Researchers break security guarantees of TTE networking used in spacecraft


Enlarge / People watch in an Orion spacecraft simulator, used to train for docking with the Gateway space station, at the Johnson Space Center’s System Engineering Simulator facility in Houston.

Getty Images

NASA’s planned Wednesday launch of the Artemis I mission will be the first integrated test of the agency’s SLS rocket and Orion spacecraft, which have been in development for 16 years and are expected to usher in a new era of space exploration. . The unmanned mission will also mark only the second time a networking standard known as time-triggered Ethernet has been taken into space, with the first being Orion’s orbital test flight in 2014.

Time-triggered Ethernet (TTE) is an example of a mixed-criticality network, capable of routing traffic with different levels of timing and different fault tolerance requirements over the same set of hardware. Until now, spacecraft have generally relied on a single network to transmit safety-critical or mission-critical messages and one or more completely separate networks for conducting videoconferencing and other forms of less critical traffic.

Illustration of how time-triggered Ethernet works.
Enlarge / Illustration of how time-triggered Ethernet works.


Engineers built a better mousetrap. The mice beat it anyway

Orion is the first spacecraft to rely on a TTE network to route mixed-critical traffic, whether it’s vital systems such as navigation and life support, file transfers critical to delivery but not timing, or noncritical, according to NASA. tasks such as crew video conferencing. TTE – which will also be used in NASA’s Lunar Gateway space station and ESA’s Ariane 6 launch vehicle – is crucial to reducing the size, weight, cost and power requirements of modern spacecraft.

Example of TTE data stream in a spacecraft.
Enlarge / Example of TTE data stream in a spacecraft.


Safety-critical systems, such as those for steering and motor control, often only work when network messages are sent and received at intervals of just 40 to 50 milliseconds. Delayed or dropped messages can be catastrophic. The other end of the criticality spectrum includes messages sent by scientific instruments, which often come in the form of commercial off-the-shelf devices and are provided by universities or outside researchers with minimal safety assessment by NASA. While 100 percent compatible with the Ethernet standard, TTE can also deliver messages that engineers normally reserve for special-purpose networks.

To prevent less important messages from interfering with critical messages, TTE offers two major advantages not available in normal Ethernet. They are:

  • A time-triggered paradigm where all devices are tightly synchronized and send messages on a predetermined schedule. This can reduce latency to hundreds of microseconds and jitter to near zero.
  • Fault tolerance: TTE replicates the entire network to multiple planes and forwards messages to all planes simultaneously. The TTE network on board the Gateway has three planes.


On Tuesday, researchers published findings that break TTE’s insulation guarantees for the first time. The result is PCspooF, an attack in which a single non-critical device attached to a single aircraft can disrupt synchronization and communication between TTE devices on all aircraft. The attack works by exploiting a vulnerability in the TTE protocol. The work was completed by researchers from the University of Michigan, the University of Pennsylvania and NASA’s Johnson Space Center.

“Our evaluation shows that successful attacks are possible within seconds and that each successful attack can cause TTE devices to lose sync for a second and drop dozens of TT messages, both of which can result in the failure of critical systems such as planes or cars. the researchers wrote. “We also show that PCspooF in a simulated spaceflight mission causes uncontrolled maneuvers that threaten the safety and success of the mission.”

Artemis Network Validation and Integration Laboratory (ANVIL) at NASA Johnson Space Center, where much of the research on PCspooF was conducted.
Enlarge / Artemis Network Validation and Integration Laboratory (ANVIL) at NASA Johnson Space Center, where much of the research on PCspooF was conducted.


PCspooF can be built on just an inch x 1 inch area of ​​a single-layer circuit board and requires minimal power and network bandwidth, allowing a malicious device to blend in with all other best-effort devices connected to the computer . network. The researchers reported their findings privately to NASA and other major stakeholders in TTE. In an email, a NASA representative wrote, “NASA teams are aware of the findings of investigations into TTE and have taken proactive steps to ensure that potential risks to spacecraft are appropriately mitigated.”

The Valley Voice
The Valley Voice
Christopher Brito is a social media producer and trending writer for The Valley Voice, with a focus on sports and stories related to race and culture.


Please enter your comment!
Please enter your name here

Share post:


More like this