A man-in-the-middle (MITM) attack occurs when an attacker positions themselves between two communicating computers, such as a laptop and a remote server, and relays the traffic between them. From that position the attacker can read the communication, steal information from it, or alter it before passing it on.
MITM attacks are a serious security problem. Here is what you need to know and how to protect yourself.
Two’s Company, Three’s a Crowd
The “beauty” (for lack of a better term) of MITM attacks is that the attacker does not necessarily need access to your computer, either physically or remotely. They can simply sit on the same network as you and quietly sniff the data passing over it. An attacker can even set up their own network and encourage you to use it.
The most obvious way to do this is to sit on a public Wi-Fi network, such as those at airports or cafes. On an open (unencrypted) network an attacker can connect, use a free tool like Wireshark to capture every packet other users send, and then sift through them for potentially useful information.
This approach is less fruitful than it once was, thanks to the prevalence of HTTPS, which encrypts the connection between a browser and a website or service. An attacker who captures HTTPS traffic can still see which hosts you talk to and how much data moves, but cannot read the contents without breaking or bypassing the encryption.
However, HTTPS on its own is not a complete fix. There are techniques an attacker can use to defeat or bypass it.
From a MITM position, an attacker can try to trick a computer into “downgrading” its connection from encrypted to unencrypted, for instance by interfering with the initial request before HTTPS is ever negotiated. He can then inspect the traffic between the two computers.
An “SSL stripping” attack is a specific form of this: the attacker sits between the victim and the server, talks HTTPS to the server but serves the victim a plain HTTP version of the pages, with every https:// link rewritten to http://. The attacker captures and can modify the traffic before forwarding it, and the unsuspecting victim sees a working site, just without the padlock.
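Here is how the stripping and the browser-side defence fit together, as an added Python example that is not part of the original article. The server response, the host name bank.example and the function names are constructed for illustration; the behaviour modelled (dropping the Strict-Transport-Security header, rewriting https:// to http://, and a browser honouring a cached HSTS policy only when it was received over HTTPS) follows how SSL stripping and HSTS actually work.

```python
import re
from typing import Dict, Tuple

HSTS = "strict-transport-security"
HTTPS_URL = re.compile(r"https://", re.IGNORECASE)


def strip_tls(headers: Dict[str, str], body: str) -> Tuple[Dict[str, str], str]:
    """What an SSL-stripping proxy does to a response it fetched from the
    real server over HTTPS before relaying it to the victim over plain HTTP:
      * drop Strict-Transport-Security, so the browser never learns that
        the site insists on HTTPS;
      * rewrite every https:// URL (Location header, links, form actions)
        to http://, so the victim's next request also arrives in cleartext.
    """
    stripped = {name: HTTPS_URL.sub("http://", value)
                for name, value in headers.items() if name.lower() != HSTS}
    return stripped, HTTPS_URL.sub("http://", body)


def learn_hsts(host: str, scheme: str, headers: Dict[str, str], cache: Dict[str, int]) -> None:
    """Browser side: remember an HSTS policy, but only if it arrived over
    HTTPS. RFC 6797 requires ignoring the header on plain HTTP, otherwise a
    MITM could plant or clear policies at will."""
    if scheme != "https":
        return
    for name, value in headers.items():
        if name.lower() == HSTS:
            match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
            if match:
                cache[host] = int(match.group(1))


def scheme_for_request(host: str, requested_scheme: str, cache: Dict[str, int]) -> str:
    """Browser side: a host with a cached (or preloaded) HSTS policy is
    always contacted over HTTPS, whatever scheme the link used."""
    return "https" if cache.get(host, 0) > 0 else requested_scheme


# Constructed response from the real server, as sent over HTTPS (not a real site).
SERVER_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Location": "https://bank.example/login",
}
SERVER_BODY = '<a href="https://bank.example/login">Log in</a>'


def victim_next_request(visited_before: bool) -> str:
    """Scheme the victim's browser uses when it follows the login link out
    of a stripped response. visited_before=True means the browser has
    already seen the real site over HTTPS once, so the HSTS policy is cached."""
    cache: Dict[str, int] = {}
    if visited_before:
        learn_hsts("bank.example", "https", SERVER_HEADERS, cache)
    headers, body = strip_tls(SERVER_HEADERS, SERVER_BODY)
    # The attacker relays over http, so whatever headers survive are ignored.
    learn_hsts("bank.example", "http", headers, cache)
    link_scheme = re.search(r'href="(\w+)://', body).group(1)
    return scheme_for_request("bank.example", link_scheme, cache)


if __name__ == "__main__":
    print("first visit on hostile network :", victim_next_request(False))  # http
    print("site seen over HTTPS before    :", victim_next_request(True))   # https
```

The first case is the reason HSTS preload lists exist: a site that is only ever reached through a hostile network never gets to deliver the header, so the browser must ship with the policy built in.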
Network-based attacks and rogue wireless routers
MITM attacks also occur at the network level. One approach is ARP cache poisoning, in which the attacker sends forged ARP replies to associate his own MAC (hardware) address with someone else’s IP address, typically the local gateway’s. If it works, traffic meant for the gateway is delivered to the attacker, who can read it and forward it on.
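The following Python monitor, added here and not from the original article, shows how ARP poisoning can be spotted from the traffic it generates: it records the IP-to-MAC bindings seen in ARP replies and alerts when an IP is suddenly claimed by a second MAC, or when one MAC claims several IPs (the attacker impersonating both gateway and victim). The sample replies and addresses are constructed for the example; a real deployment would feed it captured ARP frames.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ArpReply:
    """The fields of an ARP reply we care about (constructed records,
    not captured frames)."""
    ts: float        # seconds since capture start
    sender_ip: str   # protocol address being advertised
    sender_mac: str  # hardware address claiming it


@dataclass
class ArpMonitor:
    """Track which MACs have claimed each IP and flag anomalies.

    This is the arpwatch approach: the first MAC seen for an IP (or one
    seeded from a known-good table) is remembered, and any later reply
    that advertises the same IP from a different MAC raises an alert.
    """
    macs_for_ip: Dict[str, Set[str]] = field(default_factory=dict)
    ips_for_mac: Dict[str, Set[str]] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def observe(self, reply: ArpReply) -> bool:
        """Record one reply; return True if it triggered an alert."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        seen = self.macs_for_ip.setdefault(ip, set())
        self.ips_for_mac.setdefault(mac, set()).add(ip)
        if seen and mac not in seen:
            self.alerts.append(
                f"t={reply.ts:.0f}s {ip} previously {sorted(seen)} now claimed by {mac}")
            seen.add(mac)
            return True
        seen.add(mac)
        return False

    def suspects(self) -> Dict[str, List[str]]:
        """MACs that have claimed more than one IP. A host legitimately owning
        two addresses is possible, but a MAC that claims both the gateway and
        a client is the signature of a two-sided poisoning."""
        return {mac: sorted(ips) for mac, ips in self.ips_for_mac.items() if len(ips) > 1}


# Constructed capture: the real gateway and a client answer normally, then a
# third MAC starts advertising both of their addresses.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # real gateway
    ArpReply(1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),   # victim workstation
    ArpReply(5.0, "192.168.1.1", "de:ad:be:ef:00:99"),    # attacker claims gateway
    ArpReply(5.0, "192.168.1.20", "de:ad:be:ef:00:99"),   # attacker claims victim
    ArpReply(9.0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # real gateway still there
]


def run_monitor(replies: List[ArpReply] = SAMPLE_REPLIES) -> ArpMonitor:
    monitor = ArpMonitor()
    for reply in replies:
        monitor.observe(reply)
    return monitor


if __name__ == "__main__":
    result = run_monitor()
    for line in result.alerts:
        print("ALERT", line)
    print("suspect MACs:", result.suspects())
```

Seeding macs_for_ip with the gateway’s known MAC before the capture starts removes the window in which the first reply seen happens to be the attacker’s.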
DNS spoofing is a related attack. DNS is the Internet’s “telephone directory”: it maps human-readable domain names such as google.com to numeric IP addresses. By forging DNS answers, an attacker can redirect requests for a legitimate site to a fake one that he controls, then capture the data entered there or deliver malware.
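To see what a resolver actually checks before it believes an answer, here is a minimal DNS wire-format encoder, parser and acceptance test in Python. It is an added example, not code from the original article: the host names, ports, transaction ID and the RFC 5737 documentation addresses are constructed for the scenario. It shows that a forged response is rejected unless the attacker also matches the 16-bit transaction ID, the destination port and the question, which is why resolvers randomise the first two (RFC 5452).

```python
import struct
from typing import List, Tuple

A_RECORD, IN_CLASS = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length byte + label, 0 terminator."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode labels starting at off; return (name, offset after the name)."""
    labels: List[str] = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        if length & 0xC0:
            raise ValueError("compression pointers are not used in this toy")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(txid: int, name: str) -> bytes:
    # flags 0x0100: standard query, recursion desired; one question, A/IN
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS))


def build_response(txid: int, name: str, ip: str) -> bytes:
    # flags 0x8180: response, recursion desired and available, no error
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", A_RECORD, IN_CLASS, 300, 4) + rdata
    return header + question + answer


def parse(msg: bytes) -> Tuple[int, str, List[str]]:
    """Return (transaction id, question name, list of A-record IPs)."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    ips: List[str] = []
    for _ in range(ancount):
        _name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, qname, ips


def accept_response(query: bytes, query_src_port: int,
                    response: bytes, response_dst_port: int) -> bool:
    """Resolver-side acceptance test: the response must arrive on the port
    the query left from, carry the same 16-bit transaction ID and echo the
    same question name. Anything else is dropped as a possible forgery.
    Both the ID and the port must be unpredictable, or an off-path attacker
    can simply guess them."""
    q_txid, q_name, _ = parse(query)
    r_txid, r_name, _ = parse(response)
    return (response_dst_port == query_src_port
            and r_txid == q_txid
            and r_name.lower() == q_name.lower())


# Constructed scenario: the victim's resolver asks for example.com from a
# random source port and transaction ID; the genuine answer is 192.0.2.10.
QUERY_TXID, QUERY_PORT = 0x1A2B, 51217
QUERY = build_query(QUERY_TXID, "example.com")
REAL = build_response(QUERY_TXID, "example.com", "192.0.2.10")


def resolve(candidates: List[Tuple[bytes, int]]) -> str:
    """Feed responses in arrival order; return the IP from the first one the
    resolver accepts, or '' if none passes the checks."""
    for response, dst_port in candidates:
        if accept_response(QUERY, QUERY_PORT, response, dst_port):
            ips = parse(response)[2]
            return ips[0] if ips else ""
    return ""


if __name__ == "__main__":
    forged = build_response(0x0001, "example.com", "198.51.100.66")  # wrong txid
    print("forged, wrong id :", repr(resolve([(forged, QUERY_PORT), (REAL, QUERY_PORT)])))
    guessed = build_response(QUERY_TXID, "example.com", "198.51.100.66")
    print("forged, guessed  :", repr(resolve([(guessed, QUERY_PORT), (REAL, QUERY_PORT)])))
```

The last case is the attack in miniature: if the forged packet wins the race and matches both identifiers, the resolver caches the attacker’s address and the real answer is discarded as a duplicate. DNSSEC validation is the check that no amount of guessing defeats.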
Another approach is to set up a rogue access point, or to position a machine between the end user and the legitimate router or server.
People are overwhelmingly too trusting when it comes to public Wi-Fi hotspots. They see the words “free Wi-Fi” and do not stop to consider that a malicious operator might be behind it. This has been demonstrated repeatedly, sometimes to comic effect, in experiments where people accepted hotspot terms and conditions without reading them; in some cases the terms obliged them to clean festival latrines or hand over their firstborn child.
Setting up a rogue access point is easier than it sounds; there are even purpose-built hardware products that make it trivial. These are intended for legitimate information security professionals conducting authorised penetration tests.
Nor should we forget that routers are computers, and generally poorly secured ones. The same default passwords tend to be reused across entire product lines, and firmware updates arrive unevenly, if at all. A router whose firmware has been implanted with malicious code is another possible route, letting a third party carry out a MITM attack remotely.
Man-in-the-Middle malware and attacks
As mentioned above, it is entirely possible for an adversary to carry out a MITM attack without being in the same room, or even on the same continent. One way to do this is with malware.
A man-in-the-browser (MITB) attack occurs when the web browser itself is infected with malicious software, sometimes delivered as a bogus extension. Because the malware runs inside the browser, it sees pages after HTTPS has been decrypted and has almost unlimited access to what the user sees and types.
For example, the malware could alter a web page so that it shows something different from the genuine site. It could also hijack active sessions on websites such as online banking or social networks to send spam or steal funds.
The SpyEye Trojan was one example: it acted as a keylogger to steal website credentials and could also inject extra fields into forms, tricking the victim into handing over even more personal information.
How to protect yourself
Fortunately, there are ways to protect yourself from these attacks. As with all online security, it takes constant vigilance. Avoid public Wi-Fi hotspots where you can, and prefer a network you control, such as a mobile hotspot or MiFi device.
Otherwise, a VPN encrypts all traffic between your computer and the VPN endpoint, so an attacker on the local network sees nothing useful. Of course, the VPN provider now sits in the middle instead, so your security is only as good as theirs; choose carefully. Sometimes it is worth paying a little more for a service you can trust, and if your employer provides a VPN for travel, you should definitely use it.
To protect yourself from malware-based MITM attacks (such as the man-in-the-browser variety), practise good security hygiene: do not install apps or browser extensions from untrusted sources, log out of website sessions when you are finished, and run a solid antivirus program.