Researchers have uncovered a major vulnerability in Time-Triggered Ethernet (TTE), a network technology commonly used in critical infrastructure such as spacecraft, aircraft, power generation systems and industrial control systems.
The attack targets the coexistence of mission-critical devices (such as flight controls and life support systems) and less important devices (such as passenger WiFi or data collection) on the same network hardware. Mixing these devices on a single network emerged as part of many industries’ efforts to reduce network costs and increase efficiency.
This mix has been considered secure for over a decade, based on a design that prevents the two types of network traffic from interfering with each other. The team’s attack, called PCspooF, is the first of its kind to break this isolation.
In an impressive demonstration, the team used real NASA hardware to recreate a planned Asteroid Redirection Test. The experimental setup controlled a simulated crewed capsule, specifically at the point in the mission where the capsule was preparing to dock with a robotic spacecraft.
“We wanted to determine what the impact would be in a real system,” says Baris Kasikci, assistant professor of computer science and engineering at the University of Michigan. “What would be the harm if someone carried out this attack on a real spaceflight mission?”
Using a small malicious device, the team was able to inject damaging messages into the system, creating a cascading effect that caused the capsule to veer off course and miss its docking entirely.
Here’s how it works: the attack impersonates network switches, which are highly trusted traffic controllers on TTE networks, by sending fake synchronization messages. These messages normally allow network devices to operate on a shared schedule, which lets the most important devices communicate quickly.
“Normally, no device other than the network switch is allowed to send this message, so we applied electromagnetic interference to the switch over an Ethernet cable to get the switch to deliver our malicious message,” says Andrew Loveless, a doctoral student in computer science and engineering at the University of Michigan and a subject matter expert at NASA Johnson Space Center.
This interference acts as a cover for the fake sync message: the noise creates enough of a gap in the switch’s normal operation to let the message through. An easily concealed piece of circuitry in a malicious device connected to the network over Ethernet can inject these messages as many times as needed to disrupt the network.
“Once the attack starts, TTE devices will start to lose sync and reconnect from time to time,” Loveless says.
This disruption gradually causes time-sensitive messages to be dropped or delayed, which can make systems behave unpredictably and sometimes catastrophically. The researchers also explain how to prevent the attack.
Replacing copper Ethernet with fiber optic cables, or installing optical isolators between switches and untrusted devices, eliminates the risk of electromagnetic interference, although it comes with cost and performance tradeoffs. Other options include changing the network layout so that malicious sync messages can never reach the path used by legitimate ones.
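The two invariants the article describes, that only the switch may send sync messages and that a successful attack shows up as devices repeatedly losing sync and reconnecting, can be monitored for on the defender's side. The following is an added example written for this page, not code from the researchers or from any TTE vendor; the frame records, the log line format and the port name `sw-uplink` are constructed assumptions, and real TTE frame formats are not modelled.

```python
"""Defender-side monitor for a TTE-style network (added example, constructed data).

Two checks based on the article's description of PCspooF:
  1. filter_sync_frames: a sync message is only legitimate if it arrives on the
     port that faces the switch; sync frames from any other port are rejected.
  2. resync_storm: devices that keep losing sync and reconnecting within a short
     window are flagged, since that pattern is the attack's visible symptom.
"""
from collections import defaultdict, deque

# Assumption: the end system's switch-facing port is named "sw-uplink".
TRUSTED_SYNC_PORTS = {"sw-uplink"}

# Constructed frame records as (ingress_port, frame_type, sender_id).
FRAMES = [
    ("sw-uplink", "SYNC", "switch-1"),   # legitimate sync from the switch
    ("data-port", "DATA", "wifi-ap"),    # ordinary low-priority traffic
    ("data-port", "SYNC", "unknown"),    # sync message from a non-switch port
]

# Constructed device log lines: "<seconds> <device> <event>".
LOG = [
    "0.0 flight-ctrl LOST_SYNC", "1.0 flight-ctrl RESYNC",
    "3.0 flight-ctrl LOST_SYNC", "4.5 wifi-ap LOST_SYNC",
    "6.0 flight-ctrl LOST_SYNC", "30.0 life-support LOST_SYNC",
]


def filter_sync_frames(frames, trusted_ports=TRUSTED_SYNC_PORTS):
    """Split frames into (accepted, rejected); sync frames that did not arrive
    on a trusted switch-facing port violate the 'only the switch sends sync'
    rule and are rejected before they can influence the device's schedule."""
    accepted, rejected = [], []
    for port, ftype, sender in frames:
        if ftype == "SYNC" and port not in trusted_ports:
            rejected.append((port, ftype, sender))
        else:
            accepted.append((port, ftype, sender))
    return accepted, rejected


def resync_storm(log_lines, window_s=10.0, max_resyncs=2):
    """Return the set of devices that logged LOST_SYNC more than max_resyncs
    times inside any sliding window of window_s seconds."""
    recent, flagged = defaultdict(deque), set()
    for line in log_lines:
        t, dev, event = line.split()
        if event != "LOST_SYNC":
            continue
        q = recent[dev]
        q.append(float(t))
        while q and q[-1] - q[0] > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) > max_resyncs:
            flagged.add(dev)
    return flagged
```

Running it on the constructed data rejects the one sync frame that came in on `data-port` and flags `flight-ctrl`, which lost sync three times in six seconds.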
“Some of these mitigation measures can be implemented very quickly and cheaply,” Kasikci says.
The team explained their findings and presented mitigation recommendations to large companies, organizations and device manufacturers using TTE in 2021. A paper on their work appears in the proceedings of the 2023 IEEE Symposium on Security and Privacy.
“Everyone has been pretty receptive to adopting mitigation measures,” Loveless says. “To our knowledge, there is no current threat to anyone’s safety due to this attack. We were very encouraged by the response we saw from industry and government.”
The study received support from the National Science Foundation.
Source: Zachary Champion for University of Michigan