An Ethernet failure may have disabled the Orion spacecraft • The Register

A vulnerability in a network technology widely used in space and on airplanes, if successfully exploited, could have catastrophic effects on these critical systems, including thwarting NASA missions, the researchers said.

In a study released today, researchers from the University of Michigan and NASA detailed the attack, which they dubbed “PCspooF,” using NASA hardware and software components to simulate the asteroid redirection test at the point in the mission where the Orion capsule was supposed to dock with a robotic spacecraft.

Spoiler alert: PCspooF caused Orion to veer off course, completely missing the dock, and floating into (simulated) space.

The flaw resides in a technology called Time-Triggered Ethernet (TTE), which the study’s authors call the “network backbone” for spacecraft, including NASA’s Orion capsule, its Lunar Gateway space station, and ESA’s Ariane 6 launch vehicle. TTE is also used in aircraft and power generation systems and is considered a “leading contender” to replace the standard Controller Area Network bus and FlexRay communication protocols, we’re told.

TTE allows critical, timed-triggered (TT) network traffic – which are devices that send tightly synchronized, scheduled messages according to a predetermined schedule – to share the same switches with non-critical traffic, such as B. Passenger Wi-Fi on airplanes.

In addition, TTE is compatible with standard Ethernet typically used by these non-critical systems. TTE isolates scheduled traffic from so-called “best effort” traffic: non-critical systems that route their messages around the more important scheduled traffic. And this type of design, combining devices on a single network, allows mission-critical systems to run on less expensive network hardware while preventing the two types of traffic from interfering with each other.

Breaking through the isolation barrier

According to the researchers, PCspooF is the first attack ever to break through this isolation.

At a very high level, the attack works by disrupting the synchronization system known as Protocol Control Frame (PCF). These are the messages that keep devices running on a common schedule and ensure they communicate quickly.

The researchers found that the non-critical, best-effort devices can derive private information about the time-triggered portion of the network. The devices can then be used to create malicious sync messages.

Then the compromised best effort device can introduce electromagnetic interference into the switch and make it send the fake synchronization messages to other TTE devices.

“Normally, no device other than a network switch is allowed to send this message. To get the switch to pass our malicious message, we injected electromagnetic interference into it over an Ethernet cable,” explained Andrew Loveless, a UM PhD student in computer science and subject matter expert at NASA Johnson Space Center.

“Once the attack is underway, the TTE devices will sporadically lose sync and keep reconnecting,” Loveless said.

A successful attack can cause TTE devices to lose synchronization for up to a second, causing “tens” of timed messages to fail to be forwarded and critical systems to fail. “In the worst case, PCspooF causes these results simultaneously for all TTE devices in the network,” the researchers write.

After successfully testing the attack, researchers disclosed the vulnerability to organizations using TTE, including NASA, ESA, Northrop Grumman Space Systems, and Airbus Defense and Space. Based on the research, NASA is also rethinking how to bring experiments onboard and verify commercial off-the-shelf hardware. ®