Re: Fiber optic vampire taps

["Talisker" <offthecuff () lineone net>]

Hi

Fibre can be tapped, the first and most noticeable is to break the fiber
insert your TAP and then re-enable the circuit.  Intrusion Inc demonstrated
a pretty cool Fiber TAP to me at
http://www.intrusion.com/products/technicalspec.asp?lngProdNmId=39&lngCatId=
4
There are 2 problems with doing this covertly, the first is that the circuit
has to be broken, but as you can fusion splice 4 new tails on in around 1
minute this will just be seen as a glitch by most and be ignored.   However,
most fiber circuits do have records regarding their losses which are
available for scrutiny and can be compared, introduction of a fusion splice,
if my memory serves me correctly, will introduce around 3dB loss.  That is
when I do a fusion splice experts reduce this significantly almost to the
point where there is no significant loss.

Optical Time Domain Reflectometers (OTDR) will graph losses over distance,
this is a great security tool and you can see splices and TAPs in line.
However, unless the losses are significant you need a benchmark OTDR graph
for each fiber.  Furthermore, fibers do degrade over time, especially in
areas with X-Ray radiation (hospitals etc)  therefore it would be difficult
to identify if an anomaly was malicious or just degradation.   As an OTDR
plots over distance you can see where the problem is ie 300' from point A

Back to the original question, vampire TAPs are feasible by removing the
cladding and bending the fiber such that the refractive index is altered
allowing some light to escape.  2 years ago when I asked an expert the same
question I was told that the multiplexing and complex makeup of channels
make it very difficult to reconstitute meaningful data, especially as
today's bandwidth increases.  Vampire TAPs are detectable with an OTDR.

I used to use fiber transceivers which would alarm if the signal strength
dropped, but after 12 months of 900 devices with 600KM of fiber alerting,
the false positive rate was unmanageable.

Hope this helps

take care
-andy
Taliskers Network Security Tools
http://www.networkintrusion.co.uk
----- Original Message -----
From: "Alvey Robert W KPWA" <AlveyRW () kpt nuwc navy mil>
To: <nick () systemsecuritysolutions com>; <security-basics () securityfocus com>
Sent: Monday, December 23, 2002 10:47 PM
Subject: RE: Fiber optic vampire taps


> In order to tap into a fiber line you have to break the sheath.  The
signal
> is entirely optic, if you don't break the sheath you can't even see the
> signal.  However, even if someone does decide to break into it then
they've
> got another problem, exactly how to do it, it's extremely difficult
because
> any sort of tapping into the signal seriously degrades the link, that's if
> it doesn't go down entirely, and it would be immediately noticeable if
> someone was tapping into your fiber line.
>
> -----Original Message-----
> From: Nick Iglehart [mailto:nick () systemsecuritysolutions com]
> Sent: Friday, December 20, 2002 3:41 PM
> To: security-basics () securityfocus com
> Subject: Fiber optic vampire taps
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have a client who has a fiber optic line between two buildings.
> There is no physical security and so they are concerned about someone
> tapping into the fiber line and capturing data.
>
> I read something a while back about tapping fiber optic lines without
> breaking the sheathing and now I can't seem to find anything but vague
> references to it.  I have googled for hours and checked the sf archives
with
> no luck.  Anyone have any references to this?  Any help is appreciated.
>
> Nick
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPgOqcKq/UK5/FuEgEQJrawCgqX64DN0KqFv4h373stMEcU70vB8AoMZ3
> 9YU6ysv+TwubV0jkbfAJ3K5n
> =LoN2
> -----END PGP SIGNATURE-----