Man in the Middle Attack
What is a Man in the Middle Attack?
A man in the middle attack is an eavesdropping technique in which the attacker positions themselves between a user and the application they are communicating with. In some cases the attacker only listens; in others they impersonate the application to the user (and the user to the application), relaying traffic in both directions so that the victim never realizes they are not talking to the real application.
In all cases the end goal is the same: to steal sensitive information, whether passwords, financial details, or other personal data. Man in the middle (MitM) attacks are widespread; some estimates attribute as many as a third of all attacks to MitM techniques.
The attacker must stay invisible to the victim for a MitM attack to succeed. That may sound difficult, but attackers have become adept at exploiting weaknesses in network protocols and internet technologies, and at building convincing copies of the applications they target.
How a Man in the Middle Attack Works
A Man in the Middle attack has two phases: the interception phase, in which the victim's traffic is redirected through a point the attacker controls, and the decryption phase, in which the attacker defeats or bypasses the TLS (formerly SSL) encryption that should have made the intercepted traffic unreadable, for example by presenting a fraudulent certificate, downgrading the connection to plain HTTP, or stealing the session token the encrypted connection carried.
In the interception phase, the attacker inserts themselves into the path between victim and application, usually by making something the attacker controls (a hotspot, a DNS answer, a network device) look legitimate. Common techniques:
- Wi-Fi spoofing: The attacker sets up a free, legitimate-looking public Wi-Fi hotspot, for example one named “CoffeeShopPublicWifi” in a coffee shop. Because the attacker operates the hotspot, every packet the victim sends passes through the attacker's gateway: unencrypted traffic can be read outright, and encrypted traffic is now positioned for the decryption techniques described below.
- DNS spoofing: The attacker compromises a DNS server (or the DNS settings of the victim's router), or poisons a resolver's cache with forged responses, so that lookups for a legitimate hostname return an IP address the attacker controls. These attacks are harder to carry out, but they pay off because every client that relies on the poisoned resolver is redirected, not just a single victim.
- IP spoofing: The attacker forges the source address in IP packet headers so that traffic appears to come from a trusted host. On its own this does not redirect the victim's requests; it is used to impersonate a trusted peer or to inject packets into an existing connection (for example to reset or take over a session), and is typically combined with one of the other techniques listed here.
- ARP spoofing: Every network interface has a unique hardware identifier, the Media Access Control (MAC) address, and the Address Resolution Protocol (ARP) is how devices on a local network learn which MAC address belongs to a given IP address. ARP has no authentication, so an attacker on the same network can send forged ARP replies claiming that the gateway's IP address belongs to the attacker's MAC. The victim then sends its traffic to the attacker, who forwards it on to the real gateway so that nothing appears broken.
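The ARP spoofing technique above has a well-known detection counterpart: watch ARP replies and alert when an IP address that was bound to one MAC is suddenly claimed by another. The following is an added example written for this article, not code from the original page; the ARP replies it processes are constructed sample data standing in for records pulled from a packet capture, and the addresses are placeholders.

```python
"""Added example, not code from the original article: a small ARP-spoofing
detector that works the way tools such as arpwatch do.  It records the first
MAC address seen claiming each IP and alerts when a later ARP reply claims the
same IP for a different MAC.  The replies below are constructed sample data,
standing in for records pulled from a packet capture."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float        # seconds since start of capture (constructed)
    sender_ip: str   # IP address the reply claims to own
    sender_mac: str  # MAC address the reply says that IP belongs to


class ArpWatch:
    def __init__(self, gateway_ip, trusted=None):
        # Seed with known-good bindings where you have them (e.g. the gateway);
        # otherwise the first reply seen for an IP is treated as the truth,
        # which is wrong if the spoofing started before monitoring did.
        self.gateway_ip = gateway_ip
        self.table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.macs_per_ip = defaultdict(set)
        self.alerts = []

    def observe(self, reply):
        """Returns an alert tuple if this reply contradicts the known binding."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        self.macs_per_ip[ip].add(mac)
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return None
        if known == mac:
            return None
        severity = "critical" if ip == self.gateway_ip else "warning"
        alert = (severity, reply.ts, ip, known, mac)
        self.alerts.append(alert)
        return alert

    def ips_claimed_by(self, mac):
        """One MAC claiming several IPs is another classic spoofing sign."""
        mac = mac.lower()
        return sorted(ip for ip, macs in self.macs_per_ip.items() if mac in macs)


# Constructed sample: a real gateway, a victim, and an attacker at .66 who at
# t=5 claims both the gateway's and the victim's IP to sit between them.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    ArpReply(0.5, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    ArpReply(1.0, "192.168.1.66", "de:ad:be:ef:00:66"),
    ArpReply(5.0, "192.168.1.1",  "de:ad:be:ef:00:66"),
    ArpReply(5.0, "192.168.1.20", "de:ad:be:ef:00:66"),
    ArpReply(6.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # real gateway replies again
]


def run_sample():
    watch = ArpWatch(gateway_ip="192.168.1.1")
    for reply in SAMPLE_REPLIES:
        watch.observe(reply)
    return watch.alerts, watch.ips_claimed_by("de:ad:be:ef:00:66")


if __name__ == "__main__":
    alerts, claimed = run_sample()
    for severity, ts, ip, known, seen in alerts:
        print(f"[{severity}] t={ts}: {ip} was {known}, now claimed by {seen}")
    print("IPs claimed by de:ad:be:ef:00:66:", claimed)
```

Two design points matter in practice. First, the detector trusts whatever binding it sees first, so on a network that is already being spoofed when monitoring starts it will learn the attacker's MAC as the gateway; seed the table with static, verified bindings for critical hosts via the `trusted` argument. Second, the attacker claiming both the gateway's and the victim's address is the signature of a full two-way intercept, which is why the `ips_claimed_by` check is worth running alongside the per-IP alerts.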
SSL and its successor TLS are meant to keep sensitive data confidential and to prove that the client is talking to the genuine server (SSL itself is deprecated and should no longer be offered). Attackers rarely break the cryptography; they exploit weak configurations and the trust decisions that users and clients make. The most common approaches:
- HTTPS spoofing: When the victim opens a secure connection, the attacker presents a certificate for the target domain that was not issued by a trusted certificate authority (self-signed, or signed by a CA the attacker controls). If the client accepts it, because the user clicks through the certificate warning or because a rogue root CA has been installed on the device, the attacker terminates the TLS connection, reads and can modify everything, and re-encrypts it to the real application.
- SSL session hijacking: Once the victim has logged in, the attacker captures the session token (typically a cookie) that the application issued over the intercepted connection and presents it from their own machine. The application treats the session as already authenticated and does not re-run the login, so a stolen post-login session sidesteps MFA entirely; this is why session hijacking is a standard example of how attackers get around MFA.
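The session hijacking point is easy to state and easy to get wrong in a real application, so here is an added example (written for this article, not code from the original page) that shows it end to end: a toy login that checks a password and an OTP, issues a session token, and then accepts that token from whoever presents it; beside it, the same store with the session bound to the client that passed MFA. The users, OTP code and client contexts are constructed sample data, and "client context" stands in for something the server can observe about the connection, such as a TLS client certificate or a device-bound key.

```python
"""Added example, not code from the original article: a toy login server
showing why a stolen session token bypasses MFA, and the effect of binding the
session to the client that passed MFA.  Users, OTP codes and client contexts
are constructed sample data; 'client context' stands in for what a real server
can observe about the connection, such as a TLS client certificate or device
key (a source IP is a weaker choice, see the note below)."""

import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, generated here

# Constructed test users; a real system stores a password hash and a TOTP seed.
USERS = {"alice": {"password": "correct horse battery", "otp": "123456"}}


class SessionStore:
    def __init__(self, bind_to_client):
        self.bind_to_client = bind_to_client
        self.sessions = {}  # session id -> (user, client binding or None)

    def _binding(self, client_ctx):
        # Keyed hash so the raw client context is never stored server-side.
        return hmac.new(SERVER_KEY, client_ctx.encode(), hashlib.sha256).hexdigest()

    def login(self, user, password, otp, client_ctx):
        """Password then OTP (the MFA step); on success issue a session id."""
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        if not hmac.compare_digest(rec["otp"], otp):
            return None
        sid = secrets.token_urlsafe(32)
        binding = self._binding(client_ctx) if self.bind_to_client else None
        self.sessions[sid] = (user, binding)
        return sid

    def request(self, sid, client_ctx):
        """Authenticates a request by session id; returns the user or None."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, binding = entry
        if binding is not None and not hmac.compare_digest(binding, self._binding(client_ctx)):
            # Token presented from a client other than the one that passed
            # MFA: treat it as stolen and revoke it.
            del self.sessions[sid]
            return None
        return user


def demo():
    """Victim logs in with password + OTP; attacker replays the captured cookie."""
    victim_ctx = "device-key:victim-laptop"      # constructed
    attacker_ctx = "device-key:attacker-box"     # constructed
    results = {}
    for name, bind in (("unbound", False), ("bound", True)):
        store = SessionStore(bind_to_client=bind)
        sid = store.login("alice", "correct horse battery", "123456", victim_ctx)
        results[name] = store.request(sid, attacker_ctx)
    return results


if __name__ == "__main__":
    print(demo())  # {'unbound': 'alice', 'bound': None}
```

The unbound store is what most web frameworks give you by default: the cookie is the whole proof of identity, so MFA is only as strong as the secrecy of that cookie. What you bind the session to matters. Binding to the client's source IP does not help against the MitM scenarios on this page, because an attacker on the victim's network egresses from the same address; binding to a key the attacker cannot read off the wire, such as a TLS client certificate or a device-bound key, does. Short session lifetimes and re-prompting for MFA before sensitive actions limit the damage further.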
Examples of Man in the Middle Attacks
Here are some examples of how the above methods present themselves in real-world attacks:
- An attacker sets up a website identical to the target website or application, in this example a bank, and uses DNS spoofing to send legitimate requests for the bank's hostname to the fake. A victim who enters their password on the fake site hands it to the attacker, who can then log in to the victim's account on the bank's real site.
- An attacker sits in a public place and runs a Wi-Fi hotspot that victims connect to. With a packet sniffer, the attacker can read any unencrypted traffic on the network directly, and can use the decryption techniques described above against the encrypted traffic the victim sends.
- An attacker on a public network sends forged ARP replies that tell the victim's device the attacker is the gateway, and tell the gateway the attacker is the victim. No weakness on the victim's device is required; all of the victim's traffic now passes through the attacker's machine, where the attacker is free to inspect or alter it.
How to Protect Yourself from Man in the Middle Attacks
- Eliminate passwords: The surest way to stop attackers stealing your passwords is to have none to steal. A credential that is never typed cannot be captured by a fake login page or a sniffed connection, and phishing-resistant passwordless authentication (for example FIDO2/WebAuthn) ties the login to the genuine site's origin, so a look-alike site cannot complete it. Learn more about passwordless authentication and keep your most critical applications secure.
- Steer clear of unprotected hotspots: Free open Wi-Fi is convenient, but it has no link-layer encryption and you have no way of knowing who runs it. If you must use one, keep it to casual browsing that involves no credentials or personal information.
- Ensure you connect over HTTPS: HTTPS can be attacked in the ways described above, but it is far more secure than a plain HTTP connection. Never click through a certificate warning (“certificate mismatch”, untrusted issuer, expired certificate) to reach a site. Such errors are usually misconfiguration rather than an attack, but a fraudulent certificate looks exactly the same from the user's side, so it is better to be safe than sorry.
- Protect your device from malware and activate a firewall: Keep antivirus software installed and up to date, and turn on the firewall built into your operating system. Many MitM attacks rely on malware on the victim's device, for example to install a rogue root certificate or change DNS settings.
- Change the admin password on your router: Router administration interfaces frequently ship with default credentials, and an attacker who gets into the settings can change the DNS servers used by every device behind the router. Change the admin password (and the username, if the router allows it), and turn off remote administration and any other functionality you don't need.
With Man in the Middle attacks so common, take these steps now to protect yourself and remove the opportunity for attackers to get between you and your applications.
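The HTTPS spoofing attack described earlier and the advice above about certificate warnings come down to one client-side decision: does the client verify the server's certificate and fail closed, or does it accept whatever it is handed? The following is an added example for this article, not code from the original page. It shows a correctly configured TLS client in Python's standard `ssl` module next to the insecure shortcut that silences a "certificate mismatch" error, plus a fetch routine that reports a verification failure rather than retrying with a weaker setting. Host names are placeholders; the fetch requires network access and is not exercised offline.

```python
"""Added example, not code from the original article: a strict TLS client
context beside the insecure anti-pattern, and a fetch that fails closed on
certificate errors.  Uses only Python's standard library."""

import socket
import ssl


def strict_context():
    # The default context already verifies the chain and the host name; the
    # remaining settings are restated so the intent is explicit and reviewable,
    # and the version floor refuses a downgrade to TLS 1.0/1.1.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def insecure_context():
    # The anti-pattern: makes the warning go away by trusting any certificate
    # for any name, which is exactly what an HTTPS-spoofing attacker needs.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx):
    """Checks the three settings that decide whether interception is detected."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def fetch_head(host, port=443, timeout=5):
    """HEAD request over TLS.  A certificate error is reported and the
    request is NOT retried with insecure_context()."""
    ctx = strict_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
                return tls.recv(4096).decode(errors="replace")
    except ssl.SSLCertVerificationError as e:
        # Either the server is misconfigured or someone is in the middle;
        # from here they look identical, so stop and investigate.
        return f"REFUSED: certificate verification failed for {host}: {e.verify_message}"


if __name__ == "__main__":
    print("strict context safe:", context_is_safe(strict_context()))
    print("insecure context safe:", context_is_safe(insecure_context()))
    print(fetch_head("example.com"))  # placeholder host
```

The `context_is_safe` check is the kind of assertion worth putting in a test suite or a code review rule: searching a codebase for `CERT_NONE`, `check_hostname = False`, or their equivalents in other libraries (`verify=False` in `requests`, `-k` in `curl`) finds most of the places where an application has been taught to accept a fraudulent certificate.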