Optical networks are vulnerable to several types of security breaches or attacks, typically aimed at disrupting the service or gaining unauthorized access to carried data, i.e., eavesdropping. Depending on the aim of the attack, security breaches can induce financial losses to the clients or cause network-wide service disruption, possibly leading to huge data and revenue losses.
Although optical fibres are immune to electro-magnetic interference and do not radiate carried signals to the environment, the exposure of optical networks to eavesdropping poses a considerable security threat. Eavesdropping in general is aimed at gaining unauthorized access to data in order to collect or analyze traffic. In today’s digital era, eavesdropping occurs on all network layers from the application to the physical layer, with new instances being revealed on an almost daily basis.
Several occurrences of eavesdropping at the optical layer have been recorded, primarily targeting governments and the financial, energy, transport or pharmaceutical sectors. Based on the method of realization, eavesdropping attacks can be classified into attacks with direct access to the unencrypted optical channel and those based on breaching the encryption key in encrypted optical systems.
Eavesdropping via Channel Access (ECA)
A common method of realizing eavesdropping attacks is directly accessing the optical channel via fibre tapping, i.e., removing the fibre cladding and bending the fibre to cause the signal to leak out of the core and onto the photo detector, capturing the information. Tapping devices which can be clipped onto the fibre and cause micro-bends to leak signals and deliver them into the hands of the eavesdropper are easily accessible on the market. Furthermore, existing tapping devices cause losses below 1 dB and can go undetected by commonly used network management systems (NMSs).
To detect such intrusions, the NMS needs to be enhanced with intrusion detection alarms triggered by insertion loss changes on fibre connections. Such detection requires an active monitoring system running across the network. Another possible way of accessing the channel is via monitoring ports, which are typically present at different network components, such as amplifiers, wavelength selective switches (WSSs) or (de)multiplexers. The optical signal is mirrored by an optical splitter to allow connection of monitoring devices without traffic interruption. By obtaining onsite access, an attacker could use these ports to listen to the carried traffic.
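The insertion-loss alarm described above can be sketched as follows. This is an added example, not code from the original article: the power readings are constructed, and the function names, the 20 dB ceiling and the 0.3 dB step threshold are assumptions chosen for illustration.

```python
from statistics import median

# Constructed readings for one fibre span: (tx_dbm, rx_dbm) per polling interval.
# Index 9 is a one-off transient; from index 12 a clip-on tap adds about 0.6 dB.
SAMPLES = [
    (1.0, -17.02), (1.0, -16.98), (1.0, -17.05), (1.0, -17.00), (1.0, -16.97),
    (1.0, -17.03), (1.0, -17.01), (1.0, -16.99), (1.0, -17.04), (1.0, -17.45),
    (1.0, -17.00), (1.0, -17.02), (1.0, -17.58), (1.0, -17.62), (1.0, -17.60),
    (1.0, -17.61), (1.0, -17.59), (1.0, -17.63),
]

def span_loss(samples):
    """Insertion loss in dB for each poll (launch power minus received power)."""
    return [round(tx - rx, 3) for tx, rx in samples]

def ceiling_alarm(losses, ceiling_db=20.0):
    """Coarse absolute-loss alarm (assumed threshold, hypothetical NMS default)."""
    return any(loss > ceiling_db for loss in losses)

def detect_loss_step(losses, baseline_n=8, window=4, threshold_db=0.3):
    """Return (sample_index, step_db) for the first sustained loss increase.

    The baseline is the median of the first baseline_n polls. A sliding
    median over `window` polls suppresses single-sample transients, so only
    a persistent change in insertion loss raises the alarm.
    """
    if len(losses) < baseline_n + window:
        raise ValueError("need at least baseline_n + window samples")
    baseline = median(losses[:baseline_n])
    for end in range(baseline_n + window, len(losses) + 1):
        step = median(losses[end - window:end]) - baseline
        if step >= threshold_db:
            return end - 1, round(step, 3)
    return None

if __name__ == "__main__":
    losses = span_loss(SAMPLES)
    print("ceiling alarm:", ceiling_alarm(losses))
    print("step alarm   :", detect_loss_step(losses))
```

On this data the absolute ceiling never fires, while the baseline comparison flags the sub-1 dB step three polls after it appears and ignores the single transient.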
Eavesdropping via Key Access (EKA)
In order to protect the carried data from eavesdropping, encryption methods are used, implemented in optical transponders. Such encryption cards are commercially available from most vendors. An example solution by Alcatel Lucent relies on encryption of the data packets using encryption keys which are transferred over the NMS, isolated from the data payload. Typically, encryption keys are managed by the end user. However, key management software is installed on the user side, which can serve as another point of attack reaching the operator NMS.
Service degradation attacks
The goal of service degradation attacks at the optical layer is to degrade the quality of service or cause service denial, typically by insertion of harmful signals into the network.
High-Power Jamming (HPJ) Attacks
High-power jamming is realized by inserting an optical signal of excessive power (e.g., 5 – 10 dB above other, legitimate signals) on a legitimate wavelength used in the network.
In networks comprised of fixed Optical Add-Drop Multiplexers (OADMs) without any wavelength blocking functionality (e.g., variable optical attenuators), high-power signals can damage the co-propagating user signals inside their common optical fibres, amplifiers and switches.
In optical switches, jamming signals can affect legitimate signals at the same wavelength by increasing the in-band crosstalk. Signals traversing common physical links with the jamming signal can suffer from out-of-band effects in optical fibres and amplifiers. In fibres, jamming signals give rise to out-of-band crosstalk by leaking to neighbouring channels and/or increasing non-linear effects.
In erbium-doped fibre amplifiers (the most commonly used type of amplifiers), a jamming signal out of the working range can cause so-called gain competition, in which weaker legitimate signals are robbed of gain by the stronger jamming signal, while the attacking signal gets additionally amplified.
Alien Wavelength Attacks (AWA)
In order to allow for network upgrades and efficient transmission of high-capacity connections over the existing infrastructure, operators are forced to implement alien wavelengths in their network.
The presence of alien wavelengths can create a significant vulnerability to network security depending on the management of alien wavelengths. About 40% of networks today are still simple fixed OADM based point-to-point networks where the control and management system has no information on the performance of the alien channels. Consequently, signal power and frequency cannot be controlled. Furthermore, if network nodes are based on splitters and WSSs in a broadcast & select configuration, alien wavelengths are launched in the network unfiltered.
In such systems, alien wavelengths can be exploited to realize various methods of attacks (e.g., jamming) and present a big risk for network providers. In more intelligent networks, the alien wavelengths are managed by the NMS, i.e., a channel is configured as a friendly wavelength, allowing the management system to have information of signal parameters, but still no control over their values. In newer generation networks, a dedicated interface is defined to host alien wavelengths; its role is to tune their power levels, but it still has no control over the frequency of the alien channel.
Signal Insertion on Monitoring ports (SIM) Attacks
All-optical components are equipped with external monitoring ports, which give rise to certain security vulnerabilities. In addition to providing a means for potential eavesdropping, monitoring ports could also be used to insert signals into the network and damage live traffic.
Introduction of software-defined networking (SDN) enables decoupling the data and the control planes, which are vertically integrated in currently used network equipment, and logically centralizes the control plane. Alongside numerous benefits, such as simplified and automated end-to-end service provisioning, better utilization of network resources via infrastructure customization to user requirements, and increased network flexibility, SDN might also introduce certain vulnerabilities to network security.
The most important part of software-defined networks, in general and from a security perspective, is the SDN controller, which serves as a control interface between the hardware and a large set of SDN applications, including applications which perform traffic engineering or gather data. Gaining control over such functionalities might represent a desirable target for malicious attacks. SDN controllers could be used to insert viruses, e.g., harmful applications which connect to the controller and gain access to the data, or potentially hijack the network.
Data Centre Networks
Today’s businesses rely on using multiple data centres located in mutually distant physical locations in order to ensure disaster recovery and business continuity in the presence of failures. To guarantee quick disaster recovery, the stored data and applications must be replicated in multiple data centres. Synchronous replication, in which the storage array which initiates replication waits for the acknowledgment of successful transfer by the receiving storage array, allows for the greatest reduction of data losses in the presence of failures. Because each transfer must be acknowledged before the next one can initiate, the process is very sensitive to the network latency, limiting the maximum distance suitable for synchronous replications to 100 – 200 km.
The replication process can be targeted by attackers who aim at gaining unauthorized access to the data or at service disruption. By inserting an extra length of fibre, the network can suffer a latency attack. Although optical transport network (OTN) frames include the definition of latency measurement, real-time monitoring of latency is not implemented in most networks, which complicates detectability of such attacks.
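The latency monitoring discussed above can be turned into a concrete check, shown here as an added example that is not part of the original article. The round-trip samples are constructed, the group index of 1.468 is an assumed typical value for standard single-mode fibre, and the function names and the 10 µs tolerance are hypothetical.

```python
from statistics import median

C_KM_PER_S = 299_792.458   # speed of light in vacuum
GROUP_INDEX = 1.468        # assumption: standard single-mode fibre near 1550 nm

def us_per_km(n=GROUP_INDEX):
    """One-way propagation delay of 1 km of fibre, in microseconds."""
    return n / C_KM_PER_S * 1e6

def assess_link(baseline_rtt_us, observed_rtt_us, tolerance_us=10.0):
    """Compare round-trip delay against the commissioning baseline.

    Reports the equivalent length of extra fibre and the ceiling on
    strictly serialized synchronous writes (one write per acknowledged
    round trip), before and after the change.
    """
    base = median(baseline_rtt_us)
    now = median(observed_rtt_us)
    delta = now - base
    return {
        "alarm": delta > tolerance_us,
        "rtt_increase_us": round(delta, 1),
        "extra_fibre_km": round(delta / (2 * us_per_km()), 1),
        "serial_writes_per_s_before": int(1e6 / base),
        "serial_writes_per_s_after": int(1e6 / now),
    }

# Constructed round-trip delay samples (microseconds) for an 80 km link,
# e.g. taken from the OTN delay measurement or another RTT probe.
BASELINE_RTT_US = [783.5, 783.4, 783.6, 783.5, 783.4]
OBSERVED_RTT_US = [1028.2, 1028.4, 1028.3, 1028.5, 1028.3]

if __name__ == "__main__":
    for key, value in assess_link(BASELINE_RTT_US, OBSERVED_RTT_US).items():
        print(f"{key}: {value}")
```

A sustained round-trip increase of about 245 µs corresponds to roughly 25 km of added fibre and cuts the serialized write ceiling from about 1276 to 972 per second, which is why the delay should be alarmed on rather than only logged.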
Data Hacks Demonstrate Networks’ Need for Optical Protections
Information technology computer scientists at Karlsruhe Institute of Technology (KIT) have demonstrated how data can be transmitted to LEDs — contained in regular office devices such as a printer — using a directed laser. The demonstration shows the ability for data hackers to secretly communicate with “air-gapped” computer systems over distances of several meters.
According to the team, this shows that in addition to conventional information and communication technology security, critical IT systems must also be protected optically. The collaborative work with researchers from KIT, TU Braunschweig, and TU Berlin was presented in Dec 2021 as the LaserShark attack at the 37th Annual Computer Security Applications Conference (ACSAC). The project focuses on hidden communication via optical channels.
Air-gapped computer or network systems are those that have neither wired nor wireless connection to the outside world. In its demonstration attack, the team showed that an adversary can use a directed laser beam to introduce data into air-gapped systems and retrieve data without additional hardware on the attacked device. “This hidden optical communication uses LEDs already built into office devices, for instance, to display status messages on printers or telephones,” said Christian Wressnegger, a professor and head of the Intelligent System Security Group of KASTEL — Institute of Information Security and Dependability at KIT.
Though they are not designed to do so, LEDs can receive light. By directing laser light to already installed LEDs and recording responses, the researchers established a hidden communication channel over a distance of up to 82 ft that can be used bidirectionally. The channel reached data rates of 18.2 kbit/s inward and 100 kbit/s in the outward direction.
This type of optical attack is possible in commercially available office devices, the researchers said. They published the program code used in their experiments, as well as the raw data of their measurements on the LaserShark project website, to foster future research on covert communication channels and help bridge the air gap.