This includes endangering manned NASA missions: if anyone were able to put themselves in a position to carry out such an attack, natch. Abuse of this flaw requires a series of steps and the ability to intrude on the critical system’s network, which may not be trivial.
In a study released today, researchers at the University of Michigan in the US, with help from NASA, detailed the flaw and a technique for exploiting it, which they dubbed PCspooF. Exploiting PCspooF can cause critical systems on a network to malfunction by disrupting their times.
To draw attention to the problem, the team used US space agency hardware and software to simulate the now-abandoned asteroid redirect mission and focused on the point in the program where a crewed Orion capsule would had to dock with a robotic spacecraft.
Spoiler alert: PCspooF caused this simulated Orion to veer off course, lose its dock entirely, and float away into false space, putting the humans aboard in potentially considerable danger.
The flaw exists in a technology called Time-Triggered Ethernet (TTE), which the study authors describe as the “backbone of the network” for spacecraft, including NASA’s Orion crew capsule, its Lunar Space Station Gateway and ESA’s Ariane 6 launcher. TTE is also used in aircraft and power generation systems, and is apparently seen as a “major competitor” to potentially replace the standard Controller Area Network bus and FlexRay communication protocols, we are told.
TTE allows critical, time-triggered (TT) network traffic (tightly synchronized scheduled messages between important systems) to share the same switches and networks with non-critical traffic without disruption. Messages for critical systems can pass and take effect.
Additionally, TTE is compatible with the Ethernet standard, typically used by these non-critical systems. TTE isolates time-triggered traffic from so-called “best-effort” traffic: Messages from non-critical systems are delivered around the most important timed traffic. And this type of design, which combines traffic from critical and non-critical devices on a single network, allows mission-critical systems to run on low-cost network hardware while preventing the two types of traffic from interfering with each other. with the other.
Break the isolation barrier
PCspooF, according to the researchers, is the first ever attack to break this isolation.
At a very high level, the attack works by disrupting a synchronization mechanism in TTE, or more specifically: its protocol control frames. These are the messages that keep critical devices running on a shared schedule and ensure they’re communicating as expected.
Interrupting these frames would require network access – think malware in a compromised non-critical device or a malicious connected electronics box. Therefore, an attacker would have to smuggle faulty equipment onto an aircraft, insert malicious devices into the supply chain, or compromise a device already on the network.
The researchers determined that non-critical equipment on the network can infer private information about the time-activated part of the network. Devices can use this information to create malicious sync messages to disrupt the system. To carry these bogus messages over the network, switches must be tricked into doing so using electromagnetic interference.
“Normally, no device other than a network switch is allowed to send this message, so to get the switch to forward our malicious message, we conducted electromagnetic interference on it via an Ethernet cable,” explained Andrew Loveless, a computer science and subject matter expert UM doctoral student at NASA’s Johnson Space Center.
“Once the attack is underway, TTE devices will begin to sporadically lose sync and reconnect repeatedly,” Loveless said.
A successful attack can cause TTE devices to go out of sync for up to a second, thus failing to forward “dozens” of time-triggered messages and causing critical systems to fail. “In the worst case, PCspooF causes these results simultaneously for all TTE devices in the network,” the researchers wrote.
After successfully testing the attack in a simulated environment, the researchers disclosed the vulnerability to organizations using TTE, including NASA, ESA, Northrop Grumman Space Systems and Airbus Defense and Space. Based on the research, NASA is reconsidering how it integrates experiments and tests off-the-shelf commercial hardware to ensure that no one is exploiting this issue with malicious or compromised devices. ®