IdentiPHY

Vulnerabilities In the News
Together we can keep your network out of the news.

Time-Triggered Ethernet Exploited

1/31/2023

The physical introduction of rogue devices is a serious concern for critical infrastructure.  These attacks are less frequent than phishing, exploitation of a company's public Internet-facing endpoints, and the like.  However, they can be incredibly damaging and are often difficult to detect.  IdentiPHY provides the ability to automatically detect these attacks in a matter of seconds.  One such attack, specifically damaging to critical infrastructure systems, was recently published by researchers from the University of Michigan.  In this blog post, I'll briefly explain the attack and describe how IdentiPHY can help.

A recent paper, published in IEEE S&P, found vulnerabilities in Time-Triggered Ethernet (TTE) [1].  TTE provides the ability to isolate time-triggered (TT) traffic from more common best-effort (BE) traffic within the same switches and cabling.  TTE reduces message latencies to hundreds of microseconds and almost eliminates jitter [2], [3].  In this paradigm, TT devices communicate on a tight, predetermined schedule and BE traffic fills in around the synchronous TT traffic.  The authors call their technique PCSPOOF and...

"[show] that successful attacks are possible in seconds, and that each successful attack can cause TTE devices to lose synchronization for up to a second and drop tens of TT messages - both of which can result in the failure of critical systems like aircraft or automobiles."

The attack occurs in two stages.  First, a single BE device infers the common identifier used by TTE devices by sending phony ARP requests.  It tricks other BE devices into sending out messages with potential identifiers and determines which identifier gets dropped by the network.  BE devices are forbidden from sending messages with the TTE common identifier.  Therefore, the messages that are dropped contain the common identifier.  From this identifier, the attacker can craft valid TTE synchronization messages.
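The first stage leaves two observable traces on the switch: one BE port advertising a spread of different sender MAC addresses in ARP within a short window, and frames addressed to the TT common identifier being dropped at a BE ingress port (the very oracle the attacker relies on). The monitor below, an added example that is not part of the original post and not IdentiPHY's code, shows how a defender can turn those traces into alerts over a constructed switch-mirror log. The `Frame` record layout, the `TT_COMMON_ID` placeholder value, the window and threshold parameters, and the assumption that the phony ARP requests carry the candidate identifier as the ARP sender hardware address are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800

# Hypothetical placeholder: the real TT common identifier is deployment
# specific and is not given in the post.
TT_COMMON_ID = "01:00:5e:00:00:aa"


@dataclass(frozen=True)
class Frame:
    """One ingress record from a (constructed) switch-mirror log."""
    t: float                       # seconds since capture start
    port: str                      # ingress switch port
    src: str                       # source MAC of the frame
    dst: str                       # destination MAC of the frame
    ethertype: int
    dropped: bool                  # ingress filter discarded the frame
    arp_sha: Optional[str] = None  # ARP sender hardware address, if ARP


def enumeration_suspects(frames, window=2.0, max_distinct=2):
    """Ports whose ARP requests advertise more than max_distinct different
    sender MACs inside any window-second span. A normal endpoint advertises
    its own MAC only, so a spread of candidates is the probing signature."""
    per_port = defaultdict(list)
    for f in frames:
        if f.ethertype == ETHERTYPE_ARP and f.arp_sha:
            per_port[f.port].append((f.t, f.arp_sha))
    suspects = set()
    for port, events in per_port.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {sha for t, sha in events[i:] if t - t0 <= window}
            if len(seen) > max_distinct:
                suspects.add(port)
                break
    return suspects


def reserved_id_drops(frames):
    """Frames addressed to the TT common identifier that the switch dropped.
    Each drop is exactly the signal the attacker is looking for, so it should
    raise an alert rather than be discarded silently."""
    return [f for f in frames if f.dst == TT_COMMON_ID and f.dropped]


def attribute_drops(frames):
    """Pair each reserved-ID drop with the port(s) that earlier advertised
    that identifier in ARP. The port that sent the dropped frame is usually
    a tricked victim; the advertising port is the likely prober."""
    out = []
    for f in reserved_id_drops(frames):
        advertisers = sorted({g.port for g in frames
                              if g.ethertype == ETHERTYPE_ARP
                              and g.arp_sha == f.dst and g.t <= f.t})
        out.append((f.port, advertisers))
    return out


BCAST = "ff:ff:ff:ff:ff:ff"
# Constructed sample log. Port p3 advertises four different sender MACs in
# 0.3 s; port p5 then sends to each learned address and only the frame to the
# reserved identifier is dropped; port p7 is an ordinary host.
LOG = [
    Frame(0.10, "p3", "02:00:00:00:00:03", BCAST, ETHERTYPE_ARP, False, "02:aa:aa:aa:aa:01"),
    Frame(0.20, "p3", "02:00:00:00:00:03", BCAST, ETHERTYPE_ARP, False, "02:aa:aa:aa:aa:02"),
    Frame(0.30, "p3", "02:00:00:00:00:03", BCAST, ETHERTYPE_ARP, False, TT_COMMON_ID),
    Frame(0.40, "p3", "02:00:00:00:00:03", BCAST, ETHERTYPE_ARP, False, "02:aa:aa:aa:aa:04"),
    Frame(0.50, "p5", "02:00:00:00:00:05", "02:aa:aa:aa:aa:01", ETHERTYPE_IPV4, False),
    Frame(0.60, "p5", "02:00:00:00:00:05", "02:aa:aa:aa:aa:02", ETHERTYPE_IPV4, False),
    Frame(0.70, "p5", "02:00:00:00:00:05", TT_COMMON_ID, ETHERTYPE_IPV4, True),
    Frame(0.80, "p5", "02:00:00:00:00:05", "02:aa:aa:aa:aa:04", ETHERTYPE_IPV4, False),
    Frame(1.00, "p7", "02:00:00:00:00:07", BCAST, ETHERTYPE_ARP, False, "02:00:00:00:00:07"),
]

if __name__ == "__main__":
    print("probing ports:", enumeration_suspects(LOG))      # {'p3'}
    print("reserved-ID drops:", len(reserved_id_drops(LOG)))  # 1
    print("drop -> advertiser:", attribute_drops(LOG))     # [('p5', ['p3'])]
```

The point of `attribute_drops` is that the port whose frame was dropped is not the interesting one; the alert should name the port that taught it the address. Tune `max_distinct` to the number of MACs a port legitimately announces (one for an endpoint, more for a port behind a downstream switch).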

Now, the second phase of the attack requires generating electromagnetic interference (EMI) from the malicious BE device using a small, low-power circuit that could be injected into a device as a supply chain attack or custom-crafted by an attacker.  The EMI will result in packets that have lost their BE header but still contain a malicious synchronization message buried inside.

This is where IdentiPHY detects the attack.  The EMI will affect the malicious device's IdentiPHY-generated fingerprint, even if it was validly registered, and it will be flagged as unauthorized.
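To make the fingerprint argument concrete, here is an added example, not IdentiPHY's code and not a description of what it measures, of the generic check behind "a registered device whose physical-layer signature drifts gets flagged": enrol a baseline of feature vectors at registration, then score each later measurement by its worst per-feature z-score. The feature names, the enrolment samples, the EMI measurement and the threshold are all constructed for the illustration.

```python
import statistics

# Hypothetical physical-layer feature names, chosen only for illustration.
FEATURES = ("rise_time_ns", "overshoot_mv", "noise_floor_uv")


def enroll(samples):
    """Build a per-feature (mean, stdev) baseline from enrolment captures.
    A tiny floor on stdev avoids division by zero for perfectly stable
    features."""
    baseline = {}
    for name in FEATURES:
        values = [s[name] for s in samples]
        mu = statistics.fmean(values)
        sigma = statistics.stdev(values)
        baseline[name] = (mu, max(sigma, 1e-9))
    return baseline


def check(baseline, measurement, threshold=4.0):
    """Return (authorized, worst_feature, worst_z). A device whose current
    signature is more than `threshold` standard deviations from its enrolled
    baseline on any feature is treated as unauthorized, even though its
    identity was validly registered."""
    scores = [(name, abs(measurement[name] - mu) / sigma)
              for name, (mu, sigma) in baseline.items()]
    worst_name, worst_z = max(scores, key=lambda s: s[1])
    return worst_z <= threshold, worst_name, worst_z


# Constructed enrolment captures for one device: small, normal spread.
ENROLMENT = [
    {"rise_time_ns": 10.0, "overshoot_mv": 30.0, "noise_floor_uv": 50.0},
    {"rise_time_ns": 10.2, "overshoot_mv": 31.0, "noise_floor_uv": 52.0},
    {"rise_time_ns": 9.8,  "overshoot_mv": 29.0, "noise_floor_uv": 48.0},
    {"rise_time_ns": 10.1, "overshoot_mv": 30.5, "noise_floor_uv": 51.0},
    {"rise_time_ns": 9.9,  "overshoot_mv": 29.5, "noise_floor_uv": 49.0},
]
BASELINE = enroll(ENROLMENT)

# Constructed later measurements: one normal, one with the device radiating
# interference, which shows up as a large jump in the noise-floor feature.
NORMAL = {"rise_time_ns": 10.1, "overshoot_mv": 30.2, "noise_floor_uv": 50.5}
UNDER_EMI = {"rise_time_ns": 10.1, "overshoot_mv": 30.2, "noise_floor_uv": 80.0}

if __name__ == "__main__":
    for label, m in (("normal", NORMAL), ("under EMI", UNDER_EMI)):
        ok, name, z = check(BASELINE, m)
        print(f"{label}: {'authorized' if ok else 'UNAUTHORIZED'} "
              f"(worst feature {name}, z={z:.1f})")
```

The threshold trades false alarms against sensitivity; a practitioner would set it from the spread observed across many enrolment captures of known-good hardware, and would re-enrol only after a physical inspection, since re-enrolling on an alert would teach the monitor the attacker's signature.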
