A vulnerability in network technology widely used in space and aircraft could, if successfully exploited, have disastrous effects on those critical systems, according to academics.
That includes putting crewed NASA missions in peril – if someone were able to get into a position to pull off such an attack, natch. Abusing this flaw does require a number of steps and being able to intrude upon the critical system’s network, which may be non-trivial.
In a study published today, boffins at the University of Michigan in the US, with some help from NASA, detailed the flaw and a technique to exploit it, which they dubbed PCspooF. Exploiting PCspooF can cause critical systems on a network to malfunction by disrupting their timing.
To draw attention to the issue, the team used the US space agency’s hardware and software to simulate the now-abandoned Asteroid Redirection Mission, and focused on the point in the program when a manned Orion capsule was supposed to dock with a robotic spacecraft.
Spoiler alert: PCspooF caused this simulated Orion to veer off course, miss the dock entirely, and float away into fake space, putting the humans on board in potentially considerable danger.
The flaw exists in a technology called Time-Triggered Ethernet (TTE), which the study’s authors describe as the “network backbone” for spacecraft including NASA’s Orion crew capsule, its Lunar Gateway space station, and ESA’s Ariane 6 launcher. TTE is also used in aircraft and energy generation systems, and apparently is seen as a “leading contender” to potentially replace the standard Controller Area Network bus and FlexRay communications protocols, we’re told.
TTE allows critical, time-triggered (TT) network traffic — tightly synchronized, scheduled messages between important systems — to share the same switches and networks with non-critical traffic without disruption. The messages for the critical systems are allowed to get through and take effect.
Additionally, TTE is compatible with standard Ethernet, which is typically used by these non-critical systems. TTE isolates the time-triggered traffic from the so-called “best-effort” traffic: messages from non-critical systems are delivered around the more-important timed traffic. And this type of design, which blends critical and non-critical device traffic on a single network, allows mission-critical systems to run on lower-cost networking hardware while preventing the two types of traffic from meddling with each other.
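To make the isolation idea above concrete, here is a toy model of a single TTE-style switch egress port, written for this article as an added illustration; it is not the TTE/AS6802 standard, NASA code, or anything from the study. Time-triggered frames own fixed slots in a repeating cycle; best-effort frames are transmitted only in the gaps, and only when they will finish before the next scheduled slot. The stream names, slot offsets, frame lengths and the tick-based time unit are all constructed.

```python
"""Toy model of a Time-Triggered Ethernet (TTE) egress port (constructed example).

TT frames have fixed slots in a repeating cycle; BE frames only use the gaps
and must finish before the next TT slot starts. The property demonstrated:
BE load, however heavy or badly sized, never moves a TT frame.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class TTSlot:
    stream: str   # assumed stream name, e.g. "nav"
    offset: int   # start of the slot within the cycle, in ticks
    length: int   # ticks the link is reserved for this stream


@dataclass
class BEFrame:
    name: str
    arrival: int  # tick at which the frame is queued for transmission
    length: int   # ticks needed on the wire


def next_tt_start(schedule, t, cycle):
    """Earliest TT slot start at or after tick t."""
    base = t - (t % cycle)
    starts = []
    for slot in schedule:
        start = base + slot.offset
        if start < t:
            start += cycle
        starts.append(start)
    return min(starts)


def simulate(schedule, be_frames, cycle, horizon):
    """Return [(start_tick, kind, name)] for every frame put on the wire."""
    log = []
    pending = deque(sorted(be_frames, key=lambda f: f.arrival))
    busy_until = 0
    for t in range(horizon):
        if t < busy_until:
            continue  # link is mid-frame
        phase = t % cycle
        slot = next((s for s in schedule if s.offset == phase), None)
        if slot is not None:
            # TT slot: transmitted unconditionally at its scheduled tick
            log.append((t, "TT", slot.stream))
            busy_until = t + slot.length
            continue
        # Gap: send the first queued BE frame that fits before the next TT slot.
        # A frame that never fits is starved rather than allowed to delay TT traffic.
        deadline = next_tt_start(schedule, t, cycle)
        for i, frame in enumerate(pending):
            if frame.arrival > t:
                break  # queue is sorted by arrival; nothing later is ready
            if t + frame.length <= deadline:
                del pending[i]
                log.append((t, "BE", frame.name))
                busy_until = t + frame.length
                break
    return log


def tt_times(log):
    """Only the TT transmissions, for comparing runs with and without BE load."""
    return [(t, name) for t, kind, name in log if kind == "TT"]


# Constructed schedule and best-effort load
CYCLE = 10
SCHEDULE = [TTSlot("nav", 0, 2), TTSlot("thrust", 5, 2)]
BE_LOAD = [
    BEFrame("telemetry", 1, 2),  # fits in the 2..5 gap
    BEFrame("bulk", 1, 4),       # too long for any gap: never sent
    BEFrame("log", 12, 3),       # fits in the 12..15 gap
]

if __name__ == "__main__":
    for entry in simulate(SCHEDULE, BE_LOAD, CYCLE, 20):
        print(entry)
```

Running it shows the two TT streams landing at ticks 0, 5, 10 and 15 whether or not any BE frames are queued, while the oversized "bulk" frame is simply never transmitted. That is the isolation property the article describes: the non-critical traffic fills in around the schedule, and it cannot push the schedule around.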
Breaking the isolation barrier
PCspooF, according to the researchers, is the first-ever attack to break this isolation.
At a very high level, the attack works by disrupting a synchronization mechanism in TTE, or more specifically: its protocol control frames. These are the messages that keep critical devices running on a shared schedule and ensure they communicate as expected.
Disrupting these frames would require access to the network: think malware in a compromised non-critical device, or a malicious connected box of electronics. So an attacker would need to smuggle bad equipment onto a craft, slip malicious devices into the supply chain, or compromise a device already on the network.
The researchers determined that the non-critical equipment on the network can infer private information about the time-triggered part of the network. The devices can use this info to craft malicious synchronization messages to break the system. To get these phony messages transferred over the network, switches have to be tricked into doing so using electromagnetic interference.
“Normally, no device besides a network switch is allowed to send this message, so in order to get the switch to forward our malicious message, we conducted electromagnetic interference into it over an Ethernet cable,” explained Andrew Loveless, a U-M doctoral student in computer science and subject-matter expert at the NASA Johnson Space Center.
“Once the attack is underway, the TTE devices will start sporadically losing synchronization and reconnecting repeatedly,” Loveless said.
A successful attack can cause TTE devices to lose synchronization for up to a second, thus failing to forward “tens” of time-triggered messages and causing critical systems to fail. “In the worst case, PCspooF causes these outcomes simultaneously for all TTE devices in the network,” the researchers wrote.
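Two things in the account above give a defender something to monitor for: only switches are supposed to originate protocol control frames, and a successful attack shows up as devices repeatedly losing and regaining synchronization. The following checks are an added example written for this article, not code from the researchers or from any TTE vendor; the frame and event records, field names, port labels and thresholds are constructed and are not the AS6802 wire format.

```python
"""Defender-side checks for a TTE-style network (constructed example).

Check 1: a protocol control frame (PCF) arriving on a port that is not
         switch-facing is flagged, since only switches should send them.
Check 2: a device with a burst of sync-loss events inside a short window is
         flagged as flapping, the symptom the researchers describe.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    tick: int
    port: str   # ingress port on the monitored switch (assumed naming)
    kind: str   # "TT", "BE" or "PCF"
    src: str    # assumed device label


@dataclass(frozen=True)
class SyncEvent:
    tick: int
    device: str
    state: str  # "lost" or "resynced"


# Assumed: ports p0 and p1 face other switches / synchronization masters;
# everything else is an end-system port that must never originate a PCF.
SWITCH_PORTS = frozenset({"p0", "p1"})


def rogue_pcfs(frames, switch_ports=SWITCH_PORTS):
    """PCFs that entered on a port not designated as switch-facing."""
    return [f for f in frames if f.kind == "PCF" and f.port not in switch_ports]


def flapping_devices(events, window, threshold):
    """Map device -> max number of 'lost' events seen in any window of ticks,
    restricted to devices that reach the threshold."""
    lost_ticks = defaultdict(list)
    for e in events:
        if e.state == "lost":
            lost_ticks[e.device].append(e.tick)
    flagged = {}
    for device, ticks in lost_ticks.items():
        ticks.sort()
        best, lo = 0, 0
        for hi, t in enumerate(ticks):          # sliding window over sorted ticks
            while t - ticks[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[device] = best
    return flagged


def report(frames, events, window=300, threshold=3):
    """Combine both checks into one structure suitable for alerting."""
    return {
        "rogue_pcfs": [(f.tick, f.port, f.src) for f in rogue_pcfs(frames)],
        "flapping": flapping_devices(events, window, threshold),
    }


# Constructed sample traffic: normal PCFs from a switch port, ordinary TT/BE
# frames, and one PCF that shows up on an end-system port.
FRAMES = [
    Frame(0, "p0", "PCF", "switch-a"),
    Frame(2, "p2", "TT", "gnc"),
    Frame(4, "p5", "BE", "payload-exp"),
    Frame(10, "p0", "PCF", "switch-a"),
    Frame(40, "p5", "PCF", "payload-exp"),   # should never happen
    Frame(42, "p2", "TT", "gnc"),
]

# Constructed sync-state log: "gnc" flaps repeatedly, "imu" drops once.
EVENTS = [
    SyncEvent(50, "gnc", "lost"), SyncEvent(60, "gnc", "resynced"),
    SyncEvent(120, "gnc", "lost"), SyncEvent(130, "gnc", "resynced"),
    SyncEvent(200, "gnc", "lost"), SyncEvent(210, "gnc", "resynced"),
    SyncEvent(250, "gnc", "lost"),
    SyncEvent(300, "imu", "lost"), SyncEvent(310, "imu", "resynced"),
]

if __name__ == "__main__":
    print(report(FRAMES, EVENTS))
```

The first check is a static allow-list: it needs nothing more than knowing which ports are wired to switches, which a spacecraft or aircraft integrator already knows. The second is a rate check on an existing health signal, so it can run on whatever sync-state telemetry the end systems already emit; a single dropout (the "imu" device here) stays below the threshold, while the repeated loss-and-resync pattern on "gnc" is reported.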
After successfully testing the attack in a simulated environment, the researchers disclosed the vulnerability to organizations using TTE including NASA, ESA, Northrop Grumman Space Systems, and Airbus Defense and Space. Based on the research, NASA is reconsidering how it onboards experiments and verifies commercial off-the-shelf hardware to ensure no one is exploiting this issue with malicious or compromised devices. ®