9 comments

[ 3.9 ms ] story [ 45.2 ms ] thread
This title feels at least somewhat clickbait.

A less clickbait title would be: "Researchers discover that, with physical access, they can disrupt TTEthernet synchronization".

"Ethernet" in the title does not refer to normal ethernet devices, but rather TTEthernet.

"Cyberattack" to me implies the attack doesn't require physical access, but this attack does require physical access to a switch on the network, and how they've implemented it requires installing a persistent powered device on the hardware.

"Crunches Critical Systems" to me implies it's actually been exploited in the wild. This has not been.

The article implies this attack could be deployed against airplanes, space ships, and wind turbines. From my understanding of this attack, I would recommend protecting from it in the same way you currently protect against the attack of "someone DoSd us by walking up and unplugging the ethernet cable", which is to say a combination of closed panel doors, "do not touch" signs, and, if you must, a physical lock.

Why would "cyberattack" imply non-physical access? Cybersecurity has always had physical components to it. Would you consider an attack using a rubber ducky a cyberattack?
The killer feature of cyberattack is that it exposes you to a global market of criminals. If physical access is required, that presumably cuts back on the market size.

In the age of significant ecosystems for stealing devices from network stores to conduct SIM-swaps, complete with intermediate stooges paid to protect the anonymity of higher-ups, it's fair to point out that this split is less clear-cut. Much like network exploitation required mass-market standardization, maybe you could argue that breaking physical security for critical systems isn't quite at that point. On the other hand, if it turns out that everyone follows the same 10-step guide to legal compliance for physical security, we might end up with standardized attacks against that security.

I was purely responding to the notion that "cyberattack" as a term implies something exclusively non-physical, since it has been used many, many times to refer to techniques that require physical access to the system that is being attacked.
This kind of disparate interpretation is why I still prefer the term information security (and related, information assurance).

It’s much more unambiguously inclusive, and still perfectly descriptive of the field and practice.

I'm sympathetic to that idea on first glance. Would you consider Stuxnet a cyber attack, though? I think I instinctively would, despite liking your description, yet it required USB drive placement.
Actual paper @ https://web.eecs.umich.edu/~barisk/public/pcspoof.pdf about https://en.wikipedia.org/wiki/TTEthernet

Deliberate link-layer electrical misbehavior. Provides only a short window of disruption - far less than cable integrity or other physical attacks would provide, which require similar access.

Superior protection against this class of attack would be: (1) Redundant physical routes between critical systems with independent routers/middleware infrastructure. This is literally the intended use case for IP. However, it does not match the real time expectations people are now heaping on local IP networks in these faux-real-time segments. (2) TTE-based software systems encompassing untimely multi-frame synchronization loss as a standard class of edge-case to consider.

The root cause of the problem could be said to be novel expectations for special case performance being heaped upon infrastructure designed for a more general and certainly differing use case. In aggregate it performed very well regardless. Interesting that we are today building spacecraft based on 50 year old link-layer technology.

Wouldn't moving away from copper (or at least using shielded wiring) also provide significant protection? The attack relies on electromagnetic interference being able to obfuscate a packet header.
Yes, that's one of the mitigations mentioned in the article:

> Kasikci: We identified several different mitigations that are effective against our attack. In general, they fit into two basic categories. The first category is to block a device from conducting electromagnetic interference into your TTE switch. [...] Another option is to make it so that, even if the attacker does inject electromagnetic interference into the switch and causes this malicious protocol control frame (PCF) to go out, the system won’t be affected by it. You can do this by altering the topology of your network, so that the spoofed PCFs never follow the same path as legitimate PCFs.