Short: Trust The Wire, They Always Told Me! On Practical Non-Destructive Wire-Tap Attacks Against Ethernet
Matthias Schulz, Patrick Klapper, Matthias Hollick, Erik Tews, Stefan Katzenbeisser
Ethernet technology dominates enterprise and home network installations and is present in datacenters as well as parts of the backbone of the Internet. Due to its wireline nature, Ethernet networks are often assumed to intrinsically protect the exchanged data against eavesdroppers and malicious attackers who do not have physical access to network devices, patch panels and network outlets. In this work, we practically evaluate how resistant wired Ethernet installations are to eavesdropping by wireless means, using off-the-shelf software-defined radio platforms. Our results clearly indicate that twisted-pair network cables radiate enough electromagnetic energy to reconstruct transmitted frames with negligible bit error rates, even when the cables are not damaged at all. Since this allows an attacker to remain undetected, it underlines the need for link layer encryption or physical layer security to protect confidentiality.
It is often assumed that Ethernet cables are less prone to eavesdropping than wireless technologies when attackers do not have physical access to the network cable and devices. This paper challenges that assumption by performing a wireless probing attack on 10BASE-T Ethernet over twisted-pair cables and comparing its success across several types of cable shielding. The results show that near-field probes can capture data exchanged over the Ethernet wire without tampering with it or damaging it in any way.
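To make concrete what "reconstructing frames with negligible bit error rates" involves once a capture exists, here is an added illustration that is not the paper's code and does not claim to reproduce the authors' signal-processing chain. It encodes a constructed Ethernet frame the way 10BASE-T does (Manchester, octets serialised LSB first, 7 preamble octets plus the 0xD5 start-of-frame delimiter, CRC-32 FCS), adds Gaussian noise standing in for what a near-field probe and SDR front end would deliver, then decodes, resynchronises on the SFD and verifies the FCS. The oversampling factor, the noise model and the frame contents are assumptions chosen for the demo.

```python
"""Recovering a 10BASE-T frame from a noisy Manchester waveform.

Constructed illustration, not code from the paper: a frame is Manchester-encoded
as 10BASE-T does, corrupted with Gaussian noise standing in for a near-field
probe plus SDR front end, then decoded, re-synchronised on the SFD and checked
against its CRC-32 frame check sequence.
"""
import random
import struct
import zlib

SAMPLES_PER_BIT = 8  # assumed oversampling of the 10 Mbit/s signal (80 MS/s)
PREAMBLE = b"\x55" * 7 + b"\xd5"  # 7 preamble octets + SFD, as in IEEE 802.3


def build_frame(dst: bytes, src: bytes, ethertype: bytes, payload: bytes) -> bytes:
    """Ethernet II frame with FCS (CRC-32, appended least-significant byte first)."""
    body = dst + src + ethertype + payload
    return body + struct.pack("<I", zlib.crc32(body))


def bytes_to_bits(data: bytes) -> list:
    """Ethernet serialises each octet LSB first."""
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    return bytes(sum(bit << j for j, bit in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def manchester_encode(bits: list, spb: int = SAMPLES_PER_BIT) -> list:
    """IEEE 802.3 Manchester: a 1 is a low-to-high mid-bit transition, a 0 high-to-low."""
    half = spb // 2
    out = []
    for bit in bits:
        first, second = (-1.0, 1.0) if bit else (1.0, -1.0)
        out += [first] * half + [second] * half
    return out


def manchester_decode(samples: list, spb: int = SAMPLES_PER_BIT) -> list:
    """Integrate each half-bit cell and compare the halves; tolerates moderate noise."""
    half = spb // 2
    return [1 if sum(samples[i + half:i + spb]) > sum(samples[i:i + half]) else 0
            for i in range(0, len(samples) - spb + 1, spb)]


def find_sfd(bits: list) -> int:
    """Index of the first data bit after the SFD, or -1 if no sync is found.
    Matching the last four octets of preamble+SFD keeps false syncs negligible."""
    pattern = bytes_to_bits(PREAMBLE[-4:])
    for i in range(len(bits) - len(pattern) + 1):
        if bits[i:i + len(pattern)] == pattern:
            return i + len(pattern)
    return -1


def recover(samples: list, expected: bytes, spb: int = SAMPLES_PER_BIT):
    """Decode a capture: bit error rate against the known frame and whether the FCS verifies."""
    bits = manchester_decode(samples, spb)
    start = find_sfd(bits)
    if start < 0:
        return None  # could not even lock onto the preamble
    want = bytes_to_bits(expected)
    got = bits[start:start + len(want)]
    if len(got) < len(want):
        return None
    ber = sum(a != b for a, b in zip(got, want)) / len(want)
    frame = bits_to_bytes(got)
    fcs_ok = zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0]
    return {"ber": ber, "fcs_ok": fcs_ok, "frame": frame}


def simulate(noise_sigma: float, seed: int = 1, spb: int = SAMPLES_PER_BIT):
    """Transmit one constructed frame and try to recover it at the given noise level."""
    rng = random.Random(seed)
    frame = build_frame(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb",
                        b"\x08\x00", b"constructed payload for the eavesdropping demo")
    clean = manchester_encode(bytes_to_bits(PREAMBLE + frame), spb)
    idle = [0.0] * (16 * spb)  # line quiet before the frame; only noise is picked up
    captured = [s + rng.gauss(0.0, noise_sigma) for s in idle + clean]
    return recover(captured, frame, spb)


if __name__ == "__main__":
    for sigma in (0.3, 1.0, 3.0):
        print(f"noise sigma {sigma}: {simulate(sigma)}")
```

At low noise the frame comes back bit-exact and the FCS verifies, which is the attacker's practical success criterion: a valid FCS means the reconstructed frame can be fed to any protocol parser as if it had been captured on the wire. As the noise grows, the decoder first loses individual bits (FCS fails, but the frame is still largely readable) and finally loses preamble lock altogether. The same FCS check is what a real eavesdropper would use to grade a capture without knowing the transmitted data.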
The reviewers found the implementation and evaluation of the attack compelling and believe the paper is an interesting experiment to practically prove the scientific result discovered by Bell Labs in the 1940s about information leakage by electromagnetic radiation. It is valuable that the authors discuss the feasibility of the attack on 100BASE-TX and 1000BASE-T and suggest countermeasures to protect against the attack.
Although the authors argue the practicality of the approach against more advanced technologies, the reviewers feel the need for real-world experiments to demonstrate the validity of these arguments and the feasibility of the attack in realistic scenarios. The countermeasures suggested by the paper sound reasonable (although not novel). However, such countermeasures might be costly and impractical in real-world settings.