Sniffing my neighbour's FTTH
Some time ago, roughly a year after My Game of Trojans in the ISACA Challenge, I started wondering whether my neighbour could analyse my FTTH traffic, and whether I could do the same, by finding a weakness in the GPON standard, which is the one most ISPs in Spain deploy and which shouldn't be confused with the EPON standard. In fact, this was mainly an excuse to study and learn how these networks work.
Why would I want to know whether I could sniff FTTH traffic? Because, after reading and talking with my workmates, we noticed that downstream traffic from the OLT arrives at every ONT in the neighbourhood. Therefore, if my downstream traffic reaches my neighbour's house, his downstream traffic reaches my house too. Upstream traffic, however, doesn't work the same way: upstream traffic from an ONT only arrives at the OLT. This is how P2MP (Point to MultiPoint) networks, such as MetroEthernet E-Line, can work. Is this illegal? Of course we shouldn't implement an ISP In The Middle (IITM) attack, but it is worth knowing what an evil neighbour could do.
[Figure: GPON Downstream Transmission]
[Figure: GPON Upstream Transmission]
First, I thought about spoofing. How could we spoof an ONT? For the registration process between an OLT and an ONT, we would need the Serial Number (SN), or the SN plus password, of our neighbour's ONT. The password may be hardcoded in the ONT, but the SN is different for each ONT, although we could walk around our neighbour's house to get it. Besides, ISP engineers aren't used to asking for the SN when a new ONT is installed; instead they run an auto-discovery process on the OLT to find new ONTs and allow them. Anyway, we are interested in analysing our neighbour's traffic, not in spoofing his ONT.
The next step was to find out whether the traffic is encrypted. According to the GPON standard, ITU-T G.984.3, downstream is encrypted with the symmetric algorithm AES-128, while upstream isn't encrypted because it isn't needed. Can we decrypt the downstream traffic? What is the encryption process? Both the OLT and the ONT hold an MSK (Master Secret Key), which I think could be obtained by reverse engineering. However, we already know that an evil neighbour can't get upstream traffic, and it is the ONT that generates a plaintext data key (P) and produces a ciphertext data key (C), which is sent to the OLT, with the following formula:
C = AES-ECB(MSK, P)
Once the OLT has the ciphertext data key (C), it can recover, using the MSK, the plaintext data key (P) generated by the ONT:
P = AES-ECB^-1(MSK, C)
Therefore, from my point of view and to the best of my knowledge, an evil neighbour couldn't decrypt our FTTH traffic.
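The key exchange described above, as an added example (my own Go code, not anything from the standard or from an ONT/OLT vendor): the ONT wraps a fresh data key P under the MSK, the OLT unwraps it, and downstream payload is then protected in counter mode under P, which is the mode G.984.3 specifies. The MSK value and the counter-mode IV are constructed placeholders; the point is that an ONT which only ever sees downstream frames, and holds neither the MSK nor P, cannot turn them back into plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Constructed 16-byte MSK shared by OLT and ONT: an arbitrary demo value, not a
// real key (how the MSK gets into the ONT is outside this example).
var MSK = []byte("constructed-msk!")

// mustCipher builds the AES-128 block cipher for a 16-byte key (panics on a bad key).
func mustCipher(key []byte) cipher.Block {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return blk
}

// ONT side: draw a fresh 128-bit plaintext data key P and wrap it as C = AES-ECB(MSK, P).
// P is exactly one 16-byte block, so "ECB" here is a single raw AES block encryption.
func ontGenerateKey(msk []byte) (p, c []byte) {
	p, c = make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
	if _, err := rand.Read(p); err != nil {
		panic(err)
	}
	mustCipher(msk).Encrypt(c, p) // C goes upstream, which only the OLT receives
	return p, c
}

// OLT side: recover P = AES-ECB^-1(MSK, C) from the wrapped key.
func oltUnwrapKey(msk, c []byte) []byte {
	p := make([]byte, aes.BlockSize)
	mustCipher(msk).Decrypt(p, c)
	return p
}

// Downstream payload protection under the data key. G.984.3 uses AES-128 in counter
// mode; the 16-byte iv here is a constructed stand-in for its frame counter. CTR is
// symmetric, so the same call encrypts a frame at the OLT and decrypts it at an ONT,
// and a neighbour feeding it a key that is not P only gets keystream garbage back.
func ctrXOR(key, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(mustCipher(key), iv).XORKeyStream(out, in)
	return out
}
```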
On the other hand, while studying and reading about GPON, I was reminded of how Time Division Multiple Access, or TDM, works, which most FTTH deployments use, although ISPs today offer up to 300 Mbps with Statistical Time Division Multiplexing, or STDM. However, the future is to deploy P2P (Point to Point) networks with Wavelength Division Multiplexing, or WDM, like Next Generation PON 2 (NG-PON2), which uses Time and Wavelength Division Multiplexing, or TWDM, and is more secure because traffic reaches only the intended ONT.
Regards, my friends, and remember: your FTTH traffic is in your neighbour's house too.