There are spies in your fibre!

By Benjamin Cher April 15, 2016

Eavesdropping on fibre-optic cables now possible with off-the-shelf equipment
Encryption doesn’t help – you need to get physical, says one expert

MOST of the world’s Internet traffic passes through mostly unsecured undersea cables – you know, the ones that are sometimes damaged by ships, bringing surfing speeds to a crawl and leading to you cursing your ISP (Internet service provider).

That is actually the least of it. These unsecured cables also allow anyone with the proper equipment to peer into Internet traffic. And this kind of equipment can now be had for a low price.

Fibre-optic networks used to be considered safe from cyber-eavesdropping, but that has changed, warns Scott Penno, Asia Pacific regional marketing manager at Allied Telesis.

“If you were to have asked me this question three to five years ago, I would have said it is a near impossible task – or almost practically impossible – because the methods available to tap information from fibre-optic networks were expensive,” he says.

“In fact, one of the key attractive characteristics of optical fibre was its immunity to eavesdropping.

“But now, as surveillance technology has progressed, it has become a threat.

“Fibre-optic cables can be easily intercepted, interpreted and manipulated using standard off-the-shelf equipment that can be obtained throughout the world,” he adds in a recent conversation with Digital News Asia (DNA) in Singapore.

Currently, most networks do not have any method to detect such taps, making it easy and safe for intruders to conduct state and corporate espionage.

“In Asia, we hear concerns coming more from nation-states due to the terrorist threat,” says Penno.

“From the attacks in Bangkok, Paris, Turkey, and Jakarta, to the most recent one in Brussels, the possibility of terrorist groups eavesdropping on fibre-optic network is certainly there, and it does get on the nerves of governments,” he says.

READ ALSO: Cybersecurity a constant battle: F-Secure CEO

Light-tapping

There are spies in your fibre! Fibre-optic cables transmit information via light, and to any layperson, this might make it seem impossible to tap and listen into.

However, this is far from the case, with low-cost solutions already out in the wild, according to Penno (pic).

“It has been demonstrated that optical fibre can be tapped without the fear of being detected using a low cost ‘clip-on coupler.’

“This is a temporary coupler used to connect a fibre-optic instrument to a single-mode fibre when access to the fibre end is not possible,” he says.

In other words, the clip-on coupler is able to bend the optical fibre to tap the signal without having to access the end of the cable.

While current taps have a less-than-ideal insertion loss – the loss of signal strength when a component is inserted into a transmission or network – they are sufficient to allow corporate and nation-state espionage.

“Optical taps with an insertion loss of 3dB (decibels) are available for less than US$1,000,” says Penno.

“Military and intelligence organisations need a lower insertion loss, such as 0.5dB,” he adds.

Physical protection

With geopolitical tensions in the world rising, and the terror threat always looming, Penno believes that it would only be a matter of time before fibre-optic eavesdropping becomes part of the arsenal.

Encryption can help, but only to an extent – there are still ways to crack encrypted traffic using Secure Socket Layer (SSL), a protocol used to manage the security of messages transmitted via the Internet, he notes.

But this is where intrusion prevention systems built into the physical layer can help, he argues.

“Nations and businesses can protect their secrets and existence by continuously having protocol-independent, real-time physical layers monitoring their fibre-optic networks,” he says.

“Physical layer intrusion prevention systems can identify and differentiate between optical signal injections and eavesdropping, cable breaks, transients, receiver overloads, and high optical loss,” he adds.

As with most aspects of cybersecurity, detection is the first step. Such systems can figure out which fibre is being tapped, and then traffic can be routed around it.

“We need to monitor both primary and backup paths, then isolate the affected path,” says Penno.

The system can “then re-route traffic using route protection switching, then finally, notify the management system,” he adds.

Companies would still have to install hardware in front of the fibre switch to ensure the cables remain untapped, he notes.

Related Stories:

Encryption genie is out of the bottle: Ex-NSA director