What are MITM attacks and how to prevent them?

On the internet, we believe we know who we are communicating with. And, for the most part we are pretty sure when we send a message to a colleague, that it is indeed our colleague who is answering our request. But, can we be sure? Is there an attacker inserting themselves in between our communication and eavesdropping on our conversation?

Only a decade ago, it was not uncommon for attackers to sit on the transmission layer of a conversation and intercept it in order to manipulate the discussion. These became known as Man-in-the-Middle (MITM) attacks. Today, while MITM attacks are less common, they still play an active part in infiltrating our communications. Attackers use them to steal login credentials or personal information, spy on victims, sabotage communications, or corrupt data.

Recognizing the role which MITM attacks play in wreaking havoc on our communications, individuals need to educate themselves on how these attacks work and how they can protect themselves. This blog will lay the foundation to enable readers to reach this goal.

MITM attack tutorial: how do they work?

In their most basic form, MITM attacks occur when a hacker intercepts a communication between two people or systems. The attacker essentially intercepts the internet traffic before it reaches its intended destination.
The image gives an overview for how this attack works.

[Figure: man in the middle]

There are many different goals that an attacker leading a MITM attack might have. However, some of the traditional goals of these attacks are:

  • To get personal information for identity theft
  • To get login credentials, for example, to gain access to an online bank account
  • To change the target account number to their own when the user is making a bank transfer
  • To get a credit card number when the user is paying at an online shop
  • To read user emails.

One easy way for an attacker to achieve these goals is by eavesdropping on a user who logs onto an unencrypted Wi-Fi connection. These networks are not secure and offer no guarantee of service or security. Passing any type of information on an unsecured network is like shouting the information at the top of your lungs. Anyone can listen in.

In reality though, MITM attacks typically take place in two parts. The first part is intercepting the traffic and the second part is decrypting the traffic.

How MITM attacks intercept traffic

One technique for intercepting traffic involves an attacker modifying the IP packets to impersonate another computer system. This is called IP spoofing. IP spoofing is analogous to an attacker sending a package to someone with the wrong return address listed.

Essentially, the attacker sits between the user and the real website and then alters the source and destination addresses of the IP packets. The legitimate user and the website they are attempting to reach both think they are communicating with one another. But, in reality, the hacker is intercepting and talking to both of them.


Another technique for intercepting traffic is DNS spoofing. In DNS spoofing, an attacker alters the website’s address record in a DNS server. As a result, users attempting to access the legitimate site are sent to the attacker’s site.

[Figure: DNS spoofing]

A final technique for MITM attacks to intercept traffic is through ARP spoofing. While these attacks are very infrequent, they do happen. In an ARP attack, an attacker links their computer’s MAC address with the IP address of a legitimate user on a local area network. As a result, data sent by the “real” user is siphoned off to the attacker.
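On the defensive side, the ARP spoofing described above leaves a visible trace in a host's neighbour table: an IP address whose MAC suddenly changes, or one MAC answering for several IPs. The following is an added example, not part of the original post; the two snapshots are constructed sample data in Linux `ip neigh` output format.

```python
import re
from collections import defaultdict

# Constructed sample data: a host's ARP cache before and after the gateway
# entry (192.168.1.1) was overwritten with another LAN host's MAC address.
SNAPSHOT_BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:00:00:20 STALE
192.168.1.30 dev eth0 lladdr aa:bb:cc:00:00:30 REACHABLE
"""
SNAPSHOT_AFTER = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:30 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:00:00:20 STALE
192.168.1.30 dev eth0 lladdr aa:bb:cc:00:00:30 REACHABLE
192.168.1.40 dev eth0  FAILED
"""

ENTRY = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+([0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries have no lladdr and are skipped
            table[m.group(1)] = m.group(2).lower()
    return table

def find_arp_anomalies(before, after):
    """Flag IPs whose MAC changed and MACs that answer for more than one IP."""
    alerts = []
    for ip, mac in sorted(after.items()):
        old = before.get(ip)
        if old and old != mac:
            alerts.append(("mac_changed", ip, old, mac))
    owners = defaultdict(list)
    for ip, mac in after.items():
        owners[mac].append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            alerts.append(("shared_mac", mac, tuple(sorted(ips))))
    return alerts

if __name__ == "__main__":
    for alert in find_arp_anomalies(parse_neigh(SNAPSHOT_BEFORE), parse_neigh(SNAPSHOT_AFTER)):
        print(alert)
```

Both signals also occur legitimately (a replaced router, DHCP lease reuse, virtual-IP failover), so treat an alert as a prompt to verify the gateway's MAC address rather than as proof of an attack.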

MITM decrypting techniques

While there are multiple techniques that can be used to decrypt the data stolen in MITM attacks, there are really only two that are commonly used for decryption: SSL stripping and SSL hijacking.

In SSL stripping, a hacker downgrades the communications between the user and the website into an unencrypted format so that the attacker can read it. How does this happen?

[Figure: SSL hijacking]

These attacks circumvent the security enforced by SSL certificates. When your web browser comes into contact with a web server, the first contact is made using ordinary HTTP. Then, the user is redirected to a secure SSL (HTTPS) protocol. Hackers take advantage of this small window using SSL strip or SSL downgrade attacks.
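Site operators narrow the plain-HTTP window described above by redirecting to HTTPS and sending a Strict-Transport-Security (HSTS) header, which tells the browser to skip HTTP on later visits. The following is an added example, not part of the original post: a check over recorded response headers, where the hostnames, responses and the `MIN_MAX_AGE` threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

MIN_MAX_AGE = 15552000  # 180 days; assumed policy threshold, not from the post

def audit_https_upgrade(http_resp, https_resp):
    """Return findings for a site's first-contact behaviour.

    Each argument is (status, headers) as recorded from http://site/ and
    https://site/. Header names are compared case-insensitively.
    """
    findings = []
    status, headers = http_resp
    headers = {k.lower(): v for k, v in headers.items()}
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302, 307, 308) or target.scheme != "https":
        findings.append("http does not redirect to https")

    # Browsers only honour HSTS received over HTTPS, so any HSTS header on
    # the plain-HTTP response is deliberately not consulted here.
    sec_headers = {k.lower(): v for k, v in https_resp[1].items()}
    hsts = sec_headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS header on https response")
        return findings
    directives = [d.strip().lower() for d in hsts.split(";") if d.strip()]
    m = next((re.fullmatch(r'max-age="?(\d+)"?', d)
              for d in directives if d.startswith("max-age")), None)
    if m is None:
        findings.append("HSTS header has no valid max-age")
    elif int(m.group(1)) < MIN_MAX_AGE:
        findings.append("HSTS max-age below %d seconds" % MIN_MAX_AGE)
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings

# Constructed sample responses for two hypothetical sites.
GOOD_SITE = ((301, {"Location": "https://shop.example/"}),
             (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
WEAK_SITE = ((200, {"Strict-Transport-Security": "max-age=31536000"}),
             (200, {"strict-transport-security": "max-age=300"}))

if __name__ == "__main__":
    print(audit_https_upgrade(*GOOD_SITE))
    print(audit_https_upgrade(*WEAK_SITE))
```

Even a clean result leaves the very first visit exposed unless the domain is also on the browsers' HSTS preload list.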

SSL hijacking is a second way to decrypt these communications. In these attacks, a hacker passes forged authentication keys to both the user and application during a TCP handshake. This sets up what appears to be a secure connection when, in fact, the man in the middle controls the entire session. In this scenario, the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other.

For example, Alice might be writing to Bob with information on which bank account to deposit a check in. Instead, Chris, who is between Alice and Bob, intercepts the conversation and puts his own bank account number in the message.

[Figure: man in the middle example]

Two other examples of decrypting communications that are not frequently used are the use of sniffers and cell tower impersonations.

Attacks that rely on a sniffer involve a malicious actor using readily available software to intercept data being sent from, or to, your device. A packet sniffer inspects those packets of data. Or rather, it can if that data is not encrypted. Packet sniffers are readily available on the internet.

Cell tower impersonations are rather obscure but have been known to happen. These attacks rely on fake cell phone towers – known as stingrays – to gather information. Stingray devices are also commercially available on the dark web.

What are examples of MITM attacks?

While the number of MITM attacks has decreased in recent years, they still do occur.

In 2018, the Russian hacking group APT 29 (also known as Fancy Bear) attempted to hack the Organization for the Prohibition of Chemical Weapons in Holland. Dutch police found four Russian agents in a car parked outside of the organization. The Russian agents were attempting to hack into the OPCW’s wireless network and set up a MITM access point to steal employee credentials.

In April 2018, US and UK cybersecurity centers issued warnings that “Russian state-sponsored cyber actors are actively targeting home and enterprise routers”. The Russian state-sponsored attacks were focused on conducting MITM attacks to support espionage, extract intellectual property, enable access to corporate networks and lay the foundation for future offensive operations.

Today, MITM attacks are most frequently successful when users log onto a compromised Wi-Fi router. These routers represent a weak point in security because they’re frequently left unpatched, have legacy unencrypted protocols, or weak default settings that enable easy installation.

Preventing MITM attacks – TLS is not enough

TLS is one of the most common methods used for securing the data transport layer. It protects data in transit from one endpoint to another. TLS would prevent attackers from reading data through the use of sniffer tools. Unfortunately, TLS doesn’t provide a protocol for protecting data against many of today’s updated forms of attack.

To secure communications between individuals and avoid MITM, users need to ensure that there is no way for attackers to tamper with their data. Users can ensure the authenticity of their exchanges by using tools that confirm their identity and secure their data. That way an attacker couldn’t pretend to be someone they aren’t and data can be protected.

The best way to provide this security is through the use of end-to-end encryption. End-to-end encryption protects users’ identity by creating a private key which is stored on their device. This key is established at the time of account creation and, unlike a password, cannot be guessed or spoofed.

End-to-end encryption also secures data so that it is only ever read by the sender and recipient and no one else. It ensures data is only decrypted on the endpoints, never on the server. In this manner, hackers trying to hack data on the server will only get gibberish because the information has not been shared with them.

How PreVeil stops MITM

PreVeil provides additional security to ensure that attackers cannot read and profit from attacking your data.

With PreVeil, data is always encrypted end to end. This means it is encrypted on the user’s device and only ever decrypted on the recipient’s device. Any attacker along the way who attacks the data won’t be able to decrypt it because they do not have the decryption keys.

Moreover, since PreVeil doesn’t use passwords, there is no way for an attacker to access the encrypted payload with a password. Instead of passwords, PreVeil uses a private key stored on the user’s device to prove a user’s identity.


Man-in-the-Middle attacks can be prevented with good network hygiene, such as firewalls, security protocols and strong data encryption. It is important to supplement these efforts by being mindful of your network habits and using proven end-to-end encryption to further secure your information.