent the vessel past its point of contact.

"We wanted to determine what the impact would be in a real system," said Michigan's Assistant Professor of Computer Science and Engineering Baris Kasikci. "If someone executed this attack in a real spaceflight mission, what would the damage be?"

According to the tests, the results could be catastrophic, resulting in a mad scramble to correct course in the best of scenarios or collisions with objects or other craft in the worst.

Time-triggered Ethernet switches decide traffic priority. So when one system competes with another for network time, the one with mission-critical status gets prioritized.

To send fake synchronization messages, the team devised a machine that emulates network switches. However, TTE devices only accept synchronization messages that arrive from a network switch, so the team introduced electromagnetic interference (EMI) over the Ethernet cable to get past this check. The EMI opens enough of a gap in the protocol's protections for the malicious messages to get through.

"Once the attack is underway, the TTE devices will start sporadically losing synchronization and reconnecting repeatedly," said University of Michigan computer science and engineering doctoral student Andrew Loveless.

A constant stream of messaging is not necessary to create chaotic results. Once a few signals get through, synchronization is thrown completely "out of whack," and the failure cascades as other mission-critical commands are queued or dropped altogether.
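As an added example (not from the article or the researchers' work), a small detection that flags end systems showing the sync-loss/resync churn Loveless describes; the log format, the sample lines and the thresholds are assumptions for illustration.

```python
"""Flag TTE end systems that repeatedly lose and regain synchronization.

Assumption (not from the article): each end system logs a line of the form
'<epoch_seconds> <device> <SYNC|UNSYNC>' on every sync-state change.
"""
from collections import defaultdict

# Constructed sample log: ctrl-a flaps three times in a few seconds,
# ctrl-b drops sync once and recovers, which is normal churn.
SAMPLE_LOG = """\
1000.0 ctrl-a UNSYNC
1000.4 ctrl-a SYNC
1001.1 ctrl-a UNSYNC
1001.9 ctrl-a SYNC
1002.5 ctrl-a UNSYNC
1003.0 ctrl-a SYNC
1004.0 ctrl-b UNSYNC
1004.3 ctrl-b SYNC
"""


def parse_sync_events(text):
    """Return {device: [(time, state), ...]} sorted by time; malformed lines are skipped."""
    events = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("SYNC", "UNSYNC"):
            continue
        try:
            t = float(parts[0])
        except ValueError:
            continue
        events[parts[1]].append((t, parts[2]))
    return {dev: sorted(evs) for dev, evs in events.items()}


def flapping_devices(events, window_s=5.0, max_losses=2):
    """Return {device: peak_losses} for devices with more than max_losses
    UNSYNC transitions inside any sliding window of window_s seconds."""
    flagged = {}
    for dev, evs in events.items():
        losses = [t for t, state in evs if state == "UNSYNC"]
        peak, start = 0, 0
        for end in range(len(losses)):
            while losses[end] - losses[start] > window_s:
                start += 1  # slide the window forward
            peak = max(peak, end - start + 1)
        if peak > max_losses:
            flagged[dev] = peak
    return flagged


if __name__ == "__main__":
    print(flapping_devices(parse_sync_events(SAMPLE_LOG)))  # {'ctrl-a': 3}
```

Tune `window_s` and `max_losses` against the normal resync rate of the deployment; a single isolated loss, as with `ctrl-b`, should never trip the rule.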

The research team suggests a few mitigation options. One would be to swap copper Ethernet cabling for fiber optics, or to place isolators between switches and untrusted devices. However, this infrastructure overhaul could prove expensive and presents performance tradeoffs. A cheaper method would be to change the network layout so that synchronization messages from a malicious source cannot travel over the same path as legitimate signals.

Last year, the researchers communicated their findings and mitigation suggestions to device manufacturers and companies making and using TTE systems. They don't believe the vulnerability poses any immediate risk to everyday consumers and have not seen any attacks that mimic this vector in the wild.

"Everyone has been highly receptive about adopting mitigations," Loveless said. "To our knowledge, there is not a current threat to anyone's safety because of this attack. We have been very encouraged by the response we have seen from industry and government."

Image credit: NASA/Space X


 
"Time-triggered Ethernet switches decide traffic priority. So when one system competes with another for network time, the one with mission-critical status gets prioritized."

I'm confused. This has been a basic function of every enterprise-level network management service I've seen since forever, going back at least 20 years.
 
"I'm confused. This has been a basic function of every enterprise-level network management service I've seen since forever, going back at least 20 years."

You're confused because you're mixing this up with layer 3 (IP) QoS, based on the IP header ToS/DSCP fields.

This is layer 2 (Ethernet) QoS, and so can be used for much more than IP and crucially without any routers.
 
What kind of an idiot shares a mission-critical network with the one used by passengers?

It's not like airliners or spaceships cost $1000 and you need to save those extra $50 on the network router. They charge so much, and then they save on critical components. They should be charged a fine so high that they never think of doing something like that again.
 