What are Man-in-the-Middle (MITM) Attacks?

On the internet, we believe we know who we are communicating with. And, for the most part, we are pretty sure when we send a message to a colleague that our colleague is answering the request. But, can we be sure? Could an attacker insert themselves in between our communication and eavesdrop on our conversation?
 
Only a decade ago, it was not uncommon for attackers to sit on the transmission layer of a conversation and intercept it in order to manipulate the discussion. These became known as Man-In-the-Middle (MITM) attacks. Today, while MITM attacks are less common, they still play an active part in infiltrating our communications. Today, attackers use MITM attacks to steal login credentials or personal information, spy on victims, sabotage communications, or corrupt data.
 
In recognizing the role which MITM attacks play in wreaking havoc on our communications, individuals need to educate themselves on how these attacks work and how they can protect themselves. This blog will lay the foundation to enable readers to reach this goal.
 

MITM overview

 

In their most basic form, a MITM attack occurs when a hacker intercepts a communication between two people or systems. The attacker essentially intercepts the internet traffic before it reaches its intended destination.

There are many different goals that an attacker leading a MITM attack might have. However, some of the traditional goals of these attacks are:

  • To get personal information for identity theft
  • To get login credentials, for example, to gain access to an online bank account
  • To change the target account number to their own when the user is making a bank transfer
  • To get a credit card number when the user is paying at an online shop
  • To read user emails.

 
One easy way for an attack to achieve these goals is by eavesdropping on a user who logs onto an unencrypted wi-fi connection. These networks are not secure and offer no guarantee of service or security. Passing any type of information on an unsecure network is like shouting the information at the top of your lungs. Anyone can listen in.

While this is the typical way in which MITM attacks are conducted today, it is definitely not the only way.

 

How MITM attacks intercept traffic

 
One technique for intercepting traffic involves an attacker modifying the IP packets to impersonate another computer system. This is called IP spoofing. IP spoofing is analogous to an attacker sending a package to someone with the wrong return address listed.
 
Essentially, the attacker sits between the user and the real website and then alters the source and destination packets of the IP. The legitimate user and the website they are attempting to reach both think they are communicating with one another. But, in reality, the hacker is intercepting and talking to both of them.
 

 

Another techniques for intercepting traffic is DNS spoofing. In DNS Spoofing, an attacker alters the website’s address record in a DNS server. As a result, users attempting to access the legitimate site are sent to the attacker’s site.
 

 
A final technique for MITM attacks to intercept traffic is through ARP spoofing. While these attacks are very infrequent, they do happen. In an ARP attack, an attacker links their computer’s MAC address with the IP address of a legitimate user on a local area network. As a result, data sent by the “real” user is siphoned off to the attacker.
 

MITM decrypting techniques

 
While there are multiple techniques that can be used to decrypt the data stolen in MITM attacks, there are really only two that are commonly used: SSL stripping and SSL hijacking.
 
In SSL stripping, a hacker downgrades the communications between the user and the website into an unencrypted format so that the attacker can read it. How does this happen?
 

 
These attacks circumvent the security enforced by SSL certificates. When your web browser comes into contact with a web server, the first contact is made using ordinary http. Then, the user is redirected to a secure SSL (https) protocol. Hackers take advantage of this small window using SSL strip or SSL downgrade attacks.
 
SSL Hijacking is a second way to decrypt these communications. In these attacks, a hacker passes forged authentication keys to both the user and application during a TCP handshake. This sets up what appears to be a secure connection when, in fact, the man in the middle controls the entire session. In this scenario, the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other.
 
For example, Alice might be writing Bob with information on which bank account to deposit a check in. Instead, Chris who is between Alice and Bob intercepts the conversation and put his bank account number in the message instead.

 

 
For the moment, there is no known way to prevent this sort of key exchange from occurring if an attacker has already compromised the corporate network. However, corporations should take precautions such as setting up strong firewalls to attackers from gaining access to the network and instigating MitM attacks.
 
Two other examples of decrypting communications that are not frequently used are the use of sniffers and cell tower impersonations.
 
Attackers that rely on a sniffer involve a malicious actor using readily available software to intercept data being sent from, or to, your device. A packet sniffer inspects those packets of data. Or rather, it can if that data is not encrypted. Packet sniffers are readily available on the internet.
 
Cell tower impersonations are rather obscure but have been known to happen. These attacks rely on fake cell phone towers – known as stingrays – to gather information. Stingray devices are also commercially available on the dark web.
 

What are examples of MITM attacks?

 
While the number of MITM attacks has decreased in recent years, they still do occur.
 
In 2018, the Russian hacking group APT 29 (also known as Fancy Bear) attempted to hack the Organization for the Prohibition of Chemical Weapons in Holland. Dutch police found four Russian agents in a car parked outside of the organization. The Russian agents were attempting to hack into the OPCW’s wireless network and set up a MITM access point to steal employee credentials.
 
In April 2018, US and UK cybersecurity centers issued warnings that “Russian state -sponsored cyber actors are actively targeting home and enterprise routers”. The Russian state-sponsored attacks were focused on conducting MITM attacks to support espionage, extract intellectual property, enable access to corporate networks and lay the foundation for future offensive operations.
 
Today, MITM attacks are most frequently successful when users log onto a compromised Wi-Fi router. These routers represent a weak point in security because they’re frequently left unpatched, have legacy unencrypted protocols, or weak default settings that enable easy installation.
 

Preventing MITM attacks

 
Today’s MITM attacks, as shown in the above examples, are primarily looking to intercept communications and either modify them or listen in on them. To avoid these attacks, individuals should:
 

  • Use encrypted communications to maintain their security and integrity
  • Avoid using unsecured public wi-fi connections for secure communications
  • Ensure web traffic is secured, particularly if submitting financial or personal information

 

How PreVeil stops MITM

 
MITM attacks often occur because there is poor communications security. PreVeil however can provide this needed security to ensure that attackers cannot read and profit from intercepting your communications.
 
With PreVeil, data is always encrypted end to end. This means it is encrypted on the user’s device and only ever decrypted on the recipient’s device. Any attacker along the way who attacks the data won’t be able to decrypt it because they do not have the decryption keys.
 
Moreover, since PreVeil doesn’t use passwords, there is no way for an attacker to access the encrypted payload with a password. Instead of passwords, PreVeil uses a private key stored on the user’s device to prove a user’s identity.
 

Conclusion

 
Man-in-the-middle attacks can be prevented with good network hygiene and security protocols. However, it is important to supplement these efforts by being mindful of your network habits and use proven end-to-end encryption to further secure your information.