Imagine: A mission to redirect an asteroid using a team of astronauts goes wrong, when a malicious device onboard the spacecraft interferes with its ability to dock with a robotic spacecraft — causing the crewed capsule to veer off course, spinning into space.
Such a mission is still in the planning stages, but the simulated attack demonstrates the danger of a recently discovered vulnerability in the networking protocol used for securely sharing critical messages in software for spacecraft, airplanes, and critical infrastructure. That’s according to researchers from the University of Michigan and NASA, who said the protocol, known as time-triggered ethernet (TTE), reduces the cost of implementing networks for critical infrastructure devices by allowing multiple devices to use the same network without affecting one another.
The vulnerability could be used to disrupt or cause failures in connected devices used in those highly sensitive applications. The researchers tested the attack in several experiments, ending with the simulation of an attack against NASA’s planned Asteroid Redirect Mission. The ARM aims to use “a robotic spacecraft to move an asteroid into a stable orbit around the Moon.” A crewed spacecraft, such as NASA’s Orion, would then “carry astronauts to the asteroid in order to study it, take samples, and return the samples to Earth,” the researchers stated in a paper published this week.
The experiments showed that it’s practical for a simple device using electromagnetic interference to break the isolation that is the cornerstone of the TTE protocol.
The attack demonstrates some of the security issues that have to be considered when implementing networks hosting both critical and non-critical devices — an increasingly common occurrence as the designers of critical systems try to reduce costs and increase efficiency. TTE networks allow critical, time-sensitive traffic to travel on the same network as less critical traffic, known as best-effort (BE) communications. The attack, dubbed PCSPOOF, uses specially crafted interference to corrupt parts of non-critical network packets, allowing malicious data to be injected into critical systems.
“We wanted to determine what the impact would be in a real system,” Baris Kasikci, an assistant professor of computer science and engineering at University of Michigan, said in a statement. “If someone executed this attack in a real spaceflight mission, what would the damage be?”
Critical Infrastructure Under Attack
The attack continues a trend of critical infrastructure and industrial control systems (ICS) being increasingly targeted by cyberattackers. The Cybersecurity and Infrastructure Security Agency (CISA) warned in September that advanced persistent threat (APT) actors had increased attacks against critical infrastructure, such as utilities and industrial targets.
Communications are a common point of entry. In April, CISA warned that attackers had created three malware tools that targeted the Open Platform Communications Unified Architecture (OPC UA), which allows sensors and other devices to exchange data with connected services and software.
Time-triggered networks are tightly synchronized using a global schedule that is loaded into the devices when the network is created, specifying when data frames are expected to be sent and received. The networks typically have low latency and jitter, measures of network delay and variability in bandwidth.
By identifying the IP address of another device on the network — the target — an attacker can determine the critical traffic marker through brute force. The networks allow devices on the same network to communicate with each other with the right critical traffic markers. Using the markers, an attacker could create a protocol control frame that holds data, a technique also known as packet-in-packet attack.
Exploits in Space
The disclosure comes as NASA launched its Artemis rocket after months of delays, the first step in its quest to put people back on the moon. With competition heating up in this second space race, attacks on spacecraft and robotic probes may not be out of the question: The PCSPOOF attack could certainly cause missions to fail in a catastrophic way, the researchers stated in the paper.
“We evaluated PCSPOOF on an avionics testbed for a real spaceflight mission,” the researchers said. “Our results show that PCSPOOF can threaten mission success and safety from a single BE device, such as those used in an onboard research experiment developed by a university.”
Modern TTE networks often do not verify parts of the data packets sent through local subnets, which makes PCSPOOF attacks more achievable. During an attack, researchers gathered information from the targeted TTE network to create a special packet, known as a protocol control frame (PCF), and then injected that frame into the network while creating electromagnetic interference to undermine the switch’s ability to control routing.
As far as defending against such an attack, organizations can replace any copper Ethernet cables with fiber optic, thus eliminating the impact of electromagnetic interference. In addition, the network could be modified to prevent malicious synchronization-control messages from accessing the same devices as legitimate messages.
So far, affected organizations have committed to making the changes, according to Andrew Loveless, a UM doctoral student in computer science and engineering, and subject matter expert at NASA’s Johnson Space Center. The researchers notified NASA, the European Space Agency, Northrop Grumman Space Systems, and Airbus Defense and Space — organizations which use TTE in critical systems.
“To our knowledge, there is not a current threat to anyone’s safety because of this attack,” Loveless says. “We have been very encouraged by the response we have seen from industry and government.”