As you learn more about cyber attacks, you’ll sometimes hear about man-in-the-middle attacks. These attacks impact data as it travels between one computer to another computer. Or from one computer to a networking appliance, such as a wireless router. The computers could be PCs, mobile devices, IoT devices, servers, video game consoles, it doesn’t matter. Your computer thinks it’s sending data to an authorized entity.
A Man-in-the-Middle (MitM) attack is when an attacker intercepts communication between two parties either to secretly eavesdrop or modify traffic traveling between them. Attackers might use MitM attacks to steal login credentials or personal information, spy on the victim, or sabotage communications and corrupt data.
MitM attacks are one of the oldest forms of cyber-attack, and computer scientists have been looking at ways to prevent bad actors tampering or eavesdropping on communications since the early 1980s. For example, when my PC sends authentication details for my online banking, I hope it’s only going to my bank’s website. But these communications can be intercepted, and I probably won’t even know about it. My recipient, or my bank, could even be receiving data from my computer as intended! But unbeknownst to me or my bank, there’s someone listening in on us. That, my friends, is what an MITM (man-in-the-middle) attack is. It’s exactly what it sounds like, there’s a “man” in the middle, and he’s a cyber attacker.
The anonymous cyber attackers use the new connection to collect information, such as bank account information (in this scenario) or any private information of yours or your business. Therefore, this type of stealthy attack requires a system in place that can stop the man in the middle attacks from happening.
All about Man In The Middle (MITM) attacks
All kinds of data is sent between computing devices, especially on the internet. The data-in-transit goes over the air as WiFi radio signals, down coaxial or fiber optic cable, or over Bluetooth. There are hundreds of TCP/IP ports which are the backbone of the vast majority of networks, including but not limited to the internet. Some ports are commonly used and well-known like ports 80 and 443 for the web, or port 25 for sending email. Others are pretty obscure like port 17 for “Quote of the Day” or 10823 for Farming Simulator 2011, a video game.
An MITM attack could affect any TCP/IP port. A MITM attack could be a malicious interception of any sort of network communications, including internal networks. But the majority of man-in-the-middle attacks take place on the internet.
Why are MitM hacks so dangerous?
With increased business mobility and use of open Wi-Fi, the consequences of an MitM attack can be quite serious. For example, in the banking sector an attacker could see that a user is making a transfer and change the destination account number or the amount being sent. In addition, threat actors could use Man-in-the-Middle attacks to harvest personal information or login credentials. Further, attackers could force compromised updates that install malware. Given that they often fail to encrypt traffic, mobile devices are particularly susceptible to this scenario.
The proliferation of IoT devices poses yet another challenge with regards to the execution of MitM hacks. The lack of security in many devices means the growth in IoT could present an increase in MitM attacks and either send false information back to the organization or erroneous command and control instructions to the devices themselves.
IoT devices tend to be more vulnerable to attack because by design they do not implement TLS or rely on older versions of it that are not as robust as the latest version.
Types of Man in the Middle (MITM) attacks
WiFi eavesdropping is a very common type of MITM attack. Here’s one WiFi attack scenario: An attacker sets up a public, unencrypted WiFi access point. You’re sitting at the train station thinking, “I’d love to watch something on YouTube to kill time, but my cell connection here is terrible. Let’s look for some WiFi.” You find an SSID labeled “Toronto Transit Free WiFi.” Wow, how convenient! You connect to it. (Someone who sets up a WiFi broadcast can come up with pretty much any SSID they want.) So, you launch the YouTube app on your phone and all of a sudden you’ve sent your Google credentials to a cyber attacker. Now they can really mess with your digital life.
Session hijacking is another common type of MITM attack. Your web browser frequently uses cookies, which are small text files. Web cookies are why I can be conveniently automatically logged into the various web services I use from my home office PC. They cut down on how often I have to enter my username and password in order to log into websites and web services. But that sort of convenience comes with a cybersecurity risk. Cyber attackers can acquire my authentication cookie in multiple ways.
For example, they could inject malicious code into someone else’s web server. My web browser thinks it’s the legitimate web service asking for my cookie when it’s actually the attacker. That’s referred to as XSS (cross site scripting.) Malware on my PC can also grab my cookies from my hard drive and send them to the attacker. Or the attacker could use session side jacking. In this scenario, the authentication data I send to a web service could be encrypted but then the rest of the communications could be in plaintext. The attacker could use a packet sniffer to acquire my cookies being sent over plaintext or grab data from my packet headers to be used to intercept what I’m doing.
Email hijacking is another kind of MITM attack. Not all email communications are encrypted. But even encrypted email can be intercepted if an attacker acquires the cryptographic keys somehow. Email could be hijacked by malware on an email server. Email can also be hijacked with a packet sniffer, or a phishing email with a hyperlink to a malicious web application that can spy on your email client.
An attacker could be reading the emails I send and receive and just lurk quietly. Then they find an email I sent to one of the companies I work for that has an email attachment which contains my bank account information. Or they see me do an email-based money transfer. An attacker could replace the banking information of my intended money recipient with information about their own bank account. All of a sudden, I’ve just sent $1000 to a cyber attacker.
MITM attacks involve any sort of network communication interception by cyber attackers and they can be done in many, many different ways. The table below provides a short description of various MitM hack methods.
How to prevent Man in the Middle (MITM) attacks
There are lots of different things you can do to prevent becoming a victim of an MITM attack. Although MitM attacks are not as common as ransomware or phishing attacks, they do present a credible threat for all organizations. The sophistication required to launch such an attack deters cyber attackers from using this vector when they have the alternative of carrying out the same objectives in simpler ways, such as installing malware or exploiting compromised credentials.
The use of encryption protocols such as TLS is the best way to help protect against MitM attacks. The latest version of TLS 1.3 has become the official standard since August 2018. Greater adoption of HTTPS and more security warnings by the browsers have reduced the potential threat of some MitM attacks. In 2017 the Electronic Frontier Foundation (EFF) reported that over half of all internet traffic was encrypted and Google indicates that over 90 percent of traffic in some countries is now encrypted. Major browsers such as Chrome and Firefox also warn users if they are at risk from MitM attacks.
Below is a list of best practices to help businesses and individuals prevent MitM attacks:
- Use multi-factor authentication wherever possible. Although not a panacea, adding an extra layer of difficulty will deter criminals from targeting your assets
- Maximize network control and visibility and implement network segmentation based on the least-privilege principle
- Manage and protect your TLS certificates and keys effectively to avoid exploitation of compromised or expired certificates
- Be wary of potential phishing emails from attackers asking you to update your password or any other login credentials. Instead of clicking on the link provided in the email, manually type the website address into your browser
- Never connect to public Wi-Fi routers directly, if possible. A VPN encrypts your internet connection on public hotspots to protect the private data you send and receive while using public Wi-Fi, including data like passwords or credit card information
- Be sure that your home Wi-Fi network is secure. Update all default usernames and passwords on your home router and all connected devices to strong, unique passwords.
The most important thing for enterprises is to tightly control keys and certificates so that attackers cannot use them to hijack encrypted tunnels.
Why focus on threat intelligence?
In our rapidly evolving connected world, it is important to understand the types of threats that could compromise the confidentiality and integrity of personal and business sensitive information. Stay informed and make sure your devices are fortified with proper security. Learn more about machine identity management by contacting the Venafi experts.
What to learn more about securely managing your network? Download our TLS Machine Identity Management eBook.
(This post has been updated. It was originally published on July 19, 2019.)
Related posts
