Time-triggered Ethernet is a solution that enables non-essential systems like passenger WiFi to share networking gear with mission-critical devices like flight controllers. Instead of having two completely different systems, a cost-effective and efficient solution to share network resources led to the development of the TTE protocol.
The protocol has successfully kept the two types of traffic apart for more than ten years. However, researchers created a PCspooF attack that takes use of a network switch vulnerability. Using actual NASA equipment built up to mimic a crewed asteroid-redirection test, the scientists showed the flaw.
The team interrupted the capsule’s system just as it was about to dock, causing a series of disturbances that forced the ship to pass its point of contact.
Computer science and engineering assistant professor Baris Kasikci at Michigan remarked, “We wanted to see what the impact would be in a genuine system.” What harm might be caused if this attack were carried out during a legitimate space mission?
According to the experiments, the outcomes might be disastrous, leading to collisions with objects or other craft in the worst-case scenario or a mad dash to correct course in the best-case scenario.
Ethernet switches that are time-triggered determine traffic priority. As a result, when two systems compete for network resources, the one with mission-critical status is given priority.
The team created a device that imitates network switches in order to transmit false synchronization messages. On the vulnerable device, network switches are the only sources of synchronization signals that the TTE protocol will accept. To get over this obstacle, the researchers added electromagnetic interference (EMI) through the Ethernet wire. The security protocol is sufficiently breached by the EMI to let malicious signals pass.
The TTE devices will start irregularly losing synchronization and reconnecting, according to Andrew Loveless, a doctorate student in computer science and engineering at the University of Michigan.
It is not required to communicate constantly in order to produce chaotic outcomes. Once a few signals get through, synchronization is entirely “out of whack,” which cascades into the delay or loss of other mission-critical directives.
The research team offers a few different mitigating strategies. One option would be to move from copper to fiber optic Ethernet wire or to use isolators to separate switches from insecure devices. However, there may be financial and performance costs associated with any infrastructure upgrade. Changing the network layout to prevent malicious synchronization messages from using the same path as legitimate signals would be a less expensive solution.
The manufacturers of devices and businesses that produce and use TTE systems were informed of the researchers’ results and mitigation recommendations last year. They don’t see any attacks using this vector in the wild, and they don’t think the vulnerability poses any imminent risk to regular users.
Everyone has been really open to adopting mitigations, according to Loveless. “As far as we are aware, this incident does not now pose a threat to anyone’s safety. The response we have seen from business and the government has been really encouraging.”