New Ethernet Cyberattack Crunches Critical Systems
Ethernet, like all communication networks, continues to get faster with the passing years. In recent years, a subset of Ethernet networks, called Time-Triggered Ethernet (TTE), has emerged. TTE networks are built around precise signal timing, using redundant pathways and careful switching to ensure that information arrives precisely when it needs to. Since its introduction, TTE has found a home in flight-critical aircraft systems, NASA spacecraft, and power-generating wind turbines, to name a few.
The consequences for such systems of a TTE network falling out of sync would be understandably catastrophic. Now, researchers have described a first-of-its-kind attack, called PCspooF, that can do just that. The group will be presenting their work at the IEEE Symposium on Security and Privacy conference in May 2023.
IEEE Spectrum spoke with Andrew Loveless and Baris Kasikci, two of the researchers who discovered the attack, about how PCspooF works, what it means for timing-sensitive networks, and some general ways in which the attack can be blocked. The following conversation has been lightly edited for clarity.
Andrew Loveless: The commercial TTE technology used in practice today evolved from the academic “TT-Ethernet” project conducted at TU Wien in the early 2000s. The goal of the project was to take the concept of “time-triggered” communication used in earlier bus-based protocols like TTP/C and apply it to switched Ethernet. That way users got the benefits of both worlds—the determinism of time-triggered communication and the high data rates and widespread availability of Ethernet.
It’s hard to identify the first use of TTE for a mission critical system. One of the earliest seems to be by Sikorsky, which started working with TTE technology in 2008, and used it in the S-97 RAIDER helicopter which first flew in 2015. As of 2009, there were also articles published reporting that NASA and Lockheed Martin were using TTE for the Orion Crew Exploration Vehicle, which was originally part of the Constellation Program and is now being used for Artemis. Vestas seemingly started working with TTE for wind turbine control applications around 2010 and has since used TTE in deployed turbines.
Today, TTE is used in a range of mission-critical and safety-critical systems and vehicles.
How do these TTE networks differ from the kinds of “best effort” networks that people are likely more familiar with?
Loveless: For context, there is a push in industry right now for large embedded and cyber-physical systems to adopt mixed-criticality networks. This means that instead of using separate networks and buses for non-critical devices and critical devices, there is a push to have one network that both critical and non-critical devices can share. This approach has a lot of benefits, including lower size, weight, and power—in general there are fewer cables and switches—and lower development time and costs, because engineers can focus on using just one technology.
Time-Triggered Ethernet (TTE) is one networking technology that is a part of this trend. Some others include Time Sensitive Networking, SpaceWire and SpaceFibre, RapidIO, AFDX, and more. TTE has multiple different traffic classes that are used over the same network. The traffic class with the highest criticality and priority is “time-triggered,” which means that the traffic is exactly pre-scheduled ahead of time to have specific timing properties—for example, to avoid contention in the switch and guarantee a certain worst-case latency and jitter—and is sent simultaneously over redundant network paths. That way the designer can be sure their messages are guaranteed to arrive at the destination successfully and on time. So the TTE technology has this time-triggered traffic class, which is also commonly referred to as TTE.
In addition, TTE technology supports a “best effort” traffic class, which just means that the traffic follows the rules of standard Ethernet. So here the traffic is not redundant, and is not scheduled in time to have certain timing properties. The traffic is referred to as best effort because the TTE network does not provide any guarantees for it—it simply forwards best effort traffic when possible between the critical TTE messages. Best effort traffic is primarily used for allowing non-critical COTS devices to share the TTE network with the critical systems.
You mentioned the industry push for mixed-criticality networks and the benefits they bring (in cost, development time, energy consumption, and so on). It seems that in an ideal world, TTE networks wouldn’t share infrastructure with best effort traffic. Is it as simple as that’s just not practical to do in most cases?
Loveless: Lots of COTS devices do not have the ability to generate Time-Triggered traffic. So, if one wants to include COTS devices in their system, they generally need to support standard (best-effort) Ethernet. In that case, I think the ideal is to have one network that provides perfect isolation between TT and BE traffic flows and allows all TT traffic to meet their timing requirements. In other words, that single network provides the illusion that each TT traffic flow is being carried over a private point-to-point channel from the sender to the receivers. That way, one gets all the safety and security benefits of having completely isolated networks, while only having the cost of a single network.
Loveless: PCspooF is a new attack on TTE networks. It allows a single Ethernet device, such as a best effort device, with a small amount of malicious circuitry to tear down synchronization of the TTE network for a small amount of time. While this happens, it prevents the critical TTE devices from being able to communicate. [As a result], messages that were sent get dropped. The duration of this effect after each successful attack is around one-half second to one full second.
Importantly, the attack allows the attacker to tear down synchronization on all redundant TTE network planes, even if the attacker is only connected to one of the planes. Also, the attack can be successfully repeated at a high rate (as often as every 10 to 15 seconds).
You mentioned PCspooF is a new attack. Is it also accurate that it’s the first attack to exploit TTE networks?
Loveless: Yes. To our knowledge, PCspooF is the first attack to compromise any of TTE’s guarantees.
So how does PCspooF work? What vulnerability or flaw is it exploiting?
Loveless: There are two main vulnerabilities that PCspooF exploits. The first is a vulnerability in Ethernet itself, which is that if an Ethernet switch experiences a sudden reset while a frame is in the middle of being forwarded, the front of that frame can be cut off, and the remainder of the frame will still be sent. PCspooF uses electromagnetic interference to cause this to happen in TTE switches. The attacker stores a malicious message inside a benign frame, sends the frame, then conducts EMI into the switch. The switch then strips the header off the frame and reveals the malicious frame. This mechanism allows the attacker to send a malicious frame that they otherwise should not be allowed to send.
The second vulnerability PCspooF exploits is in the TTE synchronization protocol, which was standardized in SAE AS6802. In that protocol, there is an important step where a select number of switches, called compression masters, send a special synchronization message called a protocol control frame to the TTE end nodes, which they use to correct their clocks. If the contents of this message are malicious, it will cause the TTE devices to lose sync. This is exactly what PCspooF does—it uses the above electromagnetic interference mechanism to spoof this specific protocol control frame (PCF) in order to cause devices to lose sync. Hence the name PCspooF.
How did you discover PCspooF? Was it through practical experimentation, theoretical work and verification, or some other method?
Loveless: From studying the SAE AS6802 standard, we determined that the right protocol control frame from a switch could temporarily disrupt sync. From there, the main challenge was to determine how to get that frame into the network—which we determined through practical experimentation and by building on top of related work on packet-in-packet attacks.
One example you give of how PCspooF can lead to a catastrophic outcome is through simulations you ran modeled after NASA’s (now-shelved) Asteroid Redirect Mission, which would have aimed to move an asteroid into lunar orbit so that astronauts could pay it a visit. How did PCspooF impact the simulations?
Baris Kasikci: We tested our attack at NASA Johnson Space Center on a testbed with several real TTE switches and end systems. That gave us good information about how difficult it is to actually perform the attack and what the impact is on the network itself. However, we also wanted to determine what the impact would be in a real system. For example, if someone executed this attack during a real spaceflight mission, what would the damage be?
For this purpose, we set up a NASA simulation in the testbed, where a representative capsule was flying into space to dock with another spacecraft. We ran the mission multiple times successfully to get a feel for the expected behavior. Then we hooked up a small malicious device to one of the TTE switches to execute the attack while the mission was in progress. What happened is that as the mission progressed, the PCspooF attack repeatedly caused multiple message drops and late message arrivals, which caused the spacecraft to navigate off course. So rather than going up and docking with the other spacecraft, the capsule actually came in at the wrong angle and flew right past it. So we were able to show that the attack has a significant effect on a “real” system (as real as we could get) running real TTE hardware.
[Photo] The ANVIL at the NASA Johnson Space Center. Credit: NASA
Kasikci: We identified several different mitigations that are effective against our attack. In general, they fit into two basic categories. The first category is to block a device from conducting electromagnetic interference into your TTE switch. So one way someone could do that would be using fiber Ethernet cables instead of copper, since fiber cannot conduct an electrical signal. Another option would be to use some sort of optical isolator on the cable between your untrusted device and the switch.
Another option is to make it so that, even if the attacker does inject electromagnetic interference into the switch and causes this malicious protocol control frame (PCF) to go out, the system won’t be affected by it. You can do this by altering the topology of your network, so that the spoofed PCFs never follow the same path as legitimate PCFs. That way, devices can always tell that spoofed PCFs are not legitimate and drop them. Both of these are things designers can do today to protect themselves from this attack.
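The following is an added example, not part of the interview or of the researchers' work, that models the second mitigation Kasikci describes: if the topology guarantees that legitimate PCFs from a given compression master can only reach an end system over one known link, the end system can drop any PCF that claims that master but arrives anywhere else. The PCF record layout, the port numbers, the precision bound and the hold-off time are all constructed for illustration and are not the SAE AS6802 frame format or real TTE parameters.

```python
"""Added example: an ingress-path check for protocol control frames (PCFs),
with a minimal model of what a bad PCF does to an end system's sync state.

All field names, ports and timing constants are constructed assumptions,
not the SAE AS6802 frame layout or real TTE configuration values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pcf:
    plane: str           # redundant network plane, e.g. "A" or "B"
    master_id: int       # hypothetical compression-master identifier
    ingress_port: int    # port on which the end system received the frame
    correction_us: int   # clock correction the PCF asks the receiver to apply


class PathFilter:
    """Accept a PCF only if it arrived on the link its compression master
    is expected to use. The mitigation relies on the topology being laid
    out so that a spoofed PCF can never arrive on that link."""

    def __init__(self, expected_port_for):
        # (plane, master_id) -> the single allowed ingress port
        self.expected_port_for = dict(expected_port_for)
        self.dropped = []   # record of rejected PCFs for later inspection

    def accept(self, pcf):
        allowed = self.expected_port_for.get((pcf.plane, pcf.master_id))
        if allowed != pcf.ingress_port:
            self.dropped.append(pcf)
            return False
        return True


class EndSystem:
    """Toy sync state: the node stays in sync while each applied correction
    is within PRECISION_US; a larger correction knocks it out of sync for
    HOLDOFF_TICKS scheduler slots, during which its time-triggered sends
    are dropped (the effect the interview describes)."""
    PRECISION_US = 10     # constructed bound on an acceptable correction
    HOLDOFF_TICKS = 5     # constructed resync delay, in scheduler ticks

    def __init__(self, pcf_filter=None):
        self.pcf_filter = pcf_filter
        self.unsync_ticks_left = 0
        self.tt_sent = 0
        self.tt_dropped = 0

    def receive_pcf(self, pcf):
        if self.pcf_filter is not None and not self.pcf_filter.accept(pcf):
            return                      # spoofed path: ignore the frame
        if abs(pcf.correction_us) > self.PRECISION_US:
            self.unsync_ticks_left = self.HOLDOFF_TICKS

    def tick(self):
        """One scheduler slot in which this node has a TT frame to send."""
        if self.unsync_ticks_left > 0:
            self.unsync_ticks_left -= 1
            self.tt_dropped += 1
        else:
            self.tt_sent += 1


def run(traffic, use_filter):
    """Replay a list of PCF-or-None events, one per scheduler slot, and
    return (tt_sent, tt_dropped) for the end system."""
    filt = PathFilter({("A", 1): 1, ("B", 1): 2}) if use_filter else None
    node = EndSystem(filt)
    for pcf in traffic:
        if pcf is not None:
            node.receive_pcf(pcf)
        node.tick()
    return node.tt_sent, node.tt_dropped


# Constructed traffic: legitimate PCFs from master 1 arrive on port 1
# (plane A) and port 2 (plane B) with small corrections. One PCF claiming
# master 1 arrives on port 3, the link of an untrusted device, carrying a
# large correction.
SAMPLE_TRAFFIC = [
    Pcf("A", 1, 1, 2), None, Pcf("B", 1, 2, -1), None,
    Pcf("A", 1, 3, 500),          # PCF on the wrong link
    None, None, None, None,
    Pcf("A", 1, 1, 1), None, Pcf("B", 1, 2, 0),
]

if __name__ == "__main__":
    print("without filter (sent, dropped):", run(SAMPLE_TRAFFIC, False))
    print("with filter    (sent, dropped):", run(SAMPLE_TRAFFIC, True))
```

Without the filter the out-of-path PCF is applied and the node drops its next five scheduled sends; with the filter it is discarded and every send goes out. The check is only as strong as the topology assumption behind it: it works because the design guarantees legitimate PCFs never share a path with traffic from untrusted ports, which is the point of the mitigation.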