Comments

aze September 25, 2007 7:58 AM

This is a very high expense attack against a relatively sophisticated enemy. For less than $100 you can get an 80 / 20 passive splitter (80% of light continues undisturbed, 20% is for monitoring). These come for free with most protocol analysers too (at 50k per analyser you’d hope so :-). In this case you just cut the fibre near the middle (or disconnect if you can access the ODF) and reconnect it with the splitter in line. Done quickly at night most victims won’t notice and even if they do they’ll just be glad the system came up again. “Nobody”’s going to dig a working fibre out of the ground to try to find the cause of even a five minute outage.

winter September 25, 2007 8:06 AM

So how many of these and other devices are already out there listening? And, as aze pointed out, how many of us out there are going to be checking the lines for them?

uk September 25, 2007 8:12 AM

I wonder how easy it would be to detect the loss in light and potentially quality on the cable. I once talked to some guy doing installation of optical cable, and he indicated that the receivers might notice the drop in signal quality. Maybe someone knowledgeable can enlighten us here…

monopole September 25, 2007 8:31 AM

Serious attacks use evanescent couplers and in some cases phase conjugation to dodge the power drop, but if you send along/monitor the cladding modes it will still be very difficult to do an undetected tap.

Microbends are a naturally occurring problem in fiber networks and the bane of cabling w/ fibers. As a result most folks that can afford them have optical time delay reflectometry (OTDR) units ($4k on ebay) essentially one dimensional “RADAR” units. The microbend tap described will light up like a Christmas tree.

Basically this is the fiber equivalent of a script kiddie attack.

sooth_sayer September 25, 2007 8:36 AM

yes .. this “may” work for 1310 systems (common lan type) cable .. but for buried cables with multiple wavelengths and the loss budget tightly controlled, such a tap will be detected very quickly .. that is if anyone wants to.

Secondly it won’t work for all the wavelengths .. that setup will get more elaborate.

Lastly there is one little thing called encryption used to fiber channels .. almost all 10G and even 2.5G signals have it .. and that’s not WEP.

Chris S September 25, 2007 9:10 AM

First, everyone who points out that this is not quite as easy as it seems is correct. And, second, those pointing out that there are standard mechanisms to both prevent and detect this are also correct.

But there are also network managers out there planning a budget, and deciding that since “fiber is naturally secure” they can forego some of these expenses.

This item strikes me as important because of the economics – if the attack against one fiber is $1000, and the defense is an OTDR – per fiber – at $4000 (or cladding monitoring, which likely delivers at least a few false positive$) – then you need to realize that fiber is NOT a cheap security solution. It’s a high bandwidth transport mechanism, and with all that data comes all that risk. Plan accordingly.

And although most of us likely don’t face really well funded attackers — http://www.wired.com/news/technology/0,1282,68894,00.html is a reminder of just how many barriers a well funded attacker can overcome.

Chris J September 25, 2007 9:34 AM

With this attack you are causing loss in the fiber path by bending it to the point it loses its total internal reflective properties. Any microbend, caused by this attack or any other reason, can be picked up by an Optical Time Domain Reflectometer (OTDR).

j September 25, 2007 9:38 AM

Hard to snoop on fiber using any of the bending devices when the fiber is in a pressurized gas conduit. :-}

Nick September 25, 2007 10:54 AM

For lines that aren’t physically securable, would it make sense to use weaker fibers that will break before being bent enough to leak light? There would be an increased risk of accidental or malicious breakage. More pliable fiber would have to be used at junctions and bends, and these would have to be physically secured. Added connections between pliable and frangible fibers would increase installation costs and might interfere with transmission.

Yosi September 25, 2007 11:27 AM

Bruce, you are cryptographer. Not optical/electrical/mechanical/etc engineer. Why the hell are you talking about things you have no idea about?
“It’s easy to eavesdrop on a copper cable” – depends, but not that simple as you might think.
“eavesdrop on a fiber optic cable: total hardware cost less than $1,000”
Total BS, as other pointed out already.

electric_cissp September 25, 2007 11:46 AM

Well this is not totally off base. Granted it may cost you a little more than a grand but that all depends on what you have lying around. This WILL work but there are a number of other factors to take into consideration. One, who’s on the fiber, 1 or 1000 users? I could overload the tap itself. Two, where are you applying the tap? Depending on where you are at you may not get anything (inside the wiring closet, back end of the switch, under the street, etc). Same is true for tapping copper. There are several defenses that may be employed to prevent this. Some have talked about using an OTDR but that is only good if you have a baseline and there are ways to defeat a TDR. I believe the point of this article is to make people, especially those who are into security arena, that these types of attacks do take place. Trust me, my RED TEAM, utilize these techniques.

Pigeon Hole September 25, 2007 11:50 AM

@Yosi – To what one single narrow topic would you like us to confine your speech? English grammar?

Yosi September 25, 2007 11:55 AM

“Well this is not totally off base.”
Yes it is. I’m not question the mere possibility to eavesdrop on fiber. But cost of such attack will be match more $1000. Chances that that such action will break several other laws in-process (like digging in private area). Digging? Cutting cables? Jail time awaiting anyone caught in-action.
Costs of such operation will definitely prevail the cost of information intercepted.
You may protect your house with a gun; but you don’t buy SAM.

Jakes September 25, 2007 12:55 PM

Pigeon (—-)Hole: grow up. It’s obvious that Yosi’s first language is not English. Cut him some slack.

Paul Kierstead September 25, 2007 2:55 PM

Wow, fiber fan boys. Count me surprised.

For every measure, there is a counter measure. Each increment generally costs both sides. This very cheap method will attack the cheapest target, naturally the stakes can be moved up. It doesn’t mean it is worthless, it just means it won’t do every fiber cable. Why do so many have to take everything as absolute?

Not That Anon September 25, 2007 3:05 PM

Thank you Paul for injecting a little common sense into this discussion.

How often have we heard that some technique is invincible? It is usually followed by some exploit being released into the wild. Given sufficient motivation and resources, anything can be breached.

That’s all this says. If you disagree, kindly reread Bruce’s books and blog.

Eirik Seim September 25, 2007 5:58 PM

I see comments suggesting the value of information pulled from a fiber this way will be less than the cost of doing it… I actually have a hard time coming up with any business networks that do NOT carry potentially very valuable information.

At the very least, a strategically placed network tap could provide enough information to assist an active network penetration.

Tom September 26, 2007 12:51 AM

Yosi: This blog is titled “Schneier on SECURITY”. Bruce talks about all sorts of interesting things (including squid on Fridays…)

I for one, enjoy nearly all of it.

Anonymous Coward September 26, 2007 1:27 AM

Ummmm, so what…?

Usually business networks (either owned or via a provider) slap on something like triple DES on the end points..

And consumers who use the internet pretty much assume that all their conversations are interceptable and thus use HTTPS (padlock sign here? ok…) or other ways (that are Good Enough) of securing Important communications

Not really bothered if someone sees that am reading/ commenting this blog…

Dom De Vitto September 26, 2007 2:26 AM

The only difference between electrical and optical is the former can be done by induction, without breaking the protective sleeve.
The defenses (ensuring current/light is not lost) and attacks (taps etc.) are pretty much mirrored.
Oh, and fibre-splicing kits are expensive, but you can do it with a razorblade (or just a tight radius!), once you’ve got the knack.
Things are for what they are for, nothing else.

Dom De Vitto September 26, 2007 2:30 AM

Oh, and that’s just passive monitoring.
For $10k, you can go active, and boost the signal transparently – a bit like inserting a powered hub in the path 🙂

Dale September 26, 2007 4:45 AM

Reference:

> Hard to snoop on fiber using any of the bending devices when the fiber is in a pressurized gas conduit. :-}

I know of places that do this. In clear conduit so you can physically see the cable and then you monitor for pressure drops.

paul September 26, 2007 1:47 PM

Dale has it. And has since the mid-80s. People have been doing microbending since then, even using it for fiber-to-fiber coupling.

kg September 26, 2007 5:08 PM

@sooth_sayer “Lastly there is one little thing called encryption used to fiber channels .. almost all 10G and even 2.5G signals have it”

To whose SDH platform are you referring, because neither Fujitsu, Cisco, nor Juniper just “have it” (in some places it can be shoehorned on, on the IP layer, or done in-line externally, but this is hardly the intrinsic property you suggest it to be).

On the 802 front, .1ae is on the way, which will be interesting in this regard, though I’m not aware of shipping product.

Does anyone know how much attenuation a microfiber tap introduces? While certainly detectable, I’m wondering if it could be brought down to be within the margin of error on typical DOM optics.

BillF September 29, 2007 10:40 PM

Interesting… the devices that are shown on the TechRepublic site that lead one to believe that these are fiber optic taps, are indeed, test equipment that bends the fiber to detect the PRESENCE of signals, not to tap into the signal. I suspect that these are two quite different things… follow the link from TechRepublic to Network Integrity and you see once again, the picture of Optical Fiber Identifiers in a paragraph talking about tapping fiber..

Is tapping fiber “possible”?… I suspect so… but showing these pictures and intentionally misleading readers into believing that there are fiber optic taps is poor journalism.

“possible”… but I also suspect very difficult and I wonder about the statement “For less than $1,000, an attacker can purchase the hardware necessary to tap into a fiber run.”

If fiber optic tapping is so common and easy, let’s see some concrete examples, plans and diagrams. Or some documented examples other than the generic security charlatans that consistently say “somebody could”..

Leo June 5, 2008 5:27 PM

Hi guys. If this type of fiber tapping is possible how realistic/practical is it? In general? Say, I tapped into a DWDM fiber hosting 160 channels at 10Gbps each. The tap diagram on TechRepublic uses optical photo decoder, but that’s not all I need to intercept the signal. How do I separate channels now? I have to have a demux equipment that costs tens of thousands of dollars. Let’s say I overcame this problem and I am able to distinguish between all 160 different wavelengths. The article then suggests, “(3). The converter changes the light pulses to electrical information that is placed on an Ethernet cable attached to an attacker’s laptop. The laptop, running sniffer software, provides the attacker with a view into the data traveling through the tapped fiber cable.”
How do I achieve 1.6 Tbps throughput on an Ethernet adapter of a laptop? Isn’t gigabit Ethernet all we have available for laptops nowadays? And where do I get enough CPU cycles from to sniff all that bandwidth flowing through my tap? (Not saying anything about wasting additional CPU cycles on decryption). And even if I achieve that where do I store all the TBytes of data that I am intercepting? Because I’ll need to analyze the data I am looking at to make sense out of them. How do I do this while the data is in “flight”? All of this calls for CPU power and storage space costing millions of dollars. And even if I have all that money how do I implement all this in a field setup? This method of tapping calls for some kind of permanent arrangement. And if that’s true what are my chances of remaining undetected for a prolonged period of time?

Krzysztof October 25, 2011 10:52 PM

Hi All,

Very interesting article. I noticed that most of these discussions are very theoretical, more suited to academia.

I was wondering if anyone has examples of wiretapping (fiber or copper) in commerce? If we could find what is an impact of wiretapping then investing time and money to protect cabling would make more sense.

Thanks all,

Krzysztof

Sneid March 1, 2012 9:49 AM

Hi, I’m looking for some 80:20 fibre splitters. Any online store that you would recommend?

Charles February 18, 2013 10:06 AM

Does anyone know of actual cases of fiber or copper cables being tapped anywhere from a building’s demarcation point to the wiring closet?

I’m wondering how often data theft happens inside a building’s riser system.

Juan May 29, 2013 1:55 PM

Interesting comments gentlemen. As a 45 year careerist in the clandestine world, you can’t even begin to compare tapping between copper and fiber. For starters, you don’t have to tap copper to eavesdrop..just place your pick-up line (coil) near the copper line and you’ll get the intelligence on the line via inductance coupling. On the fiber tapping..the missing word in all your comments is “surreptitiously” All highly sensitive links employ high tech computers which will detect and report and automatically shut down an interruption or degrading of nanoseconds. The one gentleman is absolutely correct however in that nothing in the tech world is impossible..it’s only a matter of how much effort and expense you’re willing to go in order to get it.

unk June 26, 2013 3:01 PM

Most people seem to not realise that most fiber cables exposed to the external world are trunk level commo so tapping and trying to demux multiplexed channels without knowing how many channels and their array isn’t simple. And when you have a kg or kiv sitting on there with daily variable updates trying to decipher and listen in isn’t going to do crap. If a government is not willing to spend money on security then they are idiots.

Jeff June 10, 2016 11:51 AM

Tapping is definitely possible using micro-bending devices. They are used all the time when checking fibers for traffic/light during maintenance and cut-overs so as not to un-intentionally interrupt a traffic carrying fiber. The loss is typically less than .5db. However the extracting of the useable information from that tap would be increasingly difficult especially if the fiber is carrying multiple wavelengths and high capacity 40gig and 80gig traffic on each wave-length! Is it impossible? No expensive and available today? I doubt it. However if you are talking local utility fiber traffic using simple single mode or multi-mode transport systems carrying 10gig or less traffic on a fiber in a single wavelength system (1310, 1550 etc) then it gets easier. I still am not sure the simple Ethernet cable can handle 10gigs but if very short maybe it can. Old school transport systems (SONET,SDH) use proprietary overhead as well. But if your information is primarily IP based then again that gets easier. Defeating or detecting these intrusions would rely on OTDR testing with baseline set-ups. There are already several systems out there that provide this capability. You can set up these systems either on active fiber or dark fiber, perform initial testing when accepting the fiber, input that baseline loss and event information and then set up the system alarm when that baseline changes and where. Some of these are tied into GIS systems that when properly base-lined and input can then show you on a map where the “change” is. You can set-up thresholds on the alarming notifications in very small db’s of loss. My two cents anyway.
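
Added example, not part of Jeff's comment or of any monitoring product: a sketch of the baseline comparison he describes, where the event table accepted at commissioning is compared with a later OTDR scan and an alarm reports what changed and where. The `Event` layout, the function name, the tolerance and threshold values and both traces are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    distance_km: float  # position of the loss event along the fiber
    loss_db: float      # insertion loss measured at that event

# Hypothetical tuning values, not taken from any real system.
POSITION_TOLERANCE_KM = 0.05  # distance jitter allowed between two scans
LOSS_THRESHOLD_DB = 0.1       # smallest loss change that raises an alarm

def compare_to_baseline(baseline, current,
                        pos_tol=POSITION_TOLERANCE_KM,
                        threshold=LOSS_THRESHOLD_DB):
    """Return alarms as (kind, distance_km, delta_db) tuples."""
    alarms = []
    unmatched = list(baseline)
    for ev in sorted(current, key=lambda e: e.distance_km):
        # Pair each scanned event with the nearest baseline event in range.
        near = [b for b in unmatched
                if abs(b.distance_km - ev.distance_km) <= pos_tol]
        if near:
            ref = min(near, key=lambda b: abs(b.distance_km - ev.distance_km))
            unmatched.remove(ref)
            delta = round(ev.loss_db - ref.loss_db, 3)
            if abs(delta) >= threshold:
                alarms.append(("changed", ev.distance_km, delta))
        elif ev.loss_db >= threshold:
            # Loss where the accepted baseline had none: a new bend,
            # splice or inserted device at this distance.
            alarms.append(("new", ev.distance_km, ev.loss_db))
    # Baseline events that vanished mean the path was re-made or re-routed.
    for ref in unmatched:
        alarms.append(("missing", ref.distance_km, -ref.loss_db))
    return alarms

# Constructed traces: connectors at both ends, two splices in between.
BASELINE = [Event(0.0, 0.30), Event(2.10, 0.05),
            Event(5.40, 0.08), Event(8.75, 0.40)]
# Later scan: new 0.4 dB event at 3.62 km, splice at 5.4 km now lossier.
CURRENT = [Event(0.0, 0.31), Event(2.11, 0.05), Event(3.62, 0.40),
           Event(5.41, 0.30), Event(8.75, 0.40)]

if __name__ == "__main__":
    for kind, km, delta in compare_to_baseline(BASELINE, CURRENT):
        print(f"ALARM {kind:8s} at {km:.2f} km ({delta:+.2f} dB)")
```

The threshold has to sit below the loss of the event you want to catch and above the scan-to-scan noise of the instrument, which is why the baseline taken at acceptance matters.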

Simple Solutions Sell February 13, 2017 6:16 AM

  • In-building, campus lines are very vulnerable.
  • agree on trunk security needed
  • great point on local 1310/1550 SM traffic…in the end, everything is local

The benefit has to outweigh the cost to pull fiber that cannot be tapped.

There are alarmed carrier/mechanical solutions, crypto graphics and active analytics to prevent data theft but the focus is on detection of intrusion and tampering.

Physical Layer Protection is necessary.

Gary Weiner October 15, 2017 9:46 PM

I see an entirely new thinking on optical fiber as a bigger part of physically secure transmission links.

Encryption, of course, is fabulous and vital, but keeping any and all software out of the hands of unintended recipients is not a bad idea, either.

Physically Un-Tappable Optical Fiber ideas are gaining support.

Thanks for the excellent blog Bruce, hope things slow down a bit for you, too.

Good discussion needed on the fiber itself!
