Eavesdropping on a Fiber Optic Cable

It's easy to eavesdrop on a copper cable; fiber optic cable is much harder. Here's how to eavesdrop on a fiber optic cable: total hardware cost less than $1,000.

Posted on September 25, 2007 at 6:42 AM • 34 Comments

Comments

aze • September 25, 2007 7:58 AM

This is a very high expense attack against a relatively sophisticated enemy. For less than $100 you can get an 80 / 20 passive splitter (80% of light continues undisturbed, 20% is for monitoring). These come for free with most protocol analysers too (at 50k per analyser you'd hope so :-). In this case you just cut the fibre near the middle (or disconnect if you can access the ODF) and reconnect it with the splitter in line. Done quickly at night most victims won't notice and even if they do they'll just be glad the system came up again. "Nobody"'s going to dig a working fibre out of the ground to try to find the cause of even a five minute outage.

winter • September 25, 2007 8:06 AM

So how many of these and other devices are already out there listening? And, as aze pointed out, how many of us out there are going to be checking the lines for them?

uk • September 25, 2007 8:12 AM

I wonder how easy it would be to detect the loss in light and potentially quality on the cable. I once talked to some guy doing installation of optical cable, and he indicated that the receivers might notice the drop in signal quality. Maybe someone knowledgeable can enlighten us here...

monopole • September 25, 2007 8:14 AM

Old Old trick and easily countered by OTDR monitors or cladding mode continuity checking.

monopole • September 25, 2007 8:31 AM

Serious attacks use evanescent couplers and in some cases phase conjugation to dodge the power drop, but if you send along/monitor the cladding modes it will still be very difficult to do an undetected tap.

Microbends are a naturally occurring problem in fiber networks and the bane of cabling w/ fibers. As a result most folks that can afford them have optical time delay reflectometry (OTDR) units ($4k on ebay), essentially one dimensional "RADAR" units. The microbend tap described will light up like a Christmas tree.

Basically this is the fiber equivalent of a script kiddie attack.

sooth_sayer • September 25, 2007 8:36 AM

yes .. this "may" work for 1310 systems (common lan type) cable .. but for buried cables with multiple wavelengths and the loss budget tightly controlled, such a tap will be detected very quickly .. that is if anyone wants to.

Secondly it won't work for all the wavelengths .. that setup will get more elaborate.

Lastly there is one little thing called encryption used to fiber channels .. almost all 10G and even 2.5G signals have it .. and that's not WEP.

Chris S • September 25, 2007 9:10 AM

First, everyone who points out that this is not quite as easy as it seems is correct. And, second, those pointing out that there are standard mechanisms to both prevent and detect this are also correct.

But there are also network managers out there planning a budget, and deciding that since "fiber is naturally secure" they can forego some of these expenses.

This item strikes me as important because of the economics - if the attack against one fiber is $1000, and the defense is an OTDR - per fiber - at $4000 (or cladding monitoring, which likely delivers at least a few false positive$) - then you need to realize that fiber is NOT a cheap security solution. It's a high bandwidth transport mechanism, and with all that data comes all that risk. Plan accordingly.

And although most of us likely don't face really well funded attackers -- http://www.wired.com/news/technology/0,1282,68894,00.html is a reminder of just how many barriers a well funded attacker can overcome.

Chris J • September 25, 2007 9:34 AM

With this attack you are causing loss in the fiber path by bending it to the point it loses its total internal reflective properties. Any microbend, caused by this attack or any other reason, can be picked up by an Optical Time Domain Reflectometer (OTDR).

j • September 25, 2007 9:38 AM

Hard to snoop on fiber using any of the bending devices when the fiber is in a pressurized gas conduit. :-}

Nick • September 25, 2007 10:54 AM

For lines that aren't physically securable, would it make sense to use weaker fibers that will break before being bent enough to leak light? There would be an increased risk of accidental or malicious breakage. More pliable fiber would have to be used at junctions and bends, and these would have to be physically secured. Added connections between pliable and frangible fibers would increase installation costs and might interfere with transmission.

Yosi • September 25, 2007 11:27 AM

Bruce, you are cryptographer. Not optical/electrical/mechanical/etc engineer. Why the hell are you talking about things you have no idea about?
"It's easy to eavesdrop on a copper cable" - depends, but not that simple as you might think.
"eavesdrop on a fiber optic cable: total hardware cost less than $1,000"
Total BS, as other pointed out already.

electric_cissp • September 25, 2007 11:46 AM

Well this is not totally off base. Granted it may cost you a little more than a grand but that all depends on what you have lying around. This WILL work but there are a number of other factors to take into consideration. One, who’s on the fiber, 1 or 1000 users? I could overload the tap itself. Two, where are you applying the tap? Depending on where you are at you may not get anything (inside the wiring closet, back end of the switch, under the street, etc). Same is true for tapping copper. There are several defenses that may be employed to prevent this. Some have talked about using an OTDR but that is only good if you have a baseline and there are ways to defeat a TDR. I believe the point of this article is to make people, especially those who are in the security arena, aware that these types of attacks do take place. Trust me, my RED TEAM utilizes these techniques.

Pigeon Hole • September 25, 2007 11:50 AM

@Yosi - To what one single narrow topic would you like us to confine your speech? English grammar?

Yosi • September 25, 2007 11:55 AM

"Well this is not totally off base."
Yes it is. I'm not question the mere possibility to eavesdrop on fiber. But cost of such attack will be match more $1000. Chances that that such action will break several other laws in-process (like digging in private area). Digging? Cutting cables? Jail time awaiting anyone caught in-action.
Costs of such operation will definitely prevail the cost of information intercepted.
You may protect your house with a gun; but you don't buy SAM.

Jakes • September 25, 2007 12:55 PM

Pigeon (----)Hole: grow up. It's obvious that Yosi's first language is not English. Cut him some slack.

Paul Kierstead • September 25, 2007 2:55 PM

Wow, fiber fan boys. Count me surprised.

For every measure, there is a counter measure. Each increment generally costs both sides. This very cheap method will attack the cheapest target, naturally the stakes can be moved up. It doesn't mean it is worthless, it just means it won't do *every* fiber cable. Why do so many have to take everything as absolute?

Not That Anon • September 25, 2007 3:05 PM

Thank you Paul for injecting a little common sense into this discussion.

How often have we heard that some technique is invincible? It is usually followed by some exploit being released into the wild. Given sufficient motivation and resources, anything can be breached.

That's all this says. If you disagree, kindly reread Bruce's books and blog.

Eirik Seim • September 25, 2007 5:58 PM

I see comments suggesting the value of information pulled from a fiber this way will be less than the cost of doing it... I actually have a hard time coming up with any business networks that do NOT carry potentially very valuable information.

At the very least, a strategically placed network tap could provide enough information to assist an active network penetration.

Tom • September 26, 2007 12:51 AM

Yosi: This blog is titled "Schneier on SECURITY". Bruce talks about all sorts of interesting things (including squid on Fridays...)

I for one, enjoy nearly all of it.

Anonymous Coward • September 26, 2007 1:27 AM

Ummmm, so what...?

Usually business networks (either owned or via a provider) slap on something like triple DES on the end points..

And consumers who use the internet pretty much assume that all their conversations are interceptable and thus use HTTPS (padlock sign here? ok...) or other ways (that are Good Enough) of securing Important communications

Not really bothered if someone sees that am reading/ commenting this blog...

Dom De Vitto • September 26, 2007 2:26 AM

The only difference between electrical and optical is the former can be done by induction, without breaking the protective sleeve.
The defenses (ensuring current/light is not lost) and attacks (taps etc.) are pretty much mirrored.
Oh, and fibre-splicing kits are expensive, but you can do it with a razorblade (or just a tight radius!), once you've got the knack.
Things are for what they are for, nothing else.

Dom De Vitto • September 26, 2007 2:30 AM

Oh, and that's just passive monitoring.
For $10k, you can go active, and boost the signal transparently - a bit like inserting a powered hub in the path :-)

Dale • September 26, 2007 4:45 AM

Reference:

> Hard to snoop on fiber using any of the bending devices when the fiber is in a pressurized gas conduit. :-}

I know of places that do this. In clear conduit so you can physically see the cable and then you monitor for pressure drops.

paul • September 26, 2007 1:47 PM

Dale has it. And has since the mid-80s. People have been doing microbending since then, even using it for fiber-to-fiber coupling.

kg • September 26, 2007 5:08 PM

@sooth_sayer "Lastly there is one little thing called encryption used to fiber channels .. almost all 10G and even 2.5G signals have it"

To whose SDH platform are you referring, because neither Fujitsu, Cisco, nor Juniper just "have it" (in some places it can be shoehorned on at the IP layer, or done in-line externally, but this is hardly the intrinsic property you suggest it to be).

On the 802 front, .1ae is on the way, which will be interesting in this regard, though I'm not aware of shipping product.

Does anyone know how much attenuation a microfiber tap introduces? While certainly detectable, I'm wondering if it could be brought down to be within the margin of error on typical DOM optics.
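Added example (not part of any comment above, and not code from the post): the in-line 80/20 splitter aze describes costs the through path 10·log10(0.8), about 0.97 dB, so a link that goes dark briefly and returns with receive power lower by roughly that amount stands out in DOM history. The readings, the -30 dBm loss-of-signal cutoff and the 0.5 dB step threshold are constructed assumptions; real DOM noise decides how small a step can be flagged.

```python
import math
from statistics import median

LOS_DBM = -30.0  # assumed cutoff: readings at or below this count as loss of signal

def splitter_through_loss_db(through_fraction):
    """Ideal insertion loss (dB) on the through port of a passive splitter."""
    return -10 * math.log10(through_fraction)

def drops_after_outage(samples, min_step_db=0.5, window=5):
    """samples: [(minute, rx_dbm)]. Report each outage followed by a lasting Rx drop."""
    findings, i = [], 0
    while i < len(samples):
        if samples[i][1] > LOS_DBM:
            i += 1
            continue
        start = i
        while i < len(samples) and samples[i][1] <= LOS_DBM:
            i += 1  # skip to the first reading after the link comes back
        before = [p for _, p in samples[max(0, start - window):start] if p > LOS_DBM]
        after = [p for _, p in samples[i:i + window] if p > LOS_DBM]
        if before and after:
            # Medians ignore single noisy readings; compare levels across the gap.
            drop = median(before) - median(after)
            if drop >= min_step_db:
                findings.append({
                    "outage_start": samples[start][0],
                    "outage_minutes": samples[i - 1][0] - samples[start][0] + 1,
                    "drop_db": round(drop, 2),
                })
    return findings

# Constructed data: one Rx reading per minute with +/-0.1 dB jitter.
JITTER = [0.0, -0.1, 0.1, 0.0, -0.1, 0.0, 0.1, 0.0, -0.1, 0.0]

def build(link_dbm, post_outage_loss_db):
    pre = [link_dbm + j for j in JITTER]
    dark = [-40.0] * 5  # five-minute outage
    post = [link_dbm - post_outage_loss_db + j for j in JITTER]
    return list(enumerate(pre + dark + post))

TAPPED = build(-5.0, splitter_through_loss_db(0.8))  # outage, then ~0.97 dB lower
FLAP = build(-5.0, 0.0)                              # outage, same level afterwards

if __name__ == "__main__":
    print("80/20 through loss: %.2f dB" % splitter_through_loss_db(0.8))
    print("tapped link:", drops_after_outage(TAPPED))
    print("ordinary flap:", drops_after_outage(FLAP))
```
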

BillF • September 29, 2007 10:40 PM

Interesting... the devices that are shown on the TechRepublic site that lead one to believe that these are fiber optic taps, are indeed, test equipment that bends the fiber to detect the PRESENCE of signals, not to tap into the signal. I suspect that these are two quite different things... follow the link from TechRepublic to Network Integrity and you see once again, the picture of Optical Fiber Identifiers in a paragraph talking about tapping fiber..

Is tapping fiber "possible"?... I suspect so... but showing these pictures and intentionally misleading readers into believing that there are fiber optic taps is poor journalism.

"possible"... but I also suspect very difficult and I wonder about the statement "For less than $1,000, an attacker can purchase the hardware necessary to tap into a fiber run."

If fiber optic tapping is so common and easy, let's see some concrete examples, plans and diagrams. Or some documented examples other than the generic security charlatans that consistently say "somebody could"..

Leo • June 5, 2008 5:27 PM

Hi guys. If this type of fiber tapping is possible how realistic/practical is it? In general? Say, I tapped into a DWDM fiber hosting 160 channels at 10Gbps each. The tap diagram on TechRepublic uses optical photo decoder, but that's not all I need to intercept the signal. How do I separate channels now? I have to have a demux equipment that costs tens of thousands of dollars. Let's say I overcame this problem and I am able to distinguish between all 160 different wavelengths. The article then suggests, "(3). The converter changes the light pulses to electrical information that is placed on an Ethernet cable attached to an attacker's laptop. The laptop, running sniffer software, provides the attacker with a view into the data traveling through the tapped fiber cable."
How do I achieve 1.6 Tbps throughput on an Ethernet adapter of a laptop? Isn't gigabit Ethernet all we have available for laptops nowadays? And where do I get enough CPU cycles from to sniff all that bandwidth flowing through my tap? (Not saying anything about wasting additional CPU cycles on decryption). And even if I achieve that where do I store all the TBytes of data that I am intercepting? Because I'll need to analyze the data I am looking at to make sense out of them. How do I do this while the data is in "flight"? All of this calls for CPU power and storage space costing millions of dollars. And even if I have all that money how do I implement all this in a field setup? This method of tapping calls for some kind of permanent arrangement. And if that's true what are my chances of remaining undetected for a prolonged period of time?

Krzysztof • October 25, 2011 10:52 PM

Hi All,

Very interesting article. I noticed that most of these discussions are very theoretical, more suited to academia.

I was wondering if anyone has examples of wiretapping (fiber or copper) in commerce? If we could find what is an impact of wiretapping then investing time and money to protect cabling would make more sense.

Thanks all,

Krzysztof

Sneid • March 1, 2012 9:49 AM

Hi, I'm looking for some 80:20 fibre splitters. Any online store that you would recommend?

Charles • February 18, 2013 10:06 AM

Does anyone know of actual cases of fiber or copper cables being tapped anywhere from a building's demarcation point to the wiring closet?

I'm wondering how often data theft happens inside a building's riser system.

Juan • May 29, 2013 1:55 PM

Interesting comments gentlemen. As a 45 year careerist in the clandestine world, you can't even begin to compare tapping between copper and fiber. For starters, you don't have to tap copper to eavesdrop..just place your pick-up line (coil) near the copper line and you'll get the intelligence on the line via inductance coupling. On the fiber tapping..the missing word in all your comments is "surreptitiously". All highly sensitive links employ high tech computers which will detect and report and automatically shut down an interruption or degrading of nanoseconds. The one gentleman is absolutely correct however in that nothing in the tech world is impossible..it's only a matter of how much effort and expense you're willing to go in order to get it.

unk • June 26, 2013 3:01 PM

Most people seem to not realise that most fiber cables exposed to the external world are trunk level commo so tapping and trying to demux multiplexed channels without knowing how many channels and their array isn't simple. And when you have a kg or kiv sitting on there with daily variable updates trying to decipher and listen in isn't going to do crap. If a government is not willing to spend money on security then they are idiots.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.