As you learn more about cyber attacks, you’ll sometimes hear about man-in-the-middle attacks. These attacks impact data as it travels from one computer to another, or from a computer to a networking appliance such as a wireless router. The computers could be PCs, mobile devices, IoT devices, servers or video game consoles; it doesn’t matter. Your computer thinks it’s sending data to an authorized entity.
A Man-in-the-Middle (MitM) attack occurs when a hacker secretly intercepts and possibly alters the communication between two entities. This type of attack can be used to steal sensitive information like login details or personal data, spy on the victim, or disrupt and manipulate the exchange of information. MitM attacks have been a concern since the early 1980s, with efforts continuously made to safeguard against them. For instance, when sending login information to an online banking site, there's a risk that these details could be intercepted without the sender or the bank realizing it. In essence, an MitM attack involves an unauthorized "man in the middle" positioned in the communication stream, covertly intercepting or tampering with the transmitted data.
The anonymous cyber attacker uses the intercepted connection to collect information, such as bank account details (in this scenario) or any private information belonging to you or your business. Because this type of attack is so stealthy, stopping it requires protections that are in place before the man in the middle ever shows up.
All about Man In The Middle (MITM) attacks
All kinds of data are sent between computing devices, especially on the internet. Data in transit travels over the air as WiFi radio signals, down coaxial or fiber optic cable, or over Bluetooth. TCP/IP, with its hundreds of assigned ports, is the backbone of the vast majority of networks, including but not limited to the internet. Some ports are well known, like ports 80 and 443 for the web or port 25 for sending email. Others are pretty obscure, like port 17 for “Quote of the Day” or 10823 for Farming Simulator 2011, a video game.
An MITM attack could affect any TCP/IP port, and it could be a malicious interception of any sort of network communication, including on internal networks. But the majority of man-in-the-middle attacks take place on the internet.
Why are MitM hacks so dangerous?
The risk of Man-in-the-Middle (MitM) attacks is heightened with the growing trend of business activities on open Wi-Fi networks. In sectors like banking, an attacker could intercept a transaction, altering the recipient's account details or the amount transferred. Additionally, these attacks are a means for cybercriminals to gather personal information or login credentials. Attackers might also use MitM attacks to distribute malware through seemingly legitimate updates. Mobile devices, which often don't use encrypted connections, are particularly vulnerable to such attacks.
The rapid expansion of Internet of Things (IoT) devices introduces additional risks for Man-in-the-Middle (MitM) attacks. Many IoT devices lack robust security measures, which could lead to an increase in such attacks. These vulnerabilities might result in the transmission of false data to organizations or incorrect operational commands to the devices. Furthermore, IoT devices are often more susceptible to attacks because they either do not use Transport Layer Security (TLS) or rely on outdated versions, which lack the security strength of the latest updates.
Types of Man in the Middle (MITM) attacks
WiFi eavesdropping is a very common type of MITM attack. Here’s one WiFi attack scenario: An attacker sets up a public, unencrypted WiFi access point. You’re sitting at the train station thinking, “I’d love to watch something on YouTube to kill time, but my cell connection here is terrible. Let’s look for some WiFi.” You find an SSID labeled “Toronto Transit Free WiFi.” Wow, how convenient! You connect to it. (Someone who sets up a WiFi broadcast can come up with pretty much any SSID they want.) So, you launch the YouTube app on your phone and all of a sudden you’ve sent your Google credentials to a cyber attacker. Now they can really mess with your digital life.
Session hijacking is another common type of MITM attack. Your web browser frequently uses cookies, which are small text files. Web cookies are why I can be conveniently automatically logged into the various web services I use from my home office PC. They cut down on how often I have to enter my username and password in order to log into websites and web services. But that sort of convenience comes with a cybersecurity risk. Cyber attackers can acquire my authentication cookie in multiple ways.
For example, they could inject malicious code into someone else’s web server. My web browser thinks it’s the legitimate web service asking for my cookie when it’s actually the attacker. That’s referred to as XSS (cross-site scripting). Malware on my PC can also grab my cookies from my hard drive and send them to the attacker. Or the attacker could use session side-jacking. In this scenario, the authentication data I send to a web service could be encrypted, but the rest of the communication could be in plaintext. The attacker could use a packet sniffer to acquire my cookies as they are sent in plaintext, or grab data from my packet headers that can be used to intercept what I’m doing.
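The three cookie-theft routes above (a sniffer on plaintext traffic, injected script, and malware reading the cookie store) each have a matching cookie attribute that blunts them. The following is an added example, not code from the original post: a small audit of `Set-Cookie` headers that records which protections are missing, beside a helper that builds a hardened session cookie. The cookie names and values are constructed placeholders.

```python
"""Audit Set-Cookie headers for the attributes that blunt cookie theft.

Added example, not code from the original post. The cookie names and
values below are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CookieAudit:
    name: str
    findings: List[str] = field(default_factory=list)

    @property
    def hardened(self) -> bool:
        """True when no weakness was recorded for this cookie."""
        return not self.findings


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> CookieAudit:
    """Record each missing protection for a session cookie header."""
    name, _, attrs = parse_set_cookie(header)
    audit = CookieAudit(name=name)
    if "secure" not in attrs:
        audit.findings.append(
            "no Secure flag: the cookie is also sent over plaintext HTTP, "
            "where a packet sniffer can read it (session side-jacking)")
    if "httponly" not in attrs:
        audit.findings.append(
            "no HttpOnly flag: script injected by XSS can read the cookie")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        audit.findings.append(
            "SameSite not Strict or Lax: the cookie rides along on "
            "cross-site requests")
    if "max-age" in attrs or "expires" in attrs:
        audit.findings.append(
            "persistent cookie: stored on disk, where malware on the "
            "client can copy it")
    if name.startswith("__Host-") and (
            "secure" not in attrs or "domain" in attrs
            or attrs.get("path") != "/"):
        audit.findings.append(
            "__Host- prefix requires Secure, Path=/ and no Domain attribute")
    return audit


def harden_session_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie header for a session cookie with every protection on.

    The __Host- prefix makes browsers refuse the cookie unless it was set
    over HTTPS with Path=/ and no Domain attribute, so an interceptor on a
    plaintext connection cannot overwrite it either.
    """
    return f"__Host-{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


# Constructed sample headers: a weak persistent cookie and its hardened form.
WEAK_HEADER = "sessionid=3f9c1a7e; Path=/; Max-Age=2592000"
STRONG_HEADER = harden_session_cookie("sessionid", "3f9c1a7e")

if __name__ == "__main__":
    for header in (WEAK_HEADER, STRONG_HEADER):
        result = audit_set_cookie(header)
        print(f"{result.name}: {'OK' if result.hardened else 'WEAK'}")
        for finding in result.findings:
            print("  -", finding)
```

Run against real response headers (for example from a proxy log), the audit tells you which of the routes in the paragraph above a given site still leaves open; the persistent-cookie finding is a judgment call for "remember me" cookies, but a pure session cookie should not need it.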
Email hijacking is another kind of MITM attack. Not all email communications are encrypted. But even encrypted email can be intercepted if an attacker acquires the cryptographic keys somehow. Email could be hijacked by malware on an email server. Email can also be hijacked with a packet sniffer, or a phishing email with a hyperlink to a malicious web application that can spy on your email client.
An attacker could be reading the emails I send and receive and just lurk quietly. Then they find an email I sent to one of the companies I work for that has an email attachment which contains my bank account information. Or they see me do an email-based money transfer. An attacker could replace the banking information of my intended money recipient with information about their own bank account. All of a sudden, I’ve just sent $1000 to a cyber attacker.
MITM attacks involve any sort of network communication interception by cyber attackers and they can be done in many, many different ways. The table below provides a short description of various MitM hack methods.
| Type | Description |
| --- | --- |
| IP spoofing | The attacker tricks a user into believing that the interaction is with a regular website, where the personal information of the user is easily accessed by the attacker. |
| DNS spoofing | A spoofed DNS cache forces a user to a fake website rather than the real one the user intends to visit. |
| TLS stripping | An attacker can fool your browser into believing it is visiting a trusted website when it is not. |
| TLS hijacking | The attacker uses another computer and secure server and intercepts all the information passing between the server and the user’s computer. |
| Email hijacking | Mostly used against banks and other financial institutions, where the criminals target corporate mail accounts. Once they gain access, attackers can monitor transactions between the institution and its customers. The attackers can then spoof the bank’s email address and send their own instructions to customers, convincing the customer to follow the attacker’s instructions rather than the bank’s. |
| WiFi eavesdropping | Cybercriminals set up fraudulent WiFi connections with very legitimate-sounding names. Once a user connects to the fraudster’s WiFi, the attacker can monitor the user’s online activity and intercept login credentials, payment card information, and more. |
| Stolen browser cookies | A cybercriminal can hijack browser cookies. Since cookies store information from your browsing session, attackers can gain access to your passwords, address, and other sensitive information. |
How to prevent Man in the Middle (MITM) attacks
There are lots of different things you can do to avoid becoming a victim of an MITM attack. Although MitM attacks are not as common as ransomware or phishing attacks, they do present a credible threat to all organizations. The sophistication required to launch such an attack deters cyber attackers from using this vector when they have the alternative of achieving the same objectives in simpler ways, such as installing malware or exploiting compromised credentials.
The use of encryption protocols such as TLS is the best way to help protect against MitM attacks. TLS 1.3, the latest version, has been the official standard since August 2018. The increased use of HTTPS and enhanced security alerts from browsers have lessened the likelihood of certain Man-in-the-Middle (MitM) attacks. In 2017, the Electronic Frontier Foundation (EFF) noted that more than half of all internet traffic was encrypted. Additionally, Google has reported that over 90 percent of online traffic is encrypted in some countries. Major web browsers, including Chrome and Firefox, have also started alerting users when there's a potential risk of MitM attacks, further bolstering online security.
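TLS only stops an interceptor when the client actually verifies who it is talking to and refuses the older protocol versions a downgrade would fall back on. The following is an added example, not code from the original post: a Python client configuration written two ways, the one a man in the middle hopes for and the hardened one, with a small audit that reports what the weak one leaves open. It uses only the standard library `ssl` module; the hostname in the usage function is a placeholder.

```python
"""Client-side TLS settings that refuse an interceptor.

Added example, not code from the original post. Standard library only;
the hostname used for the live connection is a placeholder.
"""
import socket
import ssl
from typing import List


def weak_client_context() -> ssl.SSLContext:
    """The configuration a MITM loves: any certificate, any protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # a self-signed interceptor cert is accepted
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server certificate and hostname, and insist on TLS 1.3."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Name each gap an interceptor could use against this client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified: an interceptor's "
                        "own certificate is accepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a valid certificate for a "
                        "different name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append("older TLS versions allowed: a downgrade to a "
                        "weaker handshake is possible")
    return findings


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Human-readable floor version, e.g. 'TLSv1_3'."""
    return ctx.minimum_version.name


def open_verified_connection(host: str, port: int = 443) -> str:
    """Connect with the hardened context and report the negotiated version.

    Network access required; placeholder hostname, not part of the post.
    Raises ssl.SSLCertVerificationError if someone sits in the middle with
    a certificate the system trust store does not accept.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version() or "unknown"


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        print(f"{label}: minimum {minimum_version_name(ctx)}")
        for finding in audit_context(ctx) or ["no findings"]:
            print("  -", finding)
```

The same three properties apply to any client library: certificate verification on, hostname matching on, and a protocol floor you have chosen rather than whatever the server offers. A scan of your own code base for `CERT_NONE` and `check_hostname = False` (or their equivalents) is often the quickest way to find clients that would silently accept an interceptor.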
Here are recommended strategies for businesses and individuals to safeguard against Man-in-the-Middle (MitM) attacks:
- Implement multi-factor authentication. This extra security step can significantly deter attackers.
- Enhance control over your network and maintain visibility, applying the least-privilege principle for network segmentation.
- Effectively manage and secure your TLS certificates and keys to prevent the misuse of compromised or outdated certificates.
- Be cautious of phishing emails that prompt for password updates or other credential changes. Always manually enter the website URL instead of clicking links in emails.
- Avoid direct connections to public Wi-Fi networks. Use a VPN to encrypt your internet activities on public hotspots, safeguarding sensitive data like passwords and credit card details.
- Ensure your home Wi-Fi network is secure. Update all devices and your router with strong, unique passwords, replacing any default usernames and passwords.
The most important thing for enterprises is to tightly control keys and certificates so that attackers cannot use them to hijack encrypted tunnels.
Why focus on threat intelligence?
In today's fast-paced, interconnected world, it's crucial to be aware of the various threats that could endanger the privacy and accuracy of both personal and business-sensitive information. Staying updated on these risks and ensuring that your devices are equipped with adequate security measures is essential. Learn more about machine identity security by contacting the Venafi experts.
(This post has been updated. It was originally published on July 19, 2019.)