A man-in-the-middle (MITM) attack occurs when someone sits between two computers (such as a laptop and remote server) and intercepts traffic. This person can eavesdrop on, or even intercept, communications between the two machines and steal information.
Man-in-the-middle attacks are a serious security concern. Here’s what you need to know, and how to protect yourself.
Two’s Company, Three’s a Crowd
The “beauty” (for lack of a better word) of MITM attacks is the attacker doesn’t necessarily have to have access to your computer, either physically or remotely. He or she can just sit on the same network as you, and quietly slurp data. A MITM can even create his own network and trick you into using it.
The most obvious way someone can do this is by sitting on an unencrypted, public Wi-Fi network, like those at airports or cafes. An attacker can log on and, using a free tool like Wireshark, capture every packet sent over that network. He or she could then analyze the captured traffic and pick out potentially useful information.
This approach doesn’t bear as much fruit as it once did, thanks to the prevalence of HTTPS, which provides encrypted connections to websites and services. An attacker can’t decode the encrypted data sent between two computers communicating over an encrypted HTTPS connection.
However, HTTPS alone isn’t a silver bullet. There are work-arounds an attacker can use to nullify it.
Employing a MITM, an attacker can try to trick a computer into “downgrading” its connection from encrypted to unencrypted. He or she can then inspect the traffic between the two computers.
An “SSL stripping” attack might also occur, in which the attacker inserts himself or herself into what should be an encrypted connection. He or she then captures and potentially modifies traffic, and then forwards it on to an unsuspecting person.
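The browser-side defence against stripping is HTTP Strict Transport Security (HSTS): once a site has told the browser over HTTPS that it is HTTPS-only, the browser rewrites any plain http:// link to that host before the request leaves the machine, so a downgraded link never goes out in the clear. The class below is an added example of that policy cache, not code from the original article; the host names and header values in the comments are made up for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# One HSTS directive, e.g. "max-age=31536000" or "includeSubDomains".
_DIRECTIVE = re.compile(r'\s*([A-Za-z-]+)(?:\s*=\s*"?(\d+)"?)?')

class HstsCache:
    """Per-host 'HTTPS only' policies, kept the way a browser keeps them."""

    def __init__(self):
        self._policies = {}  # host -> (expiry as unix time, includeSubDomains)

    def learn(self, host, header, now):
        """Store the policy from a Strict-Transport-Security header.
        Only pass headers received over HTTPS: RFC 6797 ignores the header on
        plain HTTP, precisely so a stripper cannot forge one."""
        max_age, include_sub = None, False
        for token in header.split(";"):
            m = _DIRECTIVE.match(token)
            if not m:
                continue
            name, value = m.group(1).lower(), m.group(2)
            if name == "max-age" and value is not None:
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:  # malformed header: keep whatever we already had
            return False
        if max_age == 0:  # max-age=0 tells the client to forget the host
            return self._policies.pop(host.lower(), None) is not None
        self._policies[host.lower()] = (now + max_age, include_sub)
        return True

    def is_protected(self, host, now):
        """True if an unexpired policy covers host, directly or via a parent."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy and policy[0] > now and (i == 0 or policy[1]):
                return True
        return False

    def rewrite(self, url, now):
        """URL the client should really fetch: http:// becomes https:// for a
        protected host, so a stripped link never leaves the machine in clear."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_protected(parts.hostname or "", now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

The weak spot is the very first visit, before any policy has been learned; browsers close that gap with a built-in preload list.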
Network-Based Attacks and Rogue Wireless Routers
MITM attacks also happen at the network level. One approach is called ARP Cache Poisoning, in which an attacker tries to associate his or her MAC (hardware) address with someone else’s IP address. If successful, all data intended for the victim is forwarded to the attacker.
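Because a poisoning attack has to keep telling the network that the attacker's MAC address now answers for the victim's (or the gateway's) IP address, a passive monitor that remembers which MAC first claimed each IP can see it happen. The detector below is an added example, not part of the original article; the ARP replies it scans are constructed sample data, and 192.168.1.1 is assumed to be the gateway.

```python
from collections import defaultdict

# Constructed sample ARP replies: (seconds, sender IP, sender MAC), as a
# passive monitor on the LAN would see them.  192.168.1.1 is the assumed gateway.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # gateway's genuine reply
    (0.5, "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # an ordinary host
    (5.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # gateway again, unchanged
    (9.0, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by a new MAC
    (9.1, "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC also claims the host
]


class ArpMonitor:
    """Learns IP->MAC bindings from ARP replies and reports conflicts.

    A binding that changes can also be a legitimate DHCP reassignment or a
    replaced NIC, so alerts are a prompt to investigate, not proof of attack.
    The gateway's IP gets the highest severity: poisoning it hands the
    attacker every packet the victim sends off the LAN.
    """

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.bindings = {}               # ip -> mac first seen answering for it
        self.claimed = defaultdict(set)  # mac -> every ip it has answered for
        self.alerts = []                 # (timestamp, severity, message)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        previous = self.bindings.setdefault(ip, mac)
        newly_claimed = ip not in self.claimed[mac]
        self.claimed[mac].add(ip)
        if previous != mac:
            severity = "HIGH" if ip == self.gateway_ip else "MEDIUM"
            self.alerts.append((ts, severity,
                                f"{ip} changed from {previous} to {mac}"))
        # One MAC answering for several IPs is the signature of a poisoner
        # impersonating both ends of a conversation; report each new IP once.
        if newly_claimed and len(self.claimed[mac]) > 1:
            self.alerts.append((ts, "MEDIUM",
                                f"{mac} claims {sorted(self.claimed[mac])}"))
        return self.alerts


def scan(replies, gateway_ip):
    """Run the monitor over a batch of replies and return all alerts raised."""
    mon = ArpMonitor(gateway_ip)
    for ts, ip, mac in replies:
        mon.observe(ts, ip, mac)
    return mon.alerts
```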
DNS spoofing is a similar type of attack. DNS is the “phone book” of the internet. It associates human-readable domain names, like google.com, with numeric IP addresses. By using this technique, an attacker can forward legitimate queries to a bogus site he or she controls, and then capture data or deploy malware.
Another approach is to create a rogue access point, or to position a computer between the end user and the router or remote server.
Overwhelmingly, people are far too trusting when it comes to connecting to public Wi-Fi hot spots. They see the words “free Wi-Fi” and don’t stop to think whether a nefarious hacker could be behind it. This has been proven repeatedly with comic effect when people fail to read the terms and conditions on some hot spots. For example, some require people to clean filthy festival latrines or give up their firstborn child.
Creating a rogue access point is easier than it sounds. There are even physical hardware products that make this incredibly simple. However, these are intended for legitimate information security professionals who perform penetration tests for a living.
Also, let’s not forget that routers are computers that tend to have woeful security. The same default passwords tend to be used and reused across entire product lines, and they also have spotty access to updates. Another possible avenue of attack is a router injected with malicious code that allows a third party to perform a MITM attack from afar.
Malware and Man-in-the-Middle Attacks
As we mentioned previously, it’s entirely possible for an adversary to perform a MITM attack without being in the same room, or even on the same continent. One way to do this is with malicious software.
A man-in-the-browser attack (MITB) occurs when a web browser is infected with malicious software. This is sometimes done via a phony extension, which gives the attacker almost unfettered access.
For example, someone could manipulate a web page to show something different than the genuine site. He or she could also hijack active sessions on websites like banking or social media pages and spread spam or steal funds.
One example of this was the SpyEye Trojan, which was used as a keylogger to steal credentials for websites. It could also populate forms with new fields, allowing the attacker to capture even more personal information.
How to Protect Yourself
Fortunately, there are ways you can protect yourself from these attacks. As with all online security, it comes down to constant vigilance. Try not to use public Wi-Fi hot spots. Try to only use a network you control yourself, like a mobile hot spot or Mi-Fi.
Failing that, a VPN will encrypt all traffic between your computer and the outside world, protecting you from MITM attacks. Of course, here, your security is only as good as the VPN provider you use, so choose carefully. Sometimes, it’s worth paying a bit extra for a service you can trust. If your employer offers you a VPN when you travel, you should definitely use it.
To protect yourself from malware-based MITM attacks (like the man-in-the-browser variety), practice good security hygiene. Don’t install applications or browser extensions from sketchy places. Log out of website sessions when you’re finished with what you’re doing, and install a solid antivirus program.