Ghost in the ethernet optic

  • 221 points
  • 2 days ago

  • @rcarmo
  • Created a post
  • • 65 comments


@pabs3 2 days

Replying to @rcarmo 🎙

I wonder if it is GPL compliant, including the ability to update the Linux kernel/etc.



@kloch 2 days

Replying to @rcarmo 🎙

There are two main uses for this kind of thing.

- Legit: debugging/monitoring. Other legit uses are theoretically possible but the device has severe limitations that likely make them impractical or unwise.

- Surreptitious: This is clearly where the value proposition of this device lies. An optic could be "unknowingly" swapped out on an interesting link to snoop on or infiltrate a network.

Swapping out optics in a large network is not uncommon as they do fail. More often they are swapped out as a troubleshooting step where the original optic may not even be bad. This way log messages indicating link flap and replacement of an optic could likely go unnoticed.

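An added example, not part of the thread or the linked write-up: one way to keep a swapped optic from going unnoticed is to record each port's transceiver identity from the SFF-8472 A0h EEPROM page and compare it on every poll. It assumes the first 96 bytes of that page have already been read from each module by whatever means the platform offers; the port names, vendor strings and serial numbers below are constructed sample data.

```python
# SFF-8472 A0h page: byte ranges of the ASCII identity fields.
FIELDS = {"vendor": (20, 36), "part_number": (40, 56),
          "serial": (68, 84), "date_code": (84, 92)}

def parse_identity(page: bytes) -> dict:
    """Decode identity fields and verify CC_BASE (63) and CC_EXT (95)."""
    if len(page) < 96:
        raise ValueError("need the first 96 bytes of the A0h page")
    ident = {name: page[a:b].decode("ascii", "replace").strip()
             for name, (a, b) in FIELDS.items()}
    ident["checksum_ok"] = (sum(page[0:63]) & 0xFF == page[63]
                            and sum(page[64:95]) & 0xFF == page[95])
    return ident

def audit(baseline: dict, current: dict, approved=frozenset()) -> list:
    """Compare each port's optic with the recorded one; return findings.

    `approved` holds ports with a change record covering the swap."""
    findings = []
    for port, page in sorted(current.items()):
        ident = parse_identity(page)
        seen = (ident["vendor"], ident["part_number"], ident["serial"])
        if not ident["checksum_ok"]:
            findings.append((port, "checksum"))
        if port not in baseline:
            findings.append((port, "no-baseline"))
        elif seen != baseline[port] and port not in approved:
            findings.append((port, "changed"))
    return findings

def build_page(vendor, part_number, serial, date_code) -> bytes:
    """Construct a sample A0h page (test data only, not a real module)."""
    page = bytearray(96)
    page[0] = 0x03  # identifier: SFP
    for name, text in zip(FIELDS, (vendor, part_number, serial, date_code)):
        a, b = FIELDS[name]
        page[a:b] = text.ljust(b - a).encode("ascii")
    page[63] = sum(page[0:63]) & 0xFF
    page[95] = sum(page[64:95]) & 0xFF
    return bytes(page)

# Constructed inventory: port2 now reports a different serial number.
BASELINE = {"port1": ("EXAMPLE", "EX-1G-LX", "SN0001"),
            "port2": ("EXAMPLE", "EX-1G-LX", "SN0002")}
CURRENT = {"port1": build_page("EXAMPLE", "EX-1G-LX", "SN0001", "220101"),
           "port2": build_page("EXAMPLE", "EX-1G-LX", "SN9999", "220301")}

if __name__ == "__main__":
    for port, reason in audit(BASELINE, CURRENT):
        print(port, reason)
```

The identity fields live in EEPROM that is writable on many modules, so a match is not proof that the optic is the original. A mismatch with no change record is the signal worth alerting on.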


@jauer 2 days

Replying to @rcarmo 🎙

Things like this have been around for nearly (at least?) 10 years, but are not well-known outside of spaces that care about telco-style demarc & OAM systems.

An example from ~2012 would be the RAD MiNID which is available in a handy "sleeve" format where you can use your normal SFP with the smart SFP.

Pretty cool to see a writeup of this sort of thing (and increased vendor representation).



@w7 2 days

Replying to @rcarmo 🎙

Last year on another transceiver (QSFP28) teardown[0] I was surprised to find out that transceivers not marketed as "smart" also have SOCs inside them to regulate internal temperature. I had always thought the devices were "dumber" and never bothered to look inside.

So programmable CPUs in your transceivers might be more common than one would think.

[0] https://twitter.com/kwf/status/1470508119725805570



@mmastrac 2 days

Replying to @rcarmo 🎙

While researching EEPROM flashing on AliExpress SFPs, I discovered that many of these do support SSH. I suspect that even the smaller ones might have tiny Linux onboard.

Example:

https://forum.mikrotik.com/viewtopic.php?t=116346

https://github.com/hwti/G-010S-A



@snickmy 2 days

Replying to @rcarmo 🎙

(random thought) It surprises me how, despite working in the tech industry for over 15 years now, I struggled in following the details of this blog post (which is well written). It's so impressive how things got very complex over time, and how verticalized the role of an Engineer is becoming.



@CountDrewku 2 days

Replying to @rcarmo 🎙

Yeah I feel like this would be mostly used for nefarious purposes since it wouldn't be obvious it was there. Other than that I can't think of any way that it's better than just a raspberry pi.



@NavinF 2 days

Replying to @rcarmo 🎙

Fascinating! Tho I can’t think of that many use cases where a 1G hub and raspberry pi can’t do the job.



@ale42 2 days

Replying to @rcarmo 🎙

This seems so nice for NSA-like implants...



@userbinator 2 days

Replying to @rcarmo 🎙

What caught my eye was the pixelated serial numbers. Also, the fact that the part and serial numbers are plainly visible in a few pictures, but not others.



@rytill 2 days

Replying to @rcarmo 🎙

He said

> But such a feature could also be used to create a fake 169.254.169.254 (AWS/Cloud metadata IP address endpoint) and serve requests from it.

Wouldn’t such a thing be impossible if the application is using end-to-end encrypted requests to AWS?



@ptsneves 2 days

Replying to @rcarmo 🎙

I am surprised they used Debian and not Yocto or Buildroot, for an embedded device. Would anyone speculate on why Debian would be preferred?



@phoronixrly 2 days

Replying to @rcarmo 🎙

I find this very interesting. Most of my concerns with using this would be alleviated if I was able to flash my own image onto the SFP, e.g. an OpenWrt installation. (Disclaimer: no offence to the people that produce this product, I'm an equal opportunity closed source firmware avoider:)

The author mentions that 'In a more premium software package for the smart-sfp you can configure ERSPAN sessions with filters'. Selling a more expensive software package for the SFP would be a reason to lock it down and prevent others from offering competing (including open-source) software.

Another interesting aspect is the communication with the programmable logic. What is implemented in the FPGA? Is it purely signal processing? Is there packet inspection and filtering? Could the communication between the CPU and the FPGA be reverse engineered to provide a driver?

Edit: Ben, do you plan on playing around some more with these to find out if they can be hacked to run your own OS?



@winniejinping 2 days

Replying to @rcarmo 🎙

Also there are SFP ONU modules for GPON/EPON, I've been using one (with RTL9601C chipset) for a year and it works great, fiber cable directly to the router or switch, no more shitty ISP ONU & router.


