HOUSTON, WE HAVE A VULNERABILITY — Researchers break security guarantees of TTE networking used in spacecraft Used by NASA and many others, time-triggered Ethernet safety can be compromised.

Dan Goodin – Nov 15, 2022 4:00 pm UTC Enlarge / People look inside an Orion spacecraft simulator, which is used to train for docking to the Gateway space station, at the Johnson Space Center’s System Engineering Simulator facility in Houston.Getty Images reader comments 76 with 0 posters participating Share this story Share on Facebook Share on Twitter Share on Reddit

Wednesday’s scheduled launch by NASA of the Artemis I mission will be the first integrated test of the agencys SLS rocket and Orion spacecraft, which have been in development for 16 years and are expected to usher in a new era of space exploration. The uncrewed mission will also be only the second time a network standard known as time-triggered Ethernet has been taken into space, with the first being Orion’s orbital test flight in 2014.

Time-triggered Ethernet (TTE) is an example of a mixed-criticality network, which is capable of routing traffic with differing levels of timing and different fault tolerance requirements over the same set of hardware. Until now, spacecraft generally relied on one network to transmit safety-critical or mission-critical messages and one or more completely segregated ones for carrying video conferencing and other types of less-critical traffic. Enlarge / Illustration of how time-triggered Ethernet works.TTTech Engineers built a better mousetrap. The mice defeat it anyway

Orion is the first spacecraft to rely on a TTE network to route mixed-criticality traffic, whether, NASA says, it’s for vital systems like navigation and life support, file transfers that are critical for delivery but not timing, or non-critical tasks such as crew videoconferencing. TTEwhich will also be used in NASAs Lunar Gateway space station and the ESAs Ariane 6 launcheris crucial for reducing the size, weight, cost, and power requirements of modern spacecraft. Enlarge / Example of TTE data flow in a spacecraft.NASA

Safety-critical systems, like those for steering and engine control, often work only when network messages are sent and received at intervals as small as 40 to 50 milliseconds. Delayed or dropped messages can be catastrophic. The other end of the criticality spectrum contains messages sent by scientific instruments, which often come in the form of commercial off-the-shelf devices and are provided by universities or outside researchers with minimal safety review from NASA. While its 100 percent compatible with the Ethernet standard, TTE is also able to deliver messages that engineers normally reserve for special-purpose networks. Advertisement

To prevent less-important messages from interfering with critical ones, TTE provides two key benefits not available in regular Ethernet. They are: A time-triggered paradigm where all devices are tightly synchronized and send messages at a predetermined schedule. This can reduce latency to hundreds of microseconds and jitter to near zero. Fault toleranceTTE replicates the whole network into multiple planes and forwards messages across all planes at once. The TTE network onboard Gateway has three planes. EnlargeTTTech

On Tuesday, researchers published findings that, for the first time, break TTEs isolation guarantees. The result is PCspooF, an attack that allows a single non-critical device connected to a single plane to disrupt synchronization and communication between TTE devices on all planes. The attack works by exploiting a vulnerability in the TTE protocol. The work was completed by researchers at the University of Michigan, the University of Pennsylvania, and NASA’s Johnson Space Center.

Our evaluation shows that successful attacks are possible in seconds and that each successful attack can cause TTE devices to lose synchronization for up to a second and drop tens of TT messagesboth of which can result in the failure of critical systems like aircraft or automobiles, the researchers wrote. We also show that, in a simulated spaceflight mission, PCspooF causes uncontrolled maneuvers that threaten safety and mission success. Enlarge / Artemis Network Validation and Integration Laboratory (ANVIL) at NASA Johnson Space Center, where much of the research into PCspooF was conducted.NASA

PCspooF can be built onto as little as a 2.5 cm2.5 cm area of a single-layer printed circuit board and requires minimal power and network bandwidth, which allows a malicious device to blend in with all the other best-effort devices connected to the network. The researchers privately reported their findings to NASA and other big stakeholders in TTE. In an email, a NASA representative wrote, NASA teams are aware of the findings from research on TTE and have taken proactive measures to ensure potential risks to spacecraft are appropriately mitigated. Page: 1 2 3 Next → reader comments 76 with 0 posters participating Share this story Share on Facebook Share on Twitter Share on Reddit Dan Goodin Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. Email dan.goodin@arstechnica.com Advertisement Channel Ars Technica ← Previous story Next story → Related Stories Today on Ars