|
|
|
Two AltNets are currently installing fibre networks in my village. After 30+ years of very indifferent broadband coverage by OR, and given that OR presently have no plans for FTTP here within the next 5 years, it's all rather exciting.
I understand that most Altnets use Passive Optical Network (PON) topology. This implies that all packets go to all users who are downstream from the same splitter. Presumably each ONT filters out packets intended for other users by some address mechanism?
If Moriarty is on the same splitter as me, how easy would it be for him to hack his ONT so that he can read my stuff? Sort of like an ethernet sniffer in promiscuous mode? Or should everything sensitive on such a network be end to end encrypted?
|
|
|
Two AltNets are currently installing fibre networks in my village. After 30+ years of very indifferent broadband coverage by OR, and given that OR presently have no plans for FTTP here within the next 5 years
... or at least not yet announced ...
it's all rather exciting.
I understand that most Altnets use Passive Optical Network (PON) topology.
As does Openreach.
This implies that all packets go to all users who are downstream from the same splitter. Presumably each ONT filters out packets intended for other users by some address mechanism?
If Moriarty is on the same splitter as me, how easy would it be for him to hack his ONT so that he can read my stuff? Sort of like an ethernet sniffer in promiscuous mode? Or should everything sensitive on such a network be end to end encrypted?
The OLT<=>ONT traffic is encrypted using AES in both directions. However as far as I can tell, the keys are generated by the ONT and sent in the clear; the security relies on the fact that it's very hard for one ONT to sniff packets sent upstream by another ONT (since the majority of light arriving at the splitter will continue upstream). More details in this paper.
In any case, the PON uses two different wavelengths for send/receive; the ONT is tuned to send on one wavelength, and receive on a different one, with very strong filters to allow simultaneous transmit and receive. This means that an attacker would need to plug in highly specialised equipment to learn the keys of other users; just changing the firmware on an ONT would be insufficient.
Therefore, it's very likely that your neighbour is not going to be able to read your traffic. You should however assume that the spooks *can* read your traffic, since they'll have access further up into the network anyway.
|
|
|
|
All your downstream packets are AES-128 encrypted (as per the GPON standard) and your upstream packets are on different TDM timeslots.
Man in the middle attacks are theoretically possible, and there have been academic papers published in the past on the topic, but the security for GPON etc standard is fairly robust.
Incidentally the same technology is used by Openreach and CityFibre as well as the various AltNets with the exception of those that use point-to-point technology for the customer loop.
|
|
|
You should however assume that the spooks *can* read your traffic, since they'll have access further up into the network anyway.
Therein lies the rub.
|
|
|
If Moriarty is on the same splitter as me, how easy would it be for him to hack his ONT so that he can read my stuff? Sort of like an ethernet sniffer in promiscuous mode? Or should everything sensitive on such a network be end to end encrypted?
To do a proper man-in-the-middle attack Moriarty would not only need to defeat the encryption key exchange / renewal process, he would also need to physically splice into the PON at some point.
Even though upstream traffic is not encrypted, to be able to see your (or any other ONT's) upstream traffic, Moriarty would need to either insert a 'sniffing' splitter in front of the main 32-way PON splitter. Easier said than done.
Moriarty would have to actively amplify the signal, at the point he spliced his 'sniffing' splitter into the PON - without doing so and inserting a passive two-way splitter into an active PON would drop the light levels in the PON - either simply knocking all the OLTs in the PON out completely and/or triggering a management alarm on the OLT as the light levels from all the other ONTs would suddenly halve...
When OR/CityFibre/AltNet then fire an OTDR trace down the PON they would be somewhat surprised to 'see' an extra splitter in the PON I dare say.
|
|
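The light-level drop described in the post above, as an added example that is not part of the thread or of any operator's or vendor's OLT software: a check that separates a loss seen by every ONT at once (shared feeder fibre) from a loss on one drop fibre. The ONT names, thresholds and readings are constructed assumptions.

```python
import math
from statistics import median

# Ideal loss of a passive 1:2 split: half the light, about 3.01 dB.
TAP_LOSS_DB = 10 * math.log10(2)

def step_drop_db(samples, window=3):
    """Median of the readings before the last `window` minus median of the last `window` (dB)."""
    before, after = samples[:-window], samples[-window:]
    return median(before) - median(after)

def classify_pon(rx_dbm_by_ont, min_drop_db=2.0, quorum=0.9, spread_db=1.0):
    """Classify a PON from per-ONT receive-power histories at the OLT (dBm, oldest first).

    'common-mode-drop': nearly every ONT lost a similar amount at once, which points
                        at the shared fibre (extra splitter, tight bend, bad splice).
    'single-ont-drop' : only some ONTs dropped, which points at a drop fibre or connector.
    'ok'              : no ONT crossed the threshold.
    Thresholds are illustrative assumptions, not values from any standard.
    """
    drops = {ont: step_drop_db(s) for ont, s in rx_dbm_by_ont.items()}
    hit = [d for d in drops.values() if d >= min_drop_db]
    if not hit:
        return "ok", drops
    same_size = max(hit) - min(hit) <= spread_db
    if len(hit) / len(drops) >= quorum and same_size:
        return "common-mode-drop", drops
    return "single-ont-drop", drops

def constructed_history(start_dbm, loss_db, n_before=6, n_after=3):
    """Constructed sample: steady readings, then a step loss of `loss_db`."""
    return [start_dbm] * n_before + [round(start_dbm - loss_db, 2)] * n_after

# Constructed PONs with 8 ONTs each (a real PON in the thread has a 32-way splitter).
TAPPED_PON = {f"ont-{i}": constructed_history(-18.0 - i * 0.5, TAP_LOSS_DB)
              for i in range(8)}
ONE_BAD_DROP = {f"ont-{i}": constructed_history(-18.0 - i * 0.5, 4.0 if i == 3 else 0.0)
                for i in range(8)}
HEALTHY_PON = {f"ont-{i}": constructed_history(-18.0 - i * 0.5, 0.0) for i in range(8)}

if __name__ == "__main__":
    for name, pon in (("tapped", TAPPED_PON), ("one bad drop", ONE_BAD_DROP),
                      ("healthy", HEALTHY_PON)):
        verdict, drops = classify_pon(pon)
        print(name, verdict, {k: round(v, 2) for k, v in drops.items()})
```

A common-mode result only localises the loss to the shared fibre; the OTDR trace mentioned in the post is what would show where on that fibre the new loss sits.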
|
|
Thanks guys for prompt replies. Especially for the referenced paper, which looks very interesting, and which I will read with care. (I knew a Tomas Horvath in a previous life, but I don't think it can be the same one.)
Sorry if it was a dumb question, but up until a few weeks ago FTTP was a distant dream in this neck of the woods, and I hadn't paid much attention to it. I'm now trying to get up to speed asap.
I'm sure OR have all sorts of plans that they haven't announced. I'm retired and an OAP, and have no access to inside info. I can only go by what OR publish on their website. Also I didn't say anything about OR's fibre network design, PON or otherwise. That's irrelevant here, and I haven't gone into it.
I am also aware that the spooks can read more or less anything they want to, notwithstanding any end to end encryption that I might be able to deploy. The Snowden disclosures in 2013 left little doubt about that, and I'm sure they haven't stood still since then. As I type this I'm wearing a T-shirt that reads: "GCHQ - always listening to our customers".
|
|
|
Thanks guys for prompt replies. Especially for the referenced paper, which looks very interesting, and which I will read with care. (I knew a Tomas Horvath in a previous life, but I don't think it can be the same one.)
Sorry if it was a dumb question, but up until a few weeks ago FTTP was a distant dream in this neck of the woods, and I hadn't paid much attention to it. I'm now trying to get up to speed asap.
I'm sure OR have all sorts of plans that they haven't announced. I'm retired and an OAP, and have no access to inside info. I can only go by what OR publish on their website. Also I didn't say anything about OR's fibre network design, PON or otherwise. That's irrelevant here, and I haven't gone into it.
I am also aware that the spooks can read more or less anything they want to, notwithstanding any end to end encryption that I might be able to deploy. The Snowden disclosures in 2013 left little doubt about that, and I'm sure they haven't stood still since then. As I type this I'm wearing a T-shirt that reads: "GCHQ - always listening to our customers".
If you were not on a list, after that admission you now are.
|
|
|
Two AltNets are currently installing fibre networks in my village. After 30+ years of very indifferent broadband coverage by OR, and given that OR presently have no plans for FTTP here within the next 5 years, it's all rather exciting.
Given that BT only launched a commercial ADSL service in 2000, that's pushing it a bit!
|
|
|
|
Maybe so, but I'm old enough to remember having used acoustic couplers and V.21 modems at 300/300 bps!
I can recall what an advance V.32 was, offering 9600/4800 bps.
|
|
|
I raise you Prestel 1200/75 (bits per second, not megabits per second). And people complain about asymmetric speeds these days.
|