Researchers at the University of Michigan and NASA are warning of a major flaw in TTE (Time-Triggered Ethernet, standardized as SAE AS6802), a protocol used in a wide range of critical systems, including spacecraft, aircraft, energy generation and industrial control systems.
TTE reduces cost and improves efficiency by letting mission-critical devices (like flight controls) share the same network hardware as non-critical systems (like passenger Wi-Fi), while a synchronized, time-triggered schedule ensures the two classes of traffic cannot interfere with each other.
The researchers' attack, dubbed PCspooF, breaks that isolation by injecting forged protocol control frames (PCFs), the synchronization messages that keep every TTE device on the shared schedule.
Electromagnetic Interference
“Normally, no device besides a network switch is allowed to send this message, so in order to get the switch to forward our malicious message, we conducted electromagnetic interference into it over an Ethernet cable,” University of Michigan doctoral student and NASA Johnson Space Center subject matter expert Andrew Loveless explained in a statement.
The conducted interference induces enough faulty behaviour in the switch that it forwards the spoofed frame instead of dropping it; once the fake synchronization message reaches the end systems, the TTE devices repeatedly lose synchronization and reconnect.
“A single injection can cause TTE devices to lose synchronization for up to a second and fail to transmit tens of TT messages – both of which can cause the failure of critical systems,” the team noted in an IEEE research paper.
The researchers disclosed their findings to device manufacturers and, following that coordinated effort, say they are unaware of any immediate threat from the vulnerability.
Sending a Spacecraft Off Course
To demonstrate the flaw, the researchers used a single malicious device to disrupt a simulated crewed capsule’s attempt to dock with a spacecraft, causing the capsule to veer off course and fail to dock.
“We wanted to determine what the impact would be in a real system,” said Baris Kasikci, Morris Wellman Faculty Development Assistant Professor of Computer Science and Engineering. “If someone executed this attack in a real spaceflight mission, what would the damage be?”
In a video detailing the findings, Kasikci said a malicious device like the one used in the demo could be introduced into a network through an untrusted supply chain.
“[T]here’s benefits in procuring equipment from untrusted supply chains because they’re readily available, there’s no verification effort, you don’t incur a lot of costs,” Kasikci said. “But at the same time you can be vulnerable in such settings.”
Effective Mitigations
The good news is that there are several viable ways to mitigate the threat.
Fixes suggested by the researchers include replacing copper Ethernet with fiber optic cables (which do not carry conducted interference), installing optical isolators between switches and untrusted devices, or changing the network layout so that synchronization messages from untrusted devices can never share a path with legitimate ones. The first two remove the EMI injection path; the third removes the spoofed message's route even if a switch misbehaves.
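The third mitigation amounts to a trust boundary on synchronization traffic: a PCF is only meaningful if it arrives on a link wired to a configured synchronization source, and anything else should be dropped and flagged. The following model of a per-port PCF ingress policy is an added example, not code from the PCspooF paper or from any TTE vendor; the PCF EtherType value, the simplified frame layout and the MAC addresses are assumptions, and the traffic it replays is constructed.

```python
"""Per-port ingress policy for TTE-style protocol control frames (PCFs).

Added example, not from the PCspooF paper or a vendor. The EtherType,
frame layout and addresses below are simplifying assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumption: a dedicated EtherType marks PCFs, the synchronization
# messages PCspooF forges. 0x891D is a placeholder, not taken from the article.
PCF_ETHERTYPE = 0x891D
IPV4_ETHERTYPE = 0x0800


@dataclass
class Frame:
    ingress_port: int
    dst_mac: bytes
    src_mac: bytes
    ethertype: int
    payload: bytes

    @classmethod
    def parse(cls, ingress_port: int, raw: bytes) -> "Frame":
        """Parse an Ethernet II header; runt frames are rejected outright."""
        if len(raw) < 14:
            raise ValueError(f"runt frame ({len(raw)} bytes) on port {ingress_port}")
        return cls(ingress_port, raw[0:6], raw[6:12],
                   int.from_bytes(raw[12:14], "big"), raw[14:])


@dataclass
class PcfIngressPolicy:
    """Forward PCFs only from ports wired to configured sync sources
    (the switch uplink or a designated sync master); drop and record the rest."""
    sync_ports: frozenset
    forwarded: List[Frame] = field(default_factory=list)
    dropped: List[Tuple[int, str]] = field(default_factory=list)

    def handle(self, frame: Frame) -> bool:
        """Return True if forwarded, False if the frame was dropped and alerted on."""
        if frame.ethertype == PCF_ETHERTYPE and frame.ingress_port not in self.sync_ports:
            # A PCF arriving from an ordinary end-system port is the PCspooF precondition.
            self.dropped.append((frame.ingress_port, frame.src_mac.hex(":")))
            return False
        self.forwarded.append(frame)
        return True


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble a raw Ethernet II frame (constructed test input)."""
    return dst + src + ethertype.to_bytes(2, "big") + payload


def run_demo() -> Tuple[int, int, List[Tuple[int, str]]]:
    """Replay constructed traffic through the policy.
    Returns (forwarded_count, dropped_count, alerts)."""
    switch_mac = bytes.fromhex("02000000aa01")  # constructed addresses
    flight_ctl = bytes.fromhex("02000000aa02")
    wifi_ap = bytes.fromhex("02000000aa03")
    bcast = b"\xff" * 6

    # Port 0: uplink to the switch; port 1: configured sync master;
    # ports 2-3: untrusted end systems (e.g. the cabin Wi-Fi access point).
    policy = PcfIngressPolicy(sync_ports=frozenset({0, 1}))

    traffic = [
        # legitimate PCF from the switch uplink
        (0, build_frame(bcast, switch_mac, PCF_ETHERTYPE, b"\x01" + b"\x00" * 45)),
        # ordinary best-effort traffic from the Wi-Fi access point
        (3, build_frame(flight_ctl, wifi_ap, IPV4_ETHERTYPE, b"\x45" + b"\x00" * 45)),
        # spoofed PCF injected by a malicious device on an end-system port
        (3, build_frame(bcast, wifi_ap, PCF_ETHERTYPE, b"\x01" + b"\x00" * 45)),
    ]
    for port, raw in traffic:
        policy.handle(Frame.parse(port, raw))
    return len(policy.forwarded), len(policy.dropped), list(policy.dropped)


if __name__ == "__main__":
    fwd, drp, alerts = run_demo()
    print(f"forwarded={fwd} dropped={drp}")
    for port, mac in alerts:
        print(f"ALERT: PCF from non-sync port {port} (src {mac})")
```

The policy keys on the ingress port rather than the source MAC because the attacker controls the MAC it puts in the frame; the physical port is the one thing a device plugged in through an untrusted supply chain cannot choose. Note that the paper's point is precisely that EMI can make a switch skip a check like this, so the port policy is a defence in depth alongside the physical-layer fixes (fiber, optical isolators), not a replacement for them.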
“Some of these mitigations could be implemented very quickly and cheaply,” Kasikci said.
The researchers disclosed their findings to major organizations and device manufacturers last year, and Loveless said they’ve been receptive about the recommended mitigations.
“To our knowledge, there is not a current threat to anyone’s safety because of this attack,” he said. “We have been very encouraged by the response we have seen from industry and government.”