The growing security risk of fibre tapping

Data traversing wide area networks is under growing threat from fibre tappers, as Stuart Sumner reports

Routine maintenance work or a cleverly disguised team of fibre tappers in action?

Corporate datacentres, with their vast stores of business-sensitive information, present a tempting target for criminal groups. Unfortunately for the would-be cyber crook, today’s enterprise security systems are so sophisticated that hacking into an enterprise datacentre is nigh on impossible.

But what if there were another way to get at this valuable data that circumvented most traditional security software?

Welcome to the shady world of fibre tapping, where instead of physically accessing a site or attempting to hack into it, the cyber criminal simply taps the optical fibre leading up to it.

Cases of fibre tapping are relatively rare, but with the cost of fibre tapping devices falling and the number of enterprises storing sensitive data in remote datacentres growing in tandem with the rise of cloud computing, many more are likely in the future.

“Industrial espionage is happening today,” said Christian Illmer, senior director at ADVA Optical Networking. “Over 50 per cent of German enterprises [for example] are confronted with economic espionage and tapping attacks today.”

So why have these attacks not been more widely reported? Illmer pointed out that rules governing disclosure are not consistent around the world.

“Would you tell your customers if you lost data? Probably not,” he said. “What we’ve seen so far is the tip of the iceberg.”

In the past this form of espionage was the sole preserve of intelligence agencies. Today, the capability is within the reach of a well-funded hacker.

“You can buy a non-intrusive tapping device on eBay for about $1,000 (£633),” said Illmer. “The data stream isn’t interrupted, you just take some of the light.”

He explained that this form of non-intrusive attack is very difficult to detect. If a user were monitoring the link, they would see only a very slightly higher level of loss, perhaps from 20dB to 21dB. This is certainly not sufficient to trigger many alarms, he added.
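As an added illustration (not code from the article or from ADVA), the sketch below shows why a fixed loss limit stays silent on the 20dB-to-21dB rise described above, while a check against the link's own learned baseline flags it. The readings, the 23dB limit and the detector parameters are constructed assumptions.

```python
from statistics import median

# Constructed sample data: one span-loss reading (dB) per polling interval.
NOISE = [0.0, 0.05, -0.05, 0.1, -0.1, 0.02]
READINGS = [20.0 + NOISE[i % 6] for i in range(24)]       # healthy link
READINGS[18] = 20.7                                       # one-off transient
READINGS += [21.0 + NOISE[i % 6] for i in range(24, 40)]  # +1 dB from sample 24

ABS_LIMIT_DB = 23.0  # assumed fixed alarm limit taken from the link budget


def absolute_alarm(readings_db, limit_db):
    """Index of the first reading above a fixed loss limit, or None."""
    for i, loss in enumerate(readings_db):
        if loss > limit_db:
            return i
    return None


def step_alarm(readings_db, window=12, delta_db=0.5, persist=3):
    """Index at which a sustained rise over the learned baseline is confirmed.

    The baseline is the median of the last `window` readings accepted as
    normal. Readings at least `delta_db` above it are kept out of the
    baseline, so an abrupt step is not absorbed as the new normal, and
    `persist` consecutive exceedances are required so that a single noisy
    sample does not raise an alarm.
    """
    baseline_samples = list(readings_db[:window])
    run = 0
    for i in range(window, len(readings_db)):
        baseline = median(baseline_samples)
        if readings_db[i] - baseline >= delta_db:
            run += 1
            if run >= persist:
                return i
        else:
            run = 0
            baseline_samples = baseline_samples[1:] + [readings_db[i]]
    return None


if __name__ == "__main__":
    print("fixed limit fired at:", absolute_alarm(READINGS, ABS_LIMIT_DB))
    print("baseline check fired at:", step_alarm(READINGS))
```

A gradual rise smaller than `delta_db` per window would still be learned as normal, so a check like this complements rather than replaces periodic OTDR sweeps and encryption of the link.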

So criminals can access the data stream, but whether or not the information is of any use to them is another question. The amount of data travelling over a length of fibre can be huge, with commercially available Wave Division Multiplexing (WDM) systems enabling 64 or more simultaneous data streams.

“If you’re tapping into a link, you have to know what you’re looking for,” said Illmer. “There could be as many as 80 data streams.”

One way in which cyber criminals can siphon data is by using a protocol analyser, which intercepts and logs the passing traffic, as well as analysing its content. At a basic level, it helps to separate the wheat from the chaff.

The hacker then knows where to focus their efforts, so the most valuable information is captured. The risk of detection is low, up-front investment is low, operating costs are next to nothing, but the potential reward is high. Any legitimate enterprise would jump at such a business model.

There are steps that a business can take to protect itself, however. It could, for example, ensure that it controls access to the land in which the fibre is buried, but this can be both impractical and expensive.

An alternative is to provide physical protection to the fibre cabling in the form of a steel tube. A current can be passed over the tube to monitor its integrity, so that if a persistent hacker does manage to penetrate it, at least there is a warning.

However, this approach is expensive, and not infallible. If a hacker has the means to tap a length of fibre and analyse its data, the chances are they also have the means to penetrate a length of steel.

There are tools available to monitor optical performance across the fibre, such as optical time-domain reflectometers (OTDR), which can reveal fibre breaks or bends, deficient fibre splices, damaged connectors and other faults that degrade or destroy the performance of services.

“You can also use OTDR to see where an illegal tap is,” said Illmer. “But it takes time to react, and during that time you’re losing your data.”

The security technique recommended by Illmer is encryption. A criminal may still gain access to the data, but without the decryption key, it will be of no value.

A business can use file system encryption on a server, but this uses valuable CPU time, and requires implementation on a per-server basis, meaning it cannot be centrally managed.

It can also encrypt the backup system, which again consumes CPU capacity, reducing backup performance, and crucially does not secure the original data in transit.

The method recommended by Illmer is on-the-fly encryption, where devices are set up at both ends of a network connection to ensure that the data passing through is secure.

Illmer urges enterprises to consider the threats, and implement the necessary strategies to frustrate criminal groups.

“The consequences of a breach could be devastating,” he said.