2

I read in another post that wired traffic is not protected:

The only real additional threat that a malicious network administrator would pose, is that they have access to the wired side of the network also. On the wire, traffic is not protected by the same encryption (WEP/WPA/WPA2) that applies to the wireless connection. Anyone on the wire could then sniff your traffic as if it had been sent across an open (unprotected) network on the air.

If this is true, how would I know if someone is "on the wire?" I am referring to my laptop being plugged into my cable modem via ethernet cable and my apartment being a massive hotspot of wifi and ethernet. Can someone still snoop my connection if they are not physically connected to my modem?

user7149

2 Answers

4

To clarify, your question is about detecting a passive sniffer on the wire. Therefore I will not discuss detection of much noisier ARP spoofing MitM attacks.

Since a passive sniffer only "reads" packets without responding or modifying them, there is virtually no way to detect it. However, if you know the Ethernet cable length to your next hop, you can measure the distance using either hardware or the cable diagnostic testing software that is packaged with most modern network drivers. If the sniffer is beyond the next physical hop (beyond the uplink port of the access switch you connect to), then this technique is useless.

In the future, we may use quantum communications to ensure privacy on both ends of a link. A sniffer would have to both measure and observe the state of qubits traversing a link, which is impossible according to the Heisenberg Uncertainty Principle. They would be unable to re-transmit the proper qubit states on egress of its sniffing device.

The current day countermeasure to communicating across potentially compromised links is using encryption. HTTPS, SSH, SFTP, etc. are all protocols utilizing encryption, meaning if they were sniffed on the wire their contents would be useless to the attacker. It would be a jumbled, unreadable mess.

armani
  • If the wire and the switch are visible, a passive tap can be seen. So it's not undetectable. Anyone doing packet sniffing on another port and not doing ARP poisoning can only see his/her own traffic. A switch only routes traffic bound to it, not everyone's traffic like a hub (which hasn't been in common use for 20 years) – Steve Sether Jun 23 '15 at 04:54
  • Except that many switches (especially home routers) includes a single broadcast port for diagnostic purposes meaning that for this one port the device is acting as a hub. – David Scholefield Jun 23 '15 at 06:15
  • I don't think I've ever seen a home router with such a port... – user253751 Jun 23 '15 at 10:17
  • @SteveSether Of course if a tap is visible, you can detect it visually. Often, connections run through walls or are otherwise out of sight so it's not always a guarantee. – armani Jun 23 '15 at 14:27
  • @DavidScholefield I agree with immibis on that one, I've never seen home hardware with that capability. – armani Jun 23 '15 at 14:27
  • Dumping all data to a specific port is a feature of more expensive managed switches (as I said below). It also generally requires admin level access to enable it. – Steve Sether Jun 23 '15 at 15:06
  • So it sounds like if you're on an ethernet connection, the only way to snoop internet activity is by having a physical device to tap into the network. Do I have this correct? – user7149 Jun 23 '15 at 17:02
  • @user7149 No. ARP poisoning allows you to intercept traffic as well. This answer for some reason ignores ARP poisoning, which is very simple to do. – Steve Sether Jun 23 '15 at 17:21
  • Ok so ethernet connection is susceptible to ARP poisoning. So I'm still confused how an attacker can get into my network if I am plugged into my modem via ethernet and using Tor browser and VPN. Is it safer to surf via wifi with WPA2 protection, rather than just using ethernet? – user7149 Jun 23 '15 at 17:33
  • I believe the Draytek Vigor range of home ADSL routers have diagnostic ports that are not 'switched' but act as broadcast hubs see http://www.draytek.co.uk/products/business/vigor-2860#9-specification which are used in homes in the UK quite regularly (hence the links on google to setting them up with BT infinity). Just for completeness.. – David Scholefield Jun 23 '15 at 17:52
  • @SteveSether My answer specifically ignores ARP poisoning MitM since, as my first sentence explains, the question was about passive sniffing *ON THE WIRE*. Perhaps the OP isn't aware of all the ways an Ethernet connection's transmissions are susceptible to interception, but that is not what is being asked here. – armani Jun 23 '15 at 19:13
  • I really am not aware of all the vulnerabilities with Ethernet connection. @SteveSether, I'd love it if you could explain more. I want to know whether I'm doing the right thing by choosing ethernet over wifi. – user7149 Jun 23 '15 at 19:49
  • @armani The question is about a user being concerned about people intercepting traffic in his apartment building. That includes ARP poisoning. – Steve Sether Jun 23 '15 at 21:04
  • @user7149 If someone were able to get access to a machine in your network (a printer, a refrigerator connected to your network, a TV, etc), they could perform ARP poisoning and listen to traffic on your network. That's why people are concerned about all these unpatched devices, like a TV that can act as a platform for attackers to gain more access to your network. Thus a good reason to use SSL whenever possible. – Steve Sether Jun 23 '15 at 21:08
  • Ok, thank you so much for that. This explains a lot. I have people accessing my apt all the time so I bet they used my printer and router/modem to initiate these mitm attacks. Just curious, how do they go about this? Do they plug up a computer to my network devices to do the ARP poisoning? – user7149 Jun 24 '15 at 02:36
2

In an environment like an apartment building, the main threat would be ARP poisoning. There's a variety of tools to detect this threat, better covered in this SE question reply

The other, less likely attack scenario would be through a switch that supports dumping all traffic to a monitoring port. This would require a switch that supports this feature (generally more expensive managed switches), and administrative access to the switch. There's also commercially available taps that would allow someone with physical access to the switch to sniff traffic.

As far as detection goes, the physical taps could be seen on the switch. To detect monitor mode on a managed switch would require administrative access to the switch to see if it's enabled.

Steve Sether
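As an added example (not from either answer), here is one way a host on the apartment LAN could apply the ARP-poisoning detection idea from this answer on its own: take a trusted snapshot of the neighbour table, then compare later snapshots for a changed gateway MAC or one MAC answering for several IPs. The `ip neigh`-style snapshots, the interface name and the addresses are all constructed for the example.

```python
"""Spot signs of ARP poisoning by diffing snapshots of the host's ARP/neighbour table.

Heuristics: the gateway's MAC should not change, and one MAC should not suddenly
claim several IPs. Input is text in the format printed by `ip neigh` on Linux.
"""
import re
from collections import defaultdict

# Matches "192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE"; entries without lladdr are skipped.
NEIGH_RE = re.compile(r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17})", re.I)

def parse_neigh(text):
    """Map IP -> lower-cased MAC from `ip neigh` output."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def detect_arp_anomalies(baseline, current, gateway_ip):
    """Compare a trusted baseline snapshot with a later one; return a list of findings."""
    findings = []
    old_gw, new_gw = baseline.get(gateway_ip), current.get(gateway_ip)
    if old_gw and new_gw and old_gw != new_gw:
        findings.append(f"gateway {gateway_ip} MAC changed {old_gw} -> {new_gw}")
    for ip, mac in current.items():  # any other host whose MAC silently changed
        if ip != gateway_ip and ip in baseline and baseline[ip] != mac:
            findings.append(f"{ip} MAC changed {baseline[ip]} -> {mac}")
    by_mac = defaultdict(set)  # one MAC answering for several IPs is the classic sign
    for ip, mac in current.items():
        by_mac[mac].add(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} claims {len(ips)} IPs: {sorted(ips)}")
    return findings

# Constructed snapshots: a clean baseline, then one where a LAN host (think of the
# compromised printer from the comments) has started answering for the gateway's IP.
BASELINE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:30 STALE
"""
POISONED = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:30 STALE
192.168.1.40 dev eth0 FAILED
"""

if __name__ == "__main__":
    for f in detect_arp_anomalies(parse_neigh(BASELINE), parse_neigh(POISONED), "192.168.1.1"):
        print("ALERT:", f)
```

On a real host the baseline would be captured once while the network is known-good (for example `ip neigh show dev eth0`) and the check run periodically; a finding is a prompt to verify the gateway's MAC out of band, not proof by itself.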