Researchers break security guarantees of TTE networking used in spacecraft

November 15, 2022
People look inside an Orion spacecraft simulator, which is used to train for docking to the Gateway space station, at the Johnson Space Center's System Engineering Simulator facility in Houston.
Getty Images

Wednesday’s scheduled launch by NASA of the Artemis I mission will be the first integrated test of the agency’s SLS rocket and Orion spacecraft, which have been in development for 16 years and are expected to usher in a new era of space exploration. The uncrewed mission will also be only the second time a network standard known as time-triggered Ethernet has been taken into space, with the first being Orion’s orbital test flight in 2014.

Time-triggered Ethernet (TTE) is an example of a mixed-criticality network, which is capable of routing traffic with differing levels of timing and different fault tolerance requirements over the same set of hardware. Until now, spacecraft generally relied on one network to transmit safety-critical or mission-critical messages and one or more completely segregated ones for carrying video conferencing and other types of less-critical traffic.

Illustration of how time-triggered Ethernet works.

Engineers built a better mousetrap. The mice defeat it anyway

Orion is the first spacecraft to rely on a TTE network to route mixed-criticality traffic, whether, NASA says, it’s for vital systems like navigation and life support, file transfers that are critical for delivery but not timing, or non-critical tasks such as crew videoconferencing. TTE—which will also be used in NASA’s Lunar Gateway space station and the ESA’s Ariane 6 launcher—is crucial for reducing the size, weight, cost, and power requirements of modern spacecraft.

Example of TTE data flow in a spacecraft.

Safety-critical systems, like those for steering and engine control, often work only when network messages are sent and received at intervals as small as 40 to 50 milliseconds. Delayed or dropped messages can be catastrophic. The other end of the criticality spectrum contains messages sent by scientific instruments, which often come in the form of commercial off-the-shelf devices and are provided by universities or outside researchers with minimal safety review from NASA. While it’s 100 percent compatible with the Ethernet standard, TTE is also able to deliver messages that engineers normally reserve for special-purpose networks.

To prevent less-important messages from interfering with critical ones, TTE provides two key benefits not available in regular Ethernet. They are:

  • A time-triggered paradigm where all devices are tightly synchronized and send messages at a predetermined schedule. This can reduce latency to hundreds of microseconds and jitter to near zero.
  • Fault tolerance—TTE replicates the whole network into multiple planes and forwards messages across all planes at once. The TTE network onboard Gateway has three planes.
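To make the two properties above concrete, here is a small Python simulation added for this article (not code from the researchers, NASA, or any TTE vendor). It models one virtual link whose time-triggered frames are sent on a fixed schedule and replicated across three planes, as the article says Gateway's network is; the receiver accepts the first copy that lands inside its acceptance window, discards the redundant copies, and audits which schedule slots never arrived. The period, tolerance, link id and drop/skew pattern are all constructed values.

```python
from dataclasses import dataclass
from collections import defaultdict

# Constructed schedule parameters (not real TTE configuration values).
PERIOD_US = 1000        # one TT frame per 1 ms slot
TOLERANCE_US = 50       # acceptance window around each slot start
PLANES = (1, 2, 3)      # three redundant network planes

@dataclass(frozen=True)
class TTFrame:
    vl_id: int       # virtual link the frame belongs to
    seq: int         # schedule slot index; slot starts at seq * PERIOD_US
    arrival_us: int  # arrival time in the receiver's synchronized clock
    plane: int       # plane this copy arrived on

class TTReceiver:
    """Accepts the first in-window copy of each slot, suppresses the
    redundant copies from the other planes, and records anomalies."""
    def __init__(self):
        self.accepted = {}                 # (vl_id, seq) -> plane that delivered it
        self.redundant = defaultdict(int)  # plane -> copies discarded as duplicates
        self.late = []                     # frames outside their acceptance window

    def deliver(self, f: TTFrame) -> bool:
        slot_start = f.seq * PERIOD_US
        if abs(f.arrival_us - slot_start) > TOLERANCE_US:
            self.late.append((f.vl_id, f.seq, f.plane))
            return False                   # an off-schedule TT frame counts as dropped
        key = (f.vl_id, f.seq)
        if key in self.accepted:
            self.redundant[f.plane] += 1   # another plane already delivered this slot
            return False
        self.accepted[key] = f.plane
        return True

    def missing_slots(self, vl_id: int, last_seq: int) -> list:
        """Slots for which no plane delivered an in-window copy."""
        return [s for s in range(last_seq + 1) if (vl_id, s) not in self.accepted]

def run_scenario() -> TTReceiver:
    """Constructed run: plane 1 drops slots 3-5 (other planes cover), then at
    slot 8 every copy arrives 400 us late, as if sync had been lost."""
    rx = TTReceiver()
    for seq in range(10):
        for plane in PLANES:
            if plane == 1 and 3 <= seq <= 5:
                continue
            skew = 400 if seq == 8 else 0
            rx.deliver(TTFrame(7, seq, seq * PERIOD_US + skew + plane, plane))
    return rx
```

The single-plane loss is absorbed by replication, while the schedule-wide skew at slot 8 shows up as a missing slot: that is the kind of gap a monitor would need to alarm on.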

On Tuesday, researchers published findings that, for the first time, break TTE’s isolation guarantees. The result is PCspooF, an attack that allows a single non-critical device connected to a single plane to disrupt synchronization and communication between TTE devices on all planes. The attack works by exploiting a vulnerability in the TTE protocol. The work was completed by researchers at the University of Michigan, the University of Pennsylvania, and NASA’s Johnson Space Center.

“Our evaluation shows that successful attacks are possible in seconds and that each successful attack can cause TTE devices to lose synchronization for up to a second and drop tens of TT messages—both of which can result in the failure of critical systems like aircraft or automobiles,” the researchers wrote. “We also show that, in a simulated spaceflight mission, PCspooF causes uncontrolled maneuvers that threaten safety and mission success.”

Artemis Network Validation and Integration Laboratory (ANVIL) at NASA Johnson Space Center, where much of the research into PCspooF was conducted.

PCspooF can be built onto as little as a 2.5 cm×2.5 cm area of a single-layer printed circuit board and requires minimal power and network bandwidth, which allows a malicious device to blend in with all the other best-effort devices connected to the network. The researchers privately reported their findings to NASA and other big stakeholders in TTE. In an email, a NASA representative wrote, “NASA teams are aware of the findings from research on TTE and have taken proactive measures to ensure potential risks to spacecraft are appropriately mitigated.”
