RE: Fiber optic vampire taps

[<David () cawdgw net>]

If I remember correctly, it was about five years ago that the mandate came
out of the NSA that Protected Distribution Systems (PDS's) with fiber were
required to be metal vice plastic, because a monitoring technique had come
out that could "read" the pulses on the strands from something like a meter
away.

This might be absolute male bovine excretement, but when I questioned the
reasoning based on the requirement for intrusion detection of the PDS, as
emissions on fiber did not occur, I was told signalling could be detected
through plastic at close range, whereas through metal the emissions would be
too weak to read. I'd think the only emission from fiber whould have to be
heat in the infrared range.

I'm unable to find any mention of this anywhere. Just a document from the
NSA making the requirement.



-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net]
Sent: Monday, December 23, 2002 8:27 PM
To: Nick Iglehart
Cc: security-basics () securityfocus com
Subject: Re: Fiber optic vampire taps


I believe, if my memory isn't failing me, that I read mention of
this a few years back; perhaps research in AT&T? The cladding does
indeed have to be stripped clear, baring the naked fiber. Then the
fiber is carefully, delicately bent past its minimum rated radius of
curvature, in a little jig that holds a receiving fiber positioned
to pick up the light as it leaks out.

I suspect impedence matching would be tough, so I suspect the end
result would have a very low signal level. I don't know whether some
sort of optical amplifier, or perhaps custom NIC hardware with a
higher-than-usual sensitivity listening device, would be required to
actually decode the tapped the light.

I've never heard of these gizmos being available commercially.

This situation is why many regard fiber as intrinsically fairly
secure.

In principle, a detector could report on received light levels with
enough sensitivity to detect a successful attack on the fiber.
Another grade of kit I've not heard of for sale.

Perhaps it would be easier to do your own manual attenuation;
perhaps deliberately coil a little of the fiber at one end, gently
tightening the coil (past minimum recommended radius of curvature)
until the attenuation causes actual packet loss, then backing off
slightly; if you had a fiber that just _barely_ didn't work, any
attempt to tap it would push it badly into packet loss, so normal
network monitoring should be able to detect a tapping attempt.

The traditional solution, when you are concerned about such, is to
armor the whole fiber run in pressurized conduit, set alarms to go
off if the conduit pressure changes, then post guards keeping a
close enough watch to prevent someone from setting up a pressure box
to set up their tap.

-Bennett