Hyunjun An
Gigabit Passive Optical Networks (GPON), an ITU-T standardized technology adopted in FTTH networks, supports downstream payload encryption to protect subscribers’ traffic. Unfortunately, encryption does not cover all access layer metadata. This poster presents a preliminary analysis demonstrating that the Payload Length Indicator (PLI), which remains in plaintext in GEM headers, can be exploited as a side channel to infer streaming activity. Using a GPON downstream simulator, we demonstrate that PLI traces are highly consistent across repeated runs of the same Youtube video and suggest that a passive attacker on the same optical splitter as the victim could potentially infer a victim’s streaming activity (e.g., Youtube video identification).
As Fiber Internet is widely deployed, it is important to ensure user traffic confidentlity. However What happen if an adversary can sniff neightbor's traffic without any access to neightbor's wifi, device and what adversary need to do is just to receive optical signals in their house?
All datasets used is publicly available on our git
1. How did you come up with GPON Side-Channel?
I always have a interest in GPON Networks; So I have a experience to see Real GPON Infrastructure.
I read a paper about side channel attack in LTE.
Inpired by that paper, I have a question; If this type of attack can be apllied to GPON Networks, What will happen? The answer is: You can sniff your neighbor's traffic to see what they are watching without any access to your neighbor's device(e.g. injecting backdoor to neighbor's wifi or device). All you need is just same ISP's optic line as your neightbor and fiber cable and downlink-only FPGA. You don't need to move out home. Furthermore there's no way for ISP, detective to detect downlink-only FPGA. (Strictly speaking, ISP can detect fiber signal loss if the adversary use splitter to use his ONU stimulaneously but they can not find out whether it is stem from FPGA spilitter or other cause)
2. What is the original purporse of PLI?
PLI helps ONT/ONU to delineate GEM frames within GTC payload. The length helps ONT/ONU to estimate where end of a GEM Frame is.
3. What challenges do you expect when experimenting on Real-World GPON Testbed?
The big challenge I expect is DBA Traffic Scheduling. So we have to do experiments where many ont's registered and there are continuos traffic flows of other ont out of experiment
2026. 04. 25.
Correction on Reference Section
Before:
[4] ITU-T. 2020. Gigabit-capable passive optical networks (GPON): Transmission convergence layer specification Amendment 1. https://www.itu.int/rec/dologin_ pub.asp?lang=e&id=T-REC-G.984.3-201401-I!!PDF-E&type=items
After:
[4] ITU-T. 2020. Gigabit-capable passive optical networks (GPON): Transmission convergence layer specification Amendment 1. https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-G.984.3-202003-I!Amd1!PDF-E&type=items
I mistakely put old URL. I actually cited ITU-T G.984.3 Amendment (2020) but I put URL of 2014 version. (Wrong URL)
Please contact by my Email: anhyunjun@acm.org
Feel free to contact me :)
We welcome any critical review, discussion, unique viewpoint
[1] Sangwook Bae, Mincheol Son, Dongkwan Kim, CheolJun Park, Jiho Lee, Sooel Son, and Yongdae Kim. 2022. Watching the Watchers: Practical Video Identification Attack in LTE Networks. In 31st USENIX Security Symposium (USENIX Security ’22). USENIX Association, 1307–1324. https://www.usenix.org/conference/usenixsecurity22/presentation/bae
[2] EXXN Engineering. 2026. Introduction of GPONDOCTOR. Retrieved March 27, 2026 from https://www.exxn.es/en/gpondoctor
[3] Hyunjun An. 2025. Research Archive for GPON PLI side-channel dataset and simulator. Retrieved Mar 27, 2026 from https://gpon.anhyunjun.com
[4] ITU-T. 2020. Gigabit-capable passive optical networks (GPON): Transmission convergence layer specification Amendment 1. https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-G.984.3-202003-I!Amd1!PDF-E&type=items
[5] MT2 Company. 2026. Introduction of PON Analyzer. Retrieved March 27, 2026 from https://www.mt2.fr/pon-analyzer-niva/
[6] Xiyuan Zhang, Gang Xiong, Zhen Li, Chen Yang, Xinjie Lin, Gaopeng Gou, and Binxing Fang. 2024. Traffic spills the beans: A robust video identification attack against YouTube. Computers & Security 137 (2024), 103623. doi:10.1016/j.cose.2023. 103623
[7] Reddit. 2024. AT&T Fiber Buildout Question. Retrieved April 29, 2026 from https://www.reddit.com/r/ATTFiber/comments/1ew0hun/att_fiber_buildout_question/
[8] CNET. 2014. Google’s fiber effect: Fuel for a broadband explosion. Retrieved April 29, 2026 from https://www.cnet.com/tech/services-and-software/googles-fiber-effect-fuel-for-a-broadband-explosion/