Time-Triggered Ethernet flaw could have crippled Orion spacecraft

A vulnerability in a networking technology widely used in space and aircraft could, if successfully exploited, have disastrous effects on these critical systems including thwarting NASA missions, according to researchers.

In a study published today, researchers at the University of Michigan and NASA detailed the attack, which they dubbed “PCspooF,” using NASA hardware and software components to simulate the Asteroid Redirection Test at the point in the mission when the Orion capsule was supposed to dock with a robotic spacecraft.

Spoiler alert: PCspooF caused Orion to veer off course, miss the dock entirely and float away into (simulated) space.

The flaw exists in a technology called Time-Triggered Ethernet (TTE), which the study’s authors describe as the “network backbone” for spacecraft including NASA’s Orion capsule, its Lunar Gateway space station and ESA’s Ariane 6 launcher. TTE is also used in aircraft and energy generation systems, and seen as a “leading contender” to replace the standard Controller Area Network bus and FlexRay communications protocols, we’re told.

TTE allows critical, time-triggered (TT) network traffic — these are devices sending tightly synchronized, scheduled messages according to a predetermined plan — to share the same switches with non-critical traffic, such as passenger Wi-Fi on airplanes.

Additionally, TTE is compatible with standard Ethernet, which is typically used by these non-critical systems. TTE isolates the time-triggered traffic from the so-called “best-effort” traffic, meaning the messages of non-critical systems, which are forwarded around the higher-priority timed traffic. This type of design, which blends devices on a single network, allows mission-critical systems to run on lower-cost networking hardware while preventing the two types of traffic from meddling with each other.

Breaking the isolation barrier

PCspooF, according to the researchers, is the first-ever attack to break this isolation. 

At a very high level, the attack works by disrupting the synchronization system, called a protocol control frame (PCF). These are the messages that keep devices running on a shared schedule and ensure they communicate quickly.

The researchers determined that the non-critical, best-effort devices can infer private information about the time-triggered part of the network. The devices can then be used to craft malicious synchronization messages. 

Then, the compromised best-effort device conducts electromagnetic interference into the switch over its Ethernet cable, tricking the switch into forwarding the phony synchronization messages to the other TTE devices.

“Normally, no device besides a network switch is allowed to send this message, so in order to get the switch to forward our malicious message, we conducted electromagnetic interference into it over an Ethernet cable,” explained Andrew Loveless, a U-M doctoral student in computer science and subject-matter expert at the NASA Johnson Space Center. 

“Once the attack is underway, the TTE devices will start sporadically losing synchronization and reconnecting repeatedly,” Loveless said. 

A successful attack can cause TTE devices to lose synchronization for up to a second, thus failing to forward “tens” of time-triggered messages and causing critical systems to fail. “In the worst case, PCspooF causes these outcomes simultaneously for all TTE devices in the network,” the researchers wrote.

After successfully testing the attack, the researchers disclosed the vulnerability to organizations using TTE including NASA, ESA, Northrop Grumman Space Systems, and Airbus Defense and Space. Based on the research, NASA is also reconsidering how it onboards experiments and verifies commercial, off-the-shelf hardware. ®