Untrusted supply chains – an open door to cyberattacks
There’s never a good time to experience a cyberattack, but – given the option – having your feet on the ground when disaster strikes feels preferable to being up in the air. Sadly, airborne systems are vulnerable to network exploits, and that includes not just aircraft, but space technology too. Recently, computer scientists in the US have warned of a new threat to Time-Triggered Ethernet (TTE) – a networking technology widely used in critical infrastructures such as spacecraft, aircraft, energy generation systems, and industrial control systems. And their outer space cyberattack demo flags the dangers of untrusted supply chains.
To highlight the potential danger, the team used real NASA hardware to recreate a planned Asteroid Redirection Test. The demonstration focused on the point in the mission where a crewed capsule (simulated for the purposes of this test) was preparing to dock in space. Curious to see what the effect would be – under safe conditions on Earth – the researchers sent disruptive messages across the network.
“Once the attack is underway, the TTE devices will start sporadically losing synchronization and reconnecting repeatedly,” explained Andrew Loveless, a subject matter expert at the NASA Johnson Space Center and doctoral student in computer science and engineering at the University of Michigan, US. The result was bad news for the simulated space mission, which – following the attack – was sent off course. In real life, the consequences could be deadly for aircrews.
On paper, TTE is a great system as it allows critical time-triggered (TT) traffic and non-critical best-effort (BE) signals to share the same switches and cabling. And for aircraft, where weight carries a premium, TTE gives designers a route to maximizing the available payload. There are further benefits in terms of size, power, and cost-savings. Ordinarily, the TT and BE parts of the network are isolated and – in theory – have no way of interfering with each other. But, as the group showed, a vulnerability exists.
Injecting electrical noise into a TTE switch, through an Ethernet cable, can result in malicious synchronization messages being sent to TTE devices on the network. And during attacks, tens of legitimate TT messages can be dropped, which may result in the failure of critical systems. Timed correctly, electromagnetic interference (EMI) disrupts how messages are forwarded to the rest of the network and could cause devices to operate in unintended ways.
Dangers of untrusted supply chains
“The way an attacker can actually introduce such a malicious device into a network is if that device comes from an untrusted supply chain,” cautions Baris Kasikci, who led the work. “There are benefits in procuring equipment from untrusted supply chains because they are readily available; there’s no verification efforts, you don’t incur a lot of costs. But at the same time, you can be vulnerable in such settings.” Kasikci – a recipient of a Microsoft Research Faculty Fellowship, an Intel Rising Star Award, a VMware Early Career Faculty Grant, and a Google Faculty Award – wants people to do the right thing. And this demo warns of the potential dangers of untrusted supply chains.
By disclosing the TTE vulnerability to major companies using the technology ahead of making their findings public, the researchers have paved the way for developers to begin working on fixes. And this process of responsible vulnerability disclosure is a proven route for security researchers to help developers to eliminate issues and build stronger, safer, and more secure systems.
In the case of the TTE attack, all that’s required to generate the EMI is a relatively small device measuring just 2.5 cm square. “Such a circuit could reasonably be hidden in a BE device and integrated into a TTE system,” comment the researchers in their write-up of the TTE attack [PDF]. Another issue concerns the protocol itself. Modern devices do verify message contents, but they don’t check the length. And this was another stepping stone in building out the attack path.
Commercial-off-the-shelf (COTS) devices are vulnerable to tampering. In the absence of a formal development process to ensure safety and security, users have no guarantee that units haven’t been altered to include malicious circuits or software. System integrators will focus their testing on operational safety – for example, the ability of equipment to withstand vibration and temperature conditions associated with various missions. But given the dangers of untrusted supply chains, additional vulnerability scanning may need to be performed.
There are mitigations for the TTE vulnerability, but these may not prove to be popular. Aircraft and space missions prize reliability – and rightly so. But solutions such as opto-couplers or surge protection devices, which would prevent EMI from being introduced, add new points of failure themselves. “Another option is to use fiber-optic cables, which are incapable of conducting EMI into the switch,” writes the team. “However, such cables have several downsides compared to copper, including higher cost, worse durability, and decreased compatibility with commercial hardware.”
Cybersecurity choices certainly become more complex alongside the extreme design constraints of spaceflight. But if there’s one lesson to focus on, it’s to be aware of the potential dangers of untrusted supply chains.
26 May 2023
26 May 2023