Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


September 25, 2007

Eavesdropping on a Fiber Optic Cable

It's easy to eavesdrop on a copper cable; fiber optic cable is much harder. Here's how to eavesdrop on a fiber optic cable: total hardware cost less than $1,000.

Posted on September 25, 2007 at 6:42 AM


Comments

This is a very high expense attack against a relatively sophisticated enemy. For less than $100 you can get an 80 / 20 passive splitter (80% of light continues undisturbed, 20% is for monitoring). These come for free with most protocol analysers too (at 50k per analyser you'd hope so :-). In this case you just cut the fibre near the middle (or disconnect if you can access the ODF) and reconnect it with the splitter in line. Done quickly at night most victims won't notice and even if they do they'll just be glad the system came up again. "Nobody"'s going to dig a working fibre out of the ground to try to find the cause of even a five minute outage.

Posted by: aze at September 25, 2007 7:58 AM


So how many of these and other devices are already out there listening? And, as aze pointed out, how many of us out there are going to be checking the lines for them?

Posted by: winter at September 25, 2007 8:06 AM


I wonder how easy it would be to detect the loss in light and potentially quality on the cable. I once talked to some guy doing installation of optical cable, and he indicated that the receivers might notice the drop in signal quality. Maybe someone knowledgeable can enlighten us here...

Posted by: uk at September 25, 2007 8:12 AM


Old Old trick and easily countered by OTDR monitors or cladding mode continuity checking.

Posted by: monopole at September 25, 2007 8:14 AM


Serious attacks use evanescent couplers and in some cases phase conjugation to dodge the power drop, but if you send along/monitor the cladding modes it will still be very difficult to do an undetected tap.

Microbends are a naturally occurring problem in fiber networks and the bane of cabling w/ fibers. As a result most folks that can afford them have optical time delay reflectometry (OTDR) units ($4k on ebay) essentially one dimensional "RADAR" units. The microbend tap described will light up like a Christmas tree.

Basically this is the fiber equivalent of a script kiddie attack.

Posted by: monopole at September 25, 2007 8:31 AM


yes .. this "may" work for 1310 systems (common lan type) cable .. but for buried cables with multiple wavelengths and the loss budget tightly controlled, such a tap will be detected very quickly .. that is if anyone wants to.

Secondly it won't work for all the wavelengths .. that setup will get more elaborate.

Lastly there is one little thing called encryption used to fiber channels .. almost all 10G and even 2.5G signals have it .. and that's not WEP.

Posted by: sooth_sayer at September 25, 2007 8:36 AM


First, everyone who points out that this is not quite as easy as it seems is correct. And, second, those pointing out that there are standard mechanisms to both prevent and detect this are also correct.

But there are also network managers out there planning a budget, and deciding that since "fiber is naturally secure" they can forego some of these expenses.

This item strikes me as important because of the economics - if the attack against one fiber is $1000, and the defense is an OTDR - per fiber - at $4000 (or cladding monitoring, which likely delivers at least a few false positive$) - then you need to realize that fiber is NOT a cheap security solution. It's a high bandwidth transport mechanism, and with all that data comes all that risk. Plan accordingly.

And although most of us likely don't face really well funded attackers -- http://www.wired.com/news/technology/0,1282,68894,00.html is a reminder of just how many barriers a well funded attacker can overcome.

Posted by: Chris S at September 25, 2007 9:10 AM


With this attack you are causing loss in the fiber path by bending it to the point it loses its total internal reflective properties. Any microbend, caused by this attack or any other reason, can be picked up by an Optical Time Domain Reflectometer (OTDR).

Posted by: Chris J at September 25, 2007 9:34 AM


Hard to snoop on fiber using any of the bending devices when the fiber is in a pressurized gas conduit. :-}

Posted by: j at September 25, 2007 9:38 AM


For lines that aren't physically securable, would it make sense to use weaker fibers that will break before being bent enough to leak light? There would be an increased risk of accidental or malicious breakage. More pliable fiber would have to be used at junctions and bends, and these would have to be physically secured. Added connections between pliable and frangible fibers would increase installation costs and might interfere with transmission.

Posted by: Nick at September 25, 2007 10:54 AM


Bruce, you are cryptographer. Not optical/electrical/mechanical/etc engineer. Why the hell are you talking about things you have no idea about?
"It's easy to eavesdrop on a copper cable" - depends, but not that simple as you might think.
"eavesdrop on a fiber optic cable: total hardware cost less than $1,000"
Total BS, as other pointed out already.

Posted by: Yosi at September 25, 2007 11:27 AM


Well this is not totally off base. Granted it may cost you a little more than a grand but that all depends on what you have lying around. This WILL work but there are a number of other factors to take into consideration. One, who’s on the fiber, 1 or 1000 users? I could overload the tap itself. Two, where are you applying the tap? Depending on where you are at you may not get anything (inside the wiring closet, back end of the switch, under the street, etc). Same is true for tapping copper. There are several defenses that may be employed to prevent this. Some have talked about using an OTDR but that is only good if you have a baseline and there are ways to defeat a TDR. I believe the point of this article is to make people, especially those who are in the security arena, aware that these types of attacks do take place. Trust me, my RED TEAM utilizes these techniques.

Posted by: electric_cissp at September 25, 2007 11:46 AM


@Yosi - To what one single narrow topic would you like us to confine your speech? English grammar?

Posted by: Pigeon Hole at September 25, 2007 11:50 AM


"Well this is not totally off base."
Yes it is. I'm not question the mere possibility to eavesdrop on fiber. But cost of such attack will be much more $1000. Chances that such action will break several other laws in-process (like digging in private area). Digging? Cutting cables? Jail time awaiting anyone caught in-action.
Costs of such operation will definitely prevail the cost of information intercepted.
You may protect your house with a gun; but you don't buy SAM.

Posted by: Yosi at September 25, 2007 11:55 AM


Pigeon (----)Hole: grow up. It's obvious that Yosi's first language is not English. Cut him some slack.

Posted by: Jakes at September 25, 2007 12:55 PM


Wow, fiber fan boys. Count me surprised.

For every measure, there is a counter measure. Each increment generally costs both sides. This very cheap method will attack the cheapest target, naturally the stakes can be moved up. It doesn't mean it is worthless, it just means it won't do *every* fiber cable. Why do so many have to take everything as absolute?

Posted by: Paul Kierstead at September 25, 2007 2:55 PM


Thank you Paul for injecting a little common sense into this discussion.

How often have we heard that some technique is invincible? It is usually followed by some exploit being released into the wild. Given sufficient motivation and resources, anything can be breached.

That's all this says. If you disagree, kindly reread Bruce's books and blog.

Posted by: Not That Anon at September 25, 2007 3:05 PM


I see comments suggesting the value of information pulled from a fiber this way will be less than the cost of doing it... I actually have a hard time coming up with any business networks that do NOT carry potentially very valuable information.

At the very least, a strategically placed network tap could provide enough information to assist an active network penetration.

Posted by: Eirik Seim at September 25, 2007 5:58 PM


Yosi: This blog is titled "Schneier on SECURITY". Bruce talks about all sorts of interesting things (including squid on Fridays...)

I for one, enjoy nearly all of it.

Posted by: Tom at September 26, 2007 12:51 AM


Ummmm, so what...?

Usually business networks (either owned or via a provider) slap on something like triple DES on the end points..

And consumers who use the internet pretty much assume that all their conversations are interceptable and thus use HTTPS (padlock sign here? ok...) or other ways (that are Good Enough) of securing Important communications

Not really bothered if someone sees that I am reading/commenting on this blog...

Posted by: Anonymous Coward at September 26, 2007 1:27 AM


The only difference between electrical and optical is the former can be done by induction, without breaking the protective sleeve.
The defenses (ensuring current/light is not lost) and attacks (taps etc.) are pretty much mirrored.
Oh, and fibre-splicing kits are expensive, but you can do it with a razorblade (or just a tight radius!), once you've got the knack.
Things are for what they are for, nothing else.

Posted by: Dom De Vitto at September 26, 2007 2:26 AM


Oh, and that's just passive monitoring.
For $10k, you can go active, and boost the signal transparently - a bit like inserting a powered hub in the path :-)

Posted by: Dom De Vitto at September 26, 2007 2:30 AM


Reference:

> Hard to snoop on fiber using any of the bending devices when the fiber is in a pressurized gas conduit. :-}

I know of places that do this. In clear conduit so you can physically see the cable and then you monitor for pressure drops.

Posted by: Dale at September 26, 2007 4:45 AM


Dale has it. And has since the mid-80s. People have been doing microbending since then, even using it for fiber-to-fiber coupling.

Posted by: paul at September 26, 2007 1:47 PM


@sooth_sayer "Lastly there is one little thing called encryption used to fiber channels .. almost all 10G and even 2.5G signals have it"

To whose SDH platform are you referring, because neither Fujitsu, Cisco, nor Juniper just "have it" (in some places it can be shoe horned on on the IP layer, or done in-line externally, but this is hardly the intrinsic property you suggest it to be).

On the 802 front, .1ae is on the way, which will be interesting in this regard, though I'm not aware of shipping product.

Does anyone know how much attenuation a microfiber tap introduces? While certainly detectable, I'm wondering if it could be brought down to be within the margin of error on typical DOM optics.

Posted by: kg at September 26, 2007 5:08 PM
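
The detection idea raised in the comments above (a passive tap shows up as a step drop in received optical power) can be sketched as follows. This is an added example, not code from the post or from any commenter; the readings are constructed, and the 0.5 dB alarm margin, baseline length and persistence count are assumptions.

```python
import math
from statistics import median

def splitter_loss_db(fraction):
    """Ideal loss in dB on a splitter port that carries `fraction` of the light."""
    return -10 * math.log10(fraction)

def find_sustained_drop(rx_dbm, baseline_n=6, threshold_db=0.5, persist=4):
    """Return (start_index, drop_db) for the first run of `persist` consecutive
    readings at least `threshold_db` below the commissioning baseline, else None.
    A single noisy reading resets the run, so transient dips do not alarm."""
    baseline = median(rx_dbm[:baseline_n])
    run = 0
    for i in range(baseline_n, len(rx_dbm)):
        run = run + 1 if baseline - rx_dbm[i] >= threshold_db else 0
        if run == persist:
            start = i - persist + 1
            return start, round(baseline - median(rx_dbm[start:]), 2)
    return None

# Constructed receive-power readings in dBm, one per polling interval.
# Index 7 is a one-off dip; from index 10 on the level sits about 1 dB lower,
# roughly what the through port of the 80/20 splitter mentioned above costs.
SAMPLES = [-5.0, -5.1, -4.9, -5.0, -5.1, -5.0, -5.0, -5.8, -5.0, -4.9,
           -5.9, -6.0, -6.0, -5.9, -6.1, -6.0]

if __name__ == "__main__":
    print(f"80% through port: {splitter_loss_db(0.8):.2f} dB")
    print(f"20% monitor port: {splitter_loss_db(0.2):.2f} dB")
    print("0.5 dB margin:", find_sustained_drop(SAMPLES))
    # An alarm margin wider than the step never fires.
    print("1.5 dB margin:", find_sustained_drop(SAMPLES, threshold_db=1.5))
```

The alarm margin has to sit below the loss the tap introduces and above the receiver's normal reading jitter, which is why a recorded baseline matters.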


Interesting... the devices that are shown on the TechRepublic site that lead one to believe that these are fiber optic taps, are indeed, test equipment that bends the fiber to detect the PRESENCE of signals, not to tap into the signal. I suspect that these are two quite different things... follow the link from TechRepublic to Network Integrity and you see once again, the picture of Optical Fiber Identifiers in a paragraph talking about tapping fiber..

Is tapping fiber "possible"?... I suspect so... but showing these pictures and intentionally misleading readers into believing that there are fiber optic taps is poor journalism.

"possible"... but I also suspect very difficult and I wonder about the statement "For less than $1,000, an attacker can purchase the hardware necessary to tap into a fiber run."

If fiber optic tapping is so common and easy, let's see some concrete examples, plans and diagrams. Or some documented examples other than the generic security charlatans that consistently say "somebody could"..

Posted by: BillF at September 29, 2007 10:40 PM


Hi guys. If this type of fiber tapping is possible how realistic/practical is it? In general? Say, I tapped into a DWDM fiber hosting 160 channels at 10Gbps each. The tap diagram on TechRepublic uses optical photo decoder, but that's not all I need to intercept the signal. How do I separate channels now? I have to have a demux equipment that costs tens of thousands of dollars. Let's say I overcame this problem and I am able to distinguish between all 160 different wavelengths. The article then suggests, "(3). The converter changes the light pulses to electrical information that is placed on an Ethernet cable attached to an attacker's laptop. The laptop, running sniffer software, provides the attacker with a view into the data traveling through the tapped fiber cable."
How do I achieve 1.6 Tbps throughput on an ethernet adapter of a laptop? Isn't gigabit ethernet all we have available for laptops nowadays? And where do I get enough CPU cycles from to sniff all that bandwidth flowing through my tap? (Not saying anything about wasting additional CPU cycles on decryption). And even if I achieve that where do I store all the TBytes of data that I am intercepting? Because I'll need to analyze the data I am looking at to make sense out of them. How do I do this while the data is in "flight"? All of this calls for CPU power and storage space costing millions of dollars. And even if I have all that money how do I implement all this in a field setup? This method of tapping calls for some kind of permanent arrangement. And if that's true what are my chances of remaining undetected for a prolonged period of time?

Posted by: Leo at June 5, 2008 5:27 PM

