Researchers break security guarantees of TTE network used in spacecraft

NASA’s scheduled launch of the Artemis I mission on Wednesday will be the first integrated test of the agency’s SLS rocket and Orion spacecraft, which have been in development for 16 years and are expected to usher in a new era of space exploration. The uncrewed mission will also only be the second time a networking standard known as time-triggered Ethernet has been flown into space, the first being Orion’s orbital test flight in 2014.

Time-triggered Ethernet (TTE) is an example of a mixed-criticality network, capable of carrying traffic with different levels of synchronization and different fault tolerance requirements on the same set of hardware. Until now, spacecraft have typically relied on one network to transmit safety or mission critical messages and one or more completely separate messages to carry video conferencing and other less critical types of traffic.

Engineers have built a better mousetrap. The mice beat him anyway

Orion is the first spacecraft to rely on a TTE network to carry mixed-criticality traffic, whether, according to NASA, for vital systems like navigation and life support, file transfers that are critical to delivery but not timing, or non-critical tasks such as crew video conferencing. The TTE, which will also be used in NASA’s Lunar Gateway space station and ESA’s Ariane 6 launch vehicle, is crucial for reducing the size, weight, cost and power requirements of modern spacecraft.

Safety-critical systems, such as those for steering and engine control, often only work when network messages are sent and received at intervals as short as 40 to 50 milliseconds. Delayed or dropped messages can be catastrophic. The other end of the criticality spectrum contains messages sent by scientific instruments, which often come in the form of off-the-shelf commercial devices and are provided by universities or outside researchers with a minimum safety review of The NASA. Although 100% compatible with the Ethernet standard, TTE is also capable of transmitting messages that engineers normally reserve for special-purpose networks.

To prevent less important messages from interfering with critical messages, TTE offers two key advantages that are not available in standard Ethernet. They are:

• A time-triggered paradigm where all devices are tightly synchronized and send messages on a predetermined schedule. This can reduce latency to hundreds of microseconds and jitter to near zero.
• Fault tolerance: TTE replicates the entire network across multiple planes and forwards messages across all planes at once. The TTE network on board the gateway has three planes.

On Tuesday, researchers released results that, for the first time, break TTE’s isolation guarantees. The result is PCspooF, an attack that allows a single non-critical device connected to a single plane to disrupt synchronization and communication between TTE devices on all planes. The attack works by exploiting a vulnerability in the TTE protocol. The work was carried out by researchers from the University of Michigan, University of Pennsylvania and NASA’s Johnson Space Center.

“Our assessment shows that successful attacks are possible within seconds and that each successful attack can cause TTE devices to lose synchronization for up to a second and delete dozens of TT messages, which can lead to the failure of critical systems like planes or automobiles. “, the researchers wrote. “We also show that, in a simulated spaceflight mission, PCspooF causes uncontrolled maneuvers that threaten mission safety and success.”

PCspooF can be built on as little as a 2.5 cm × 2.5 cm area of ​​a single-layer circuit board and requires minimal power and network bandwidth, allowing a malicious device to blend in in all other best-fit connected devices. network. The researchers privately reported their findings to NASA and other major TTE stakeholders. In an email, a NASA representative wrote: “NASA teams are aware of the results of the TTE research and have taken proactive steps to ensure that potential risks to spacecraft are appropriately mitigated”.