73

I'm an electrician doing a job at a secure site. The client is concerned that someone could plug an Ethernet over power (EOP) connection into the switch and then connect elsewhere in the building. Is this possible and if so, how can I prevent it?

The room is secure with a dedicated three-phase supply and no power circuits extend out of the room.

Peter Mortensen
phil
  • 1
    Network Engineering Stack Exchange is the right place for this question – Aug 11 '15 at 10:23
  • 5
    What does "dedicated 3 phase supply" mean? Does the room have its own transformer? PLCs cannot bridge transformers (AFAIK). – Philipp Aug 11 '15 at 10:46
  • @KagueiNakueka It might also be a problem for https://electronics.stackexchange.com because it's a problem with electrical installations. – Philipp Aug 11 '15 at 10:57
  • 33
    In all honesty, this is very much related to physical security. I'd be happy to have this question here on Sec.se – Lucas Kauffman Aug 11 '15 at 11:08
  • 2
    FWIW, I'd say this question definitely has a solid security aspect, although there may not be perfect answers to be had. – Rory McCune Aug 11 '15 at 11:54
  • 9
    Does your client have a threat model? There's a big difference between trying to stop Joe Schmoe from grabbing an off-the-shelf tool and James Bond trying to get data out surreptitiously. Many things which stop Joe Schmoe cold don't even faze Bond. Many things designed to thwart Bond are overly expensive to buy, maintain, and operate. – Cort Ammon Aug 11 '15 at 17:36
  • 1
    Is your network room protected by a dedicated UPS? It might already be filtering unneeded frequencies. – Brian Duke Aug 11 '15 at 20:23
  • 6
    If he's that worried about someone tapping into his network, he should be authenticating ports on his switches. – Johnny Aug 11 '15 at 21:31
  • 1
    While this is definitely an interesting question, I'm puzzled: **why does he care** if random people in the building build a network? Is _he_ using Ethernet over power for _his_ network? – o0'. Aug 12 '15 at 08:52
  • 4
    @Lohoris the worry is about building a stealthy backdoor into the server room over the power lines. – schroeder Aug 12 '15 at 19:20
  • @Lohoris It can be used to transmit information out of a secure area to another place where it can be intercepted. – reirab Aug 12 '15 at 21:26
  • 7
    Do they also disrupt WiFi and cellular networks? What about walking out with a USB stick full of data? If not, why would an attacker use EOP when simpler options are available? Feels like a red herring. – Schwern Aug 13 '15 at 05:29
  • I agree with @Schwern: unless he is also protecting against WiFi and cellular networks, this is entirely pointless. USB sticks instead are quite different, since it's not a persistent connection. – o0'. Aug 13 '15 at 08:29
  • 1
    @Lohoris A few of the comments on answers offered that a rogue WiFi network can be detected with a simple automatic scan, which is true, while EOP might go undetected. However, you could do the same thing with EOP if you plugged a scanning device into the circuit. – Schwern Aug 13 '15 at 19:44
  • 1
    @Schwern and neither of these methods can be used against a cellular network… – o0'. Aug 13 '15 at 19:53
  • 1
    If an adversary can get an unauthorized piece of hardware connected to your network within the secured area, then that is already a pretty significant breach of security. Trying to enumerate all the possible ways in which this device could communicate with the outside world might be futile. Here is what I can think of: power lines, WiFi, cellular, other radio communication, light, ultra sound, covert channel over Ethernet, sneakernet, or it might simply operate autonomously and not need communication. – kasperd Aug 16 '15 at 15:43

7 Answers

39

This is relatively simple if the two ends of the network path are either:

  • On two different phases of the building's 3-phase supply
  • From different power supply cabinets

It is possible to filter out the high frequency components that the signal uses, leaving only the 50 (or 60) Hz mains supply - in fact many power smoothing components do this by default. It is cheap and simple.

In this instance, because you have a dedicated phase, it becomes very easy. In reality very little signal crosses between phases. There could be some, but it will be minuscule. Filter high frequencies from either phase, and the likelihood of getting any signal on one of the other two is effectively zero. See my other answer at https://security.stackexchange.com/a/9728/485

The wider solution, however, is to define in policy or contract that this is not allowed, and then track down breaches of policy and do whatever is necessary - this may be disciplinary action. Detection of signal is relatively easy, as the frequency hopping signal is obvious to spot on a spectrum analysis - although as most Powerline uses encryption you may not be able to identify what the traffic is.

Rory Alsop
28

I am an electrical power engineer with a strong background in computers and IT. This is not an entirely unreasonable fear, but probably unlikely due to the fact you would need extensive physical access to pull this off. As mentioned, power line networking cannot pass through transformers. So ideally you should have a transformer in the secure space that will stop any rogue network signals from exiting the room. If you have 480V-3ph coming into the room, you will already have a step-down transformer. Otherwise you should install a 1:1 transformer, or potentially a 1:1 transformer for each phase, at the point where the circuit enters the room to prevent any signals leaving the room. A line filter could also be used to filter out the high frequency network signals. I have not seen a high power line filter for an entire feeder, but that doesn't mean it doesn't exist.

StackzOfZtuff
feik
  • A 1:1 transformer? Are they sold as this? Is there another name for them? – StackzOfZtuff Aug 11 '15 at 15:11
  • 10
    Two words for anyone who downplays the insider threat: "Edward Snowden". – Iszi Aug 11 '15 at 15:25
  • 25
    @Iszi: Is it really appropriate, on a site dedicated to information security, to use ugly terms like "insider threat" to smear a whistleblower who revealed serious, widespread violations of information security? – Mason Wheeler Aug 11 '15 at 15:31
  • 41
    @MasonWheeler It's not a smear at all. He was an authorized system administrator who pilfered and disclosed massive amounts of data beyond his authority - the very definition of an "insider threat", regardless of the outcome of his actions or the nature of his intentions. It's a simple matter of fact, which is pertinent to the discussion at hand. What character assessments may be made based on his actions are irrelevant to the truth of that fact, and also are not of interest to this discussion. – Iszi Aug 11 '15 at 15:33
  • 10
    @StackzOfZtuff Yes, 1:1 (one-to-one) transformers are out there but not overly common. They are primarily used to filter noisy power electronics or add inductance to a circuit. A common type of 1:1 transformer is an isolation transformer. We used these all the time in high voltage RF environments, they filter the noise and prevent high voltage shorts from traveling down the circuit and/or ground wires, thus the name isolation xfmr. – feik Aug 11 '15 at 15:40
  • 1
    @bkief 1:1 transformers are used quite often, but for different purpose which is galvanic isolation. – rkosegi Aug 11 '15 at 18:40
  • You can find lots of inexpensive (used) isolation transformers on ebay. They're *extremely* common for medical equipment, and often get replaced with the equipment, though they needn't be. – Fake Name Aug 11 '15 at 19:26
  • Don't count on an isolation transformer to block RF over powerlines -- I'm running a home powerline network across two legs of my 240V service feed and it works reasonably well -- I get around 25mbit (using adapters rated for 100mbit). I don't know if the signal is going through my service feed and through the power company's transformer, or through inductive coupling of wires in my walls, but it works. – Johnny Aug 11 '15 at 21:29
  • 1
    @Johnny I'll take your word for it that you are using opposite legs of your split-phase 240V service and getting a network setup, but a split phase transformer has a different design than an isolation transformer which makes it much more likely for a signal to pass across the two split legs. I highly doubt there is any signal on the high side of the transformer though. I have seen isolation transformers do an excellent job of blocking RF noise in power cables. – feik Aug 11 '15 at 21:50
  • @bkief - I've confirmed that they are opposite legs, the breakers that control the outlets are on opposite buses on the breaker panel. I'm skeptical that the signal is really traveling all the way outside through the service entrance up to and through transformer on the pole and back down the other leg, it's more likely that the lines are coupled since they run next to each other past the service panel which means that even a perfect isolation transformer won't help if the wires from different phases run next to each other. – Johnny Aug 11 '15 at 22:15
  • I hear that 1:1 mains transformers, also called isolation transformers, are often used for medical devices that plug into mains power. It may be easier to find the kind of transformers travelers use to plug North American devices into 2:1 mains transformers plugged into European walls, and plug European devices into 1:2 mains transformers plugged into North American walls; plugging a 1:2 transformer into a 2:1 transformer creates a combined device that is effectively a net 1:1 transformer. – David Cary Aug 11 '15 at 22:38
6

Perhaps the easiest way to mitigate this "issue" is to avoid running direct Mains voltage in sensitive areas.

I will assume first of all that your data center has a full Faraday Cage around the entire facility and your employees all wear tin foil hats when working on the servers. Since it is arguably easier to install a single Wifi AP on your network as opposed to two separate HomePlugs in your building.

Now back to the answer. All you really need to do is isolate the entire server room from the mains power using an AC-DC-AC bridge. This may sound like an insane expense, but you are likely to already have that in place. Many UPS designs are based on an AC-DC-AC bridge with the DC side hooked up to a bank of batteries.

"All" you have to do is move all the UPS equipment into a shielded room (with NO network access) and then rewire your server room to only be connected to the UPS directly.

Aron
  • wifi access points are noisy and detectable, EoP is silent and stealthy – schroeder Aug 12 '15 at 19:16
  • -1 for the second paragraph. Any attacker trying to get data out of a secure facility needs a transmission path. AC lines have been a common way for them to do so for decades (even back when it was usually just analog audio from a covert mic.) Also, secure installations usually do monitor for rogue Wi-Fi APs (which is often all Wi-Fi APs, since most high-security environments forbid Wi-Fi entirely.) – reirab Aug 12 '15 at 21:32
2

If he can bridge the switch with the EOP connection, he can also directly download the information on a flash drive. I would be more worried about that. There are even SD cards with built-in wireless capability.

Or he could just add any type of wireless router. This could even be on a non-standard frequency (like the ProxyHam that was in the news recently). The frequency could be from longwave (which would go through a Faraday cage without problems and would require really sophisticated magnetic shielding), shortwaves up to lightwaves (infrared). Wireless modules are very cheap and easy to set up.

Also note that ethernet over power has a very limited range due to design tradeoffs (the high data rate). If someone with electronics skills makes different tradeoffs, the range can be much larger.

A typical PLC module has 10W of output power. With this kind of power it is possible and very easy to set up a wireless link around the world (at the expense of the data rate).

Here is one guy who set up a connection over 20000km using only 5W of power (http://www.ft817.eu/qrp-long-path-qso-to-australia-5-watts-with-yaesu-ft-817/)

An AC/DC/AC UPS has no guarantee that it will filter out high frequency components.

Even if the UPS filters the frequencies, crosstalk between the input and output cables can couple the secure and public sides.

Propagation of electromagnetic waves is very very difficult to predict in practice. You could get a spectrum analyzer and prove that nothing propagates past your UPS (actually it is not that easy, because the signal could be below the noise floor), but when someone puts in electrical cables not connected to anything, they might bridge the systems through capacitive coupling.

If your customer really needs to be protected against a rogue transmitter (which could be PLC or anything described above), he needs to have a fully shielded room with a filter built-in directly into the shield.

https://en.wikipedia.org/wiki/Tempest_%28codename%29

If this is not required, not having any open network ports and padlocks and tamper evident seals on the equipment could be a cheap fix.

Edit:

I don't have the reputation to comment on the answers recommending a spectrum analyzer: I agree with those, but would like to add that it is not easy to find a clandestine signal on a spectrum analyzer for three reasons:

  • You are looking at an enormous frequency band. This band will have many thousands of frequencies from radio stations, switching power supplies, monitors and so on. Each emission will show up as multiple peaks on the spectrum analyzer due to intermodulation effects. Looking at the display, you will see tens of thousands of peaks, and each single one could carry out the information. You will have to positively identify every single one of them. This is not made easier by the fact that legitimate radio stations come and go all of the time, switchmode supplies change the frequency due to different loads etc. Even if you see a peak, you have no idea if it contains secret information. An LCD screen for example will create something that looks like harmless noise, but actually contains everything shown on the screen.

  • A clandestine emission can be hidden in the noise floor. If the attacker only wants to take out a small amount of data (1kb/s or so), the signal can be impossible to find.

  • The attacker can always use a timer to transmit only at night, when you are not looking at your spectrum analyzer.

tl;dr: it is impossible to check a signal for clandestine information content. The only way is to:

  • Build your Faraday cage with all the filters in the wall in place, but don't run the equipment.

  • Use a sensitive spectrum analyzer to see if you can receive any radio emission inside of your cage. (Not an easy measurement)

  • Apply a very strong signal to your power lines and see if it propagates through the filters.

  • Always keep in mind that there is a tradeoff in SNR/bandwidth and information rate. A sophisticated attacker can always penetrate any shield, all you can do is reduce the bandwidth of his channel with better filtering rate.

With signal processing it is possible to detect a beating heart in a collapsed building (developed to search for earthquake victims). How do you prevent the attacker from moving out signals by mechanical vibrations? Changes in the air pressure? Changes in the power consumption of the equipment? A smart electricity meter can detect which TV program you are watching. To avoid this, you'd need to have a generator inside of your secure area (and always run it at constant power).

A better solution is to disable network ports and also lock power outlets. Have one for the cleaners and one for service technicians and put a padlock on when they are done. You can find all kinds of equipment searching for the keywords lockout/tagout.

[I don't work in computer security, but I deal with electromagnetic interference and radio communications. I know how difficult it is to shield unwanted signals. My recommendation is to do an analysis of the threats (protection against malicious data theft by a trained adversary with suitable resources, protection against stupidity) and then see what you can live with.

It makes no sense to use a shielded room if someone unsupervised can walk in and copy the data onto a flash drive.

If protection against malicious RF transmission is really an issue, you'll have to get an expert in the field and probably do heavy construction to do shielding, create a secure area around your Faraday cage and so on.]

guest
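A worked bound for the tradeoff in the answer's last bullet (added here; it is not part of the answer). For a channel of bandwidth $B$ and linear signal-to-noise ratio $\mathrm{SNR}$, the Shannon limit on the attacker's rate is

$$C = B \log_2\left(1 + \mathrm{SNR}\right).$$

A boundary filter that attenuates the band by $A$ dB leaves a received SNR of $\mathrm{SNR}\cdot 10^{-A/10}$. Once the residual SNR is well below 1 (the signal sits under the noise floor), $\log_2(1+x) \approx x/\ln 2$, so

$$C \approx \frac{B\,\mathrm{SNR}}{\ln 2}\,10^{-A/10},$$

i.e. every further 10 dB of attenuation divides the achievable rate by ten without ever bringing it to zero. Taking as an assumption a HomePlug-style band of $B = 28$ MHz (about 2 to 30 MHz) with an unfiltered in-band SNR of 40 dB gives $C \approx 28\times10^{6}\cdot\log_2(10^{4}+1) \approx 3.7\times10^{8}$ bit/s; adding 60 dB of attenuation (residual SNR of $-20$ dB, or $0.01$) gives $C \approx 28\times10^{6}\cdot 0.01/0.693 \approx 4\times10^{5}$ bit/s, still far above the 1 kb/s the answer mentions as enough for a slow exfiltration channel. The bound assumes an ideal receiver, so real rates are lower, but it makes the answer's point concrete: filtering shrinks the channel, it does not close it.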
1

A slightly different approach - search anyone entering the room for networking equipment, and don't allow it in. And storage devices, cameras, and other ways of copying information to be removed from the room.

Obviously you can combine this with filters on the power line, but if it's possible for someone to connect the machines inside the room to an unauthorized network and that's a problem, then it may equally be a problem if they carry in a networked disk drive and walk out with it later. (Or just stick a USB drive in, but you can physically block the USB ports. Of course if the machines inside don't need networking, you can block their network ports too.)

On the other hand, obviously it's expensive. But at the only Faraday caged isolated server room I've encountered, there was a guard on the door.

armb
  • 1
    (Of course it also assumes/requires that authorised users of the room will tolerate that sort of treatment.) – armb Aug 12 '15 at 11:01
  • Or do both. Layered security is a good thing. – reirab Aug 12 '15 at 21:34
  • That's why I said "Obviously you can combine this with filters on the power line" :-) – armb Aug 12 '15 at 21:37
  • And cameras? The last company that I worked at had a secure server room with full camera coverage. Seems like that, combined with a physical check, would mitigate a LOT. The problem is that the OP never really defined HOW secure this environment needs to be. As other posters have said, users might find this level of security intolerable. Then again, if I were doing work in the White House I'd expect something like this. – Rick Chatham Aug 13 '15 at 19:54
  • Though you then have the problem that if whatever is in the room is classified, anyone monitoring a live feed from the cameras has to be cleared to see anything that might become visible, and the feed is another thing that penetrates the room boundary to worry about. Recording cameras where the recording can be viewed inside the room (or some other secure location) if something needs to be reviewed later are another option, but don't help at the time. If it really has to be this secure, the OP probably isn't allowed to give details. – armb Aug 14 '15 at 13:48
  • (Cameras just monitoring the door so that if anything unwanted is later found you can check who might have left it are a lot cheaper than a guard though. Unless Tom Cruise is dangling from your air vents to avoid the door and cameras.) – armb Aug 14 '15 at 13:51
1

Is it possible?

Is it possible to transmit information over A/C power lines? Sure. Covert surveillance attackers have been doing varying versions of this for decades (long before Ethernet over Power came around.)

A covert surveillance attacker (i.e. a spy) needs three things to get information out of a secure facility:

  1. Something to collect the data (e.g. a microphone for audio, a camera for video, or a connection to the LAN in the case mentioned by the OP of an unauthorized connection to a secure network.)

  2. A transmission path leading out of the area being surveilled. This is your AC power line in this case, though other common examples include broadcast RF (anything from an FM radio transmitter to a Wi-Fi AP or station to Bluetooth, to frequency-hopping and/or spread-spectrum transmitters designed to avoid detection,) phone lines, Ethernet lines, lasers, IR blasters, modulated visible light, pipes, or even the steel support beams in your building. Note that the latter cases could be used as conductors in some cases, but they could also be used directly to transmit audio via pressure waves. A steel support beam that passes through a secure room will allow anyone who can access that beam to listen to everything going on in the room, for example.

  3. Access to the other end of said transmission path.

What to do about it?

The previous suggestions of installing filters or isolation transformers on the lines are good ideas, but you'd need to make sure the isolation is sufficient and that you have such isolation for every secure room.

Another possibility would be to insert a lot of broadband RF noise on the lines intentionally, especially if there are specific frequencies you're concerned about, such as those used for Ethernet over Power.

It would also be advisable to monitor the lines for RF frequencies (which obviously shouldn't be present on power supply lines.) This can be done by checking the lines with an RF spectrum analyzer that has an A/C power line probe. Several companies that specialize in counter-surveillance make these and lots more companies that create electronic test equipment for electrical engineers also make spectrum analyzers to which such a probe could be attached.

With a spectrum analyzer, you'll see a peak at the frequencies being used by the covert transmitter. You'll also see any other signals on the wire, such as noise created by large electric motors, for example. Basically, if you see anything that looks like an intentional RF transmission on an AC power line, that's a major concern and whoever is doing the monitoring will need to track it down.

Disclosure: I'm a software engineer at a company that makes counter-surveillance products, including RF spectrum analyzers.

reirab
  • The idea of intentionally inserting noise makes sense especially when combined with the other idea of a transformer. Insert the noise on the outside circuit. Any bug on the inside would need an exceptionally strong signal before filtering to overcome the noise after filtering. – MSalters Aug 13 '15 at 08:58
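Rory Alsop's answer (filter the high-frequency components, and the hopping signal is obvious on a spectrum analysis) and this answer (a peak on an AC line probe is the thing to chase) both describe the same check. As an added example, not code from the page or from any analyzer vendor, the Python below runs that check over constructed (frequency, dBm) bins of the kind a line probe would produce: it estimates the noise floor, flags anything standing well above it inside an assumed HomePlug-style band of about 2 to 30 MHz, and models what a second-order low-pass boundary filter would leave visible. The band limits, the filter model, the analyzer floor of -95 dBm and the sample bins are all assumptions.

```python
"""Added example (not from the page): flag powerline-network-style energy on a
mains feed from spectrum-analyzer bins, and model what a low-pass line filter
at the room boundary leaves behind.  All sample data below is constructed."""
import math
from statistics import median

# Assumed operating band of HomePlug-style adapters (roughly 2-30 MHz).
PLC_BAND_HZ = (2e6, 30e6)
# Assumed noise floor of the analyzer itself; nothing reads below this.
INSTRUMENT_FLOOR_DBM = -95.0

# Constructed (frequency Hz, power dBm) bins from an imagined line probe:
# the 50 Hz mains, some SMPS/motor noise at 500 kHz, and three raised
# carriers inside the PLC band standing in for an adapter's OFDM signal.
SAMPLE_BINS = [
    (50.0, 40.0),
    (1e5, -85.0),
    (5e5, -60.0),
    (1e6, -88.0),
    (2e6, -89.0),
    (3e6, -45.0),
    (5e6, -87.0),
    (10e6, -46.0),
    (15e6, -90.0),
    (20e6, -47.0),
    (25e6, -89.0),
    (30e6, -88.0),
    (35e6, -90.0),
    (40e6, -91.0),
]


def lowpass_attenuation_db(freq_hz, cutoff_hz, order=2):
    """Attenuation (dB, positive) of an idealised Butterworth low-pass.
    Near 50/60 Hz it is ~0 dB; in the MHz range it grows 20*order dB/decade."""
    ratio = freq_hz / cutoff_hz
    return 10.0 * math.log10(1.0 + ratio ** (2 * order))


def noise_floor_dbm(bins):
    """Robust floor estimate: the median bin power (a few peaks barely move it)."""
    return median(p for _, p in bins)


def find_plc_peaks(bins, margin_db=15.0):
    """Bins inside the PLC band standing margin_db or more above the floor."""
    floor = noise_floor_dbm(bins)
    lo, hi = PLC_BAND_HZ
    return [(f, p) for f, p in bins if lo <= f <= hi and p - floor >= margin_db]


def apply_filter(bins, cutoff_hz, order=2):
    """Model the spectrum seen on the room side of a low-pass line filter:
    each bin is attenuated, but never below what the analyzer can show."""
    return [
        (f, max(p - lowpass_attenuation_db(f, cutoff_hz, order), INSTRUMENT_FLOOR_DBM))
        for f, p in bins
    ]


if __name__ == "__main__":
    print("unfiltered floor %.1f dBm, in-band peaks: %s"
          % (noise_floor_dbm(SAMPLE_BINS), find_plc_peaks(SAMPLE_BINS)))
    filtered = apply_filter(SAMPLE_BINS, cutoff_hz=10e3)
    print("after a 10 kHz second-order filter, in-band peaks: %s"
          % find_plc_peaks(filtered))
```

The median floor is deliberate: a mean would be dragged up by the 50 Hz fundamental and by the carriers you are trying to find. The guest answer's caveat still applies to the unfiltered case: a transmitter run well under the floor, or only at night, will not show up in this kind of snapshot, which is why the filtering half matters as much as the monitoring half.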
0

Ethernet over Power is not your problem.

The problem is: People can connect devices to your switch and access your network! There are ways to prevent this, and this is what you should do.

Else, what if someone connects a Wifi Access point to the switch and connects to this network in another room in the building?

Or what if someone connects a small UMTS/LTE gateway to the switch and connects to the network from anywhere on the planet?

Or what if someone just installs a device that sniffs traffic and stores it and then later retrieves that device?

No one should be able to access this secure room, and no unknown device should be able to just connect to the network.

Josef
  • wifi access points are noisy and detectable, EoP is silent and stealthy. Technicians need access to the secure room. – schroeder Aug 12 '15 at 19:18
  • 1
    They could just be using it to transmit room audio or audio collected off of a phone tap, for example. – reirab Aug 12 '15 at 21:33
  • EoP creates so much radio interference, it's also easily detectable. But they can just as well use GSM/UMTS to transmit data or just store it in the room. Of course you can find a way to prevent EoP. It just won't change anything on your security in reality! As I said, EoP is not your problem. Don't fixate on this little detail. If you have a proper security strategy and all bases are covered, THEN maybe care about EoP, if it is still a problem (it likely won't be). If you plan a motorbike tour through the desert, would you take 15 spare axles because one might break before taking enough gas? – Josef Aug 13 '15 at 08:24
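This answer and Johnny's comment on the question ("he should be authenticating ports on his switches") both come down to the same control: the switch, not the power line, decides what joins the network. As an added example, not code from the page or from any switch vendor, the Python below is the detection side of that control, run over constructed syslog lines in the general shape an IOS-style switch with port security and 802.1X emits. The message formats are approximated from memory and should be checked against your own switch's message catalogue; the port inventory and the sample lines are constructed.

```python
"""Added example (not from the page): alert on unauthorised devices joining a
switch in a secured room, from port-security, 802.1X and link-state syslog.
Message formats are approximations; the inventory and log lines are constructed."""
import re
from dataclasses import dataclass

# Constructed inventory (assumption): ports in the secure room that must stay
# unused, so a link-up on any of them is itself worth an alert.
UNUSED_PORTS = {"GigabitEthernet1/0/7", "GigabitEthernet1/0/8"}

# Regexes approximating IOS-style syslog messages (check against your switch).
LINK_UP_RE = re.compile(r"%LINK-\d-UPDOWN: Interface (\S+), changed state to up")
PSECURE_RE = re.compile(
    r"%PORT_SECURITY-\d-PSECURE_VIOLATION: .*MAC address ([0-9a-f.]+) on port (\S+?)\.?$")
DOT1X_FAIL_RE = re.compile(
    r"%DOT1X-\d-FAIL: Authentication failed for client \(([0-9a-f.]+)\) on Interface (\S+)")

# Constructed sample log: one legitimate link-up, then an unknown device
# tripping port security on an unused port, then an 802.1X failure.
SAMPLE_LOG = """\
Aug 11 10:22:58 sw-secure-1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up
Aug 11 10:23:01 sw-secure-1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
Aug 11 10:23:04 sw-secure-1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/7.
Aug 11 10:25:10 sw-secure-1 %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface GigabitEthernet1/0/8 AuditSessionID 0A0A0A01000000010000A3D6
Aug 11 10:30:00 sw-secure-1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
""".splitlines()


@dataclass
class Alert:
    severity: str
    port: str
    reason: str
    mac: str = ""


def analyse_line(line):
    """Return an Alert for a line that indicates an unauthorised device, else None."""
    line = line.rstrip()
    m = PSECURE_RE.search(line)
    if m:
        # Port security saw a MAC outside the allowed set: the port is now
        # shut (with violation shutdown) and someone must go and look.
        return Alert("critical", m.group(2), "port-security violation: unknown MAC", m.group(1))
    m = DOT1X_FAIL_RE.search(line)
    if m:
        # A device presented itself on an authenticated port and was refused.
        return Alert("high", m.group(2), "802.1X authentication failure", m.group(1))
    m = LINK_UP_RE.search(line)
    if m and m.group(1) in UNUSED_PORTS:
        # Nothing should ever be plugged into these ports.
        return Alert("high", m.group(1), "link up on a port that should be unused")
    return None


def analyse_log(lines):
    """Alerts for every flagged line, in log order."""
    return [a for a in (analyse_line(l) for l in lines) if a]


if __name__ == "__main__":
    for alert in analyse_log(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.port}: {alert.reason} {alert.mac}".rstrip())
```

Feeding the switch's syslog to something like this turns "no unknown device should be able to just connect" from a policy statement into an event with a port number and a MAC address attached, which is what the person sent to look at the room actually needs. It does not by itself detect a device that only listens on a port already authorised for something else; for that the port has to be locked to the authorised MAC (or to an 802.1X identity) so that swapping the cable raises exactly the violation shown above.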