26 September 2001: Add responses on tapping repeaters.

23 September 2001: Add responses.

22 September 2001

Comments welcome: jya@pipeline.com


To: M
From: John Young <jya@pipeline.com>
Date: 21 Sept 2001

I've been told that vulnerable points in the telecomm network are the landfalls of undersea cables (especially latest fiber optic), or somewhat offshore if the landfall huts are protected. There are only a relatively small number of these compared to the large number of national cables and wireless systems that branch from them.

The older cables' locations used to be shown on nautical maps to warn off ships, but I do not know if the newest fiber optics are.

Satellites now carry a good amount of traffic once carried only by undersea wire cables but the fiber optics are expected to carry more than satellites.

(Aside: There has been recent discussion on whether NSA can tap the fiber optic cables, and if so, how much more difficult is it than tapping wire cables.)

Another vulnerability is the principal, central operations control facilities of telecomms which monitor national and international systems. There are only a few of these for all nations.

Then there are the interfaces between civilian systems and those for the military. Some military are said to be totally independent of civilian, but nearly all have some civilian aspect, if not that of providing services for classified systems then for interfacing classified and non-classified.

The companies which provide equipment and operational support for highly classified military telecomm systems could be vulnerable in ways the military components are not. There are dozens of these, giants which provide a range of services and smaller specialists. In particular, the companies which provide products and services for communications security would be attractive targets for physical attack, product compromise or personnel subversion.

On vulnerabilities of military systems: the Defense Science Board published a study in March 2001 called "Defensive Information Operations":

http://cryptome.org/dio/dio.htm

This 270 page report outlined vulnerabilities of military and civilian information systems and what needs to be done to protect them. I would guess that it had a classified component not made public.

National military command systems, classified intelligence systems, public emergency communication systems, law enforcement communication systems, and others for which there is little public information, in varying degrees interface with and depend upon civilian telecommunications infrastructure. What I am told is that there are not a whole lot of people who know how the whole thing works and what its most vulnerable points are. ATT, Lucent (Bell Labs), MIT and other US and non-US telecomm research facilities which helped invent, build, modify, upgrade and operate global governmental, military, intelligence and civilian systems, have researchers and databanks on the infrastructure which could be vulnerable to attack, extortion, kidnapping, bribery, burglary, even theft of information on vulnerabilities which might not be discovered for years afterwards, as we have seen in several espionage cases.

Now, you probably know everything I've told you and much more. What do I have to offer that is not frequently discussed on the Net? Not much. I guess I would call attention to the vulnerabilities of physical facilities which house telecomm systems. And in addition to simple burglary I would highlight the hazard of compromising emanations of protected data, especially that data that controls the operation of telecomm systems. Acquisition of that control data and its use to disrupt systems, or to corrupt the data with injection of erroneous commands, is what many national security agencies are probably working very hard on, for defense and for attack.


From: TB
To: <jya@pipeline.com>
Subject: telecom vul.
Date: Sat, 22 Sep 2001 15:16:18 -0600

For the switched network, the key weakness is the 20-30 STPs (signal transfer points) that route the signaling traffic (call setup, billing, teardown, features, etc.) for all calls. The software protocol is called SS7 (signaling system 7).

There are only a few worldwide builders (basically it is a high reliability minicomputer) of these switches, hence it is also vulnerable to software trojans. An example of the impact of software failure was the mid 90's 8 hour collapse of ATT long distance from a common bug (ironically designed to improve failure recovery) that caused the isolation of 80 million subscribers on the east coast.

'Intelligent Network' features such as 800 #'s, calling cards, caller ID, 911, etc. are also handled by the SS7 network.

The cell network tries to go wire line as fast as possible, and also uses SS7 gateways.

Most 'first world' international signalling also goes through international SS7 gateways.

The STP switches (minicomputers) are crosslinked by dual or quad (rarely used) low speed circuits. The box itself is often located in a local switching office or tandem office, with the same level of protection (often pretty good) as the other switches in the CO.


From: DH
To: jya@pipeline.com
Subject: Fiber optic cable tappable? YES
Date: Sat, 22 Sep 2001 16:50:13 -0500

(Aside: There has been recent discussion on whether NSA can tap the fiber optic cables, and if so, how much more difficult is it than tapping wire cables.)

Well, the answer is: if you can tap a copper cable at depth, you can tap a fiber optic cable bundle at depth as well.

Why? Repeaters.

Fiber optic cables only carry their signals for a short distance (relative to the span of the Atlantic Ocean) and must be regenerated at points along the way. This is true because glass passes light of different wavelengths with varying efficiency, and the mirror of the outer surface of the fiber has less than 100% reflectivity. Some light is absorbed, and some is slowed down relative to the rest.

"The first commercial fiber optics system installed in 1977, operated at 45Mb / second with repeaters required at 4 mile intervals." (At the time of his writing in 1986, the maximum was around 30 miles)

Source: p. 418 Dow Jones-Irwin Handbook of Telecommunications, James Harry Green, 1986

Fortunately for the cable-tapper, regeneration is accomplished electronically.

These repeaters can be tapped in a manner quite similar to the copper cable bundles, which also must be regenerated over the vast distances involved. It's cheaper and easier to do this at the repeaters in both types of cable for the simple reason that the splicing is already 90% accomplished; all that must be done is to "make the cable dry" by bringing it into the submersible and open the repeater without alerting the owner.

In the case of cables owned by U.S. companies, one may assume that this trouble can be avoided by cooperation at the fiber headend on dry land, provided the agency tapping them is also based in the United States.

Many sources of information about fiber optic repeaters populate the web, but most concern the FDDI use of fiber optic cable for local area networks of computers.

"A Repeater is used to extend the distance covered by a network or to add more stations to the network. It overcomes limits on the length of a network or the number of stations imposed by electrical characteristics. A single network can be expanded, or small networks can be joined by adding Repeaters. When networks are expanded or joined, each of the smaller networks becomes a segment of the larger network. Each segment has the same limits on length and number of stations as a single network without a Repeater."

"Two types of Fiber Optic Repeaters are described in this manual:

"1. The CBR-2 is intended for applications where the fiber optic segment is less than 2 km in length or a passive star coupler is used with few ports and very short spurs."

"2. The CBR-3 is intended for applications where the fiber optic segment is up to 8 km in length or a passive star coupler is used with many ports or long spurs."

Source: http://www.relcominc.com/carrier-band/handbook/repeatermanual.htm

Some sources specific to Trans-oceanic Fiber Cable also imply how the repeaters are powered:

From the Wall Street Journal, 26-June-86, included without permission.
Survey:  Sharks Prefer AT&T Lines By Wide Margin Over Sprint, MCI

By Bob Davis
Staff Reporter of The Wall Street Journal

Just when American Telephone & Telegraph Co. thought it was safe to go into the water, sharks began dining on its newest undersea telephone-communications cable.

It seems the sharks just can't get enough of AT&T experimental underwater fiber-optic telephone cable near the Canary Islands. They munch on its plastic covering, gnaw on its electrical innards and eventually short-circuit it -- even though they may electrocute [Good clue there...] themselves in the process. At least, "we came up with some pretty effective shark bait," says an AT&T spokeswoman.

At first, AT&T engineers didn't know what was causing the cable failures.  Then they raised the cable and found rows of shark teeth sticking out of it.  "Sharks will always be attracted to magnetic fields," which the fiber-optic cables create, says James Barrett, an AT&T engineering official.

Transatlantic Race

That's the big problem because AT&T is hurrying to complete the world's first transatlantic fiber-optic cable by 1988. The cable uses glass fibers instead of copper wires to transmit conversation and data. AT&T's old cables generally are shark-free because they don't emit much magnetism. But a shark bite helped knock out the Canary Island fiber-optic cable for a full week.

AT&T says it can combat the sharks by reinforcing stretches of the cable with steel wire and quickly patching breaks that occur. But the company's shark problem has attracted another kind of predator."

Some resources:

http://www.agere.com/index.html

http://www.lucent.com/press/1098/981015.nsa.html

http://www.cdmeyer.com/tycointeractive.htm

http://www.newswire.ca/releases/December1999/27/c6852.html


Date: Tue, 25 Sep 2001 14:28:04 +0200
From: Frédéric Grosshans <frederic.grosshans@iota.u-psud.fr>
Subject: Re : Fiber optic cable tappable?

In the file http://cryptome.org/telecomm-weak.htm I could read the following sentence:

> Fortunately for the cable-tapper, regeneration is accomplished electronically.

This is not true anymore, at least for transoceanic cables. Since 1993 (?) the repeaters in the optical fiber networks are all-optical Erbium-doped fiber amplifiers (EDFA). The only electronic part of an EDFA is a laser diode, used only to bring energy to the Erbium ions.

To put it briefly, the EDFA amplifies the signal without "reading" it. This allows complex multiplexing schemes without needing to decode it and encode it again at each repeater. The repeater can therefore be quite simple and inexpensive.

That probably makes the eavesdropping more complex than described in the file, but certainly not impossible. (Since I work in the field of quantum cryptography, I have to concede that my standards for "impossible eavesdropping" are pretty high.)

Frédéric Grosshans

--

Frédéric GROSSHANS
Institut d'Optique - B.P. 147 - F91403 Orsay cedex - France
e-mail définitif/permanent e-mail address : frederic.grosshans@m4x.org
Bureau/Office (33) 1 69 35 88 13        Fax      (33) 1 69 35 87 00    
Labo  /Lab    (33) 1 69 35 87 32        Mobile (33) 6 09 24 29 64


Date: Tue, 25 Sep 2001 21:49:56 +0000
From: Anatole Shaw <anatole@mindspring.com>
Subject: fiber optic repeaters

Says DH at http://cryptome.org/telecomm-weak.htm -- "Fortunately for the [fiber optic] cable-tapper, regeneration is accomplished electronically. These repeaters can be tapped in a manner quite similar to the copper cable bundles..."

But, to quote the European Parliament's 11 July 2001 report on ECHELON, "The new-generation fibreoptic cables use erbium lasers as regenerators -- interception by means of electromagnetic coupling is thus no longer possible! Communications transmitted using fibreoptic cables of this kind can thus only be intercepted at the terminals of the connection."

Just another person paying attention,