A man-in-the-middle attack is difficult to identify and defend against. MITM attacks depend on controlling the lines of communication between people, computers, or servers. Man-in-the-middle attacks don’t always require an infected computer, meaning there are multiple avenues of attack.
So, what is a man-in-the-middle attack, and how can you prevent yourself from falling prey to one?
What Is a Man-in-the-Middle Attack?
Man-in-the-middle (MITM) attacks were around before computers. This type of attack involves an attacker inserting themselves in between two parties communicating with each other. Man-in-the-middle attacks are essentially eavesdropping attacks.
To better understand how a man-in-the-middle attack works, consider the following two examples.
Offline Man-in-the-Middle Attack
An offline MITM attack sounds basic but is still used worldwide.
For example, someone intercepts your post, reads it, repackages it, and then sends it to you or your original recipient. Then, the same happens in reverse when the person responds to you, with the man-in-the-middle intercepting and reading your mail in each direction.
Properly performed, you won’t know there is a MITM attack taking place as the interception and data theft are invisible to you.
Taking over a communication channel between two participants is at the core of a man-in-the-middle attack.
It also opens up other avenues of deception for the attacker. If the attacker controls the means of communication, they could modify the messages in transit. In our example, someone is intercepting and reading the mail. The same person could modify your message’s content to ask something specific or make a request as part of their attack.
As the MITM controls your communication, they can then remove any later references to the question or the request, leaving you none the wiser.
Online Man-in-the-Middle Attack
An online man-in-the-middle attack works much in the same way, albeit with computers or other digital hardware in place of the old snail mail.
One MITM attack variant revolves around you connecting to the free public Wi-Fi in a café. Once connected, you attempt to connect to your bank’s website.
For the sake of our example, you then encounter a certificate error informing you that the bank’s website doesn’t have the appropriate encryption certificate. This alerts you to the fact something is wrong with the configuration of the bank website and that a MITM attack is underway.
However, many people simply click through this error message and access the banking website regardless. You sign into the banking portal, send some money, pay some bills, and everything seems fine.
In reality, an attacker may have set up a fake server and website that mimics your bank. When you connect to the fake bank server, it fetches the bank’s web page, modifies it a bit, and presents it to you. You input your login details as normal, and these details are sent to the man-in-the-middle server.
The MITM server still logs you into the bank and presents the page as normal. But the attacker’s man-in-the-middle server has captured your login credentials, ready for exploitation.
In this scenario, the early warning message was the encryption certificate error advising that the website configuration isn’t correct. The man-in-the-middle server doesn’t have the same security certificate as your bank—although it may have a security certificate from elsewhere.
Types of Man-in-the-Middle Attacks
There are several different types of MITM attack:
- Wi-Fi Spoofing: An attacker can create a fake Wi-Fi access point with the same name as a local free Wi-Fi option. For example, in a café, the attacker might mimic the Wi-Fi name or create a fake option named “Guest Wi-Fi” or similar. Once you connect to the rogue access point, the attacker can monitor your online activity.
- HTTPS Spoofing: The attacker tricks your browser into believing you’re using a trusted website, redirecting your traffic to an insecure website instead. When you enter your credentials, the attacker steals them.
- SSL Hijacking: When you attempt to connect to an insecure HTTP site, your browser can redirect you to the secure HTTPS option. However, attackers can hijack the redirect procedure, placing a link to their server in the middle, stealing your data and any credentials you enter.
- DNS Spoofing: The Domain Name System helps you navigate the internet, turning the URLs in your address bar from human-readable text to computer-readable IP addresses. A DNS spoof, then, forces your browser to visit a specific address under the control of an attacker.
- Email Hijacking: If an attacker gains access to the mailbox, or even an email server, of a trusted institution (such as a bank), they could intercept customer emails containing sensitive information or even begin sending email as the institution itself.
These aren’t the only MITM attacks. There are numerous variants that combine different aspects of these attacks.
Does HTTPS Stop Man-in-the-Middle Attacks?
The above scenario takes place on a banking website that uses HTTPS, the secure version of HTTP. As such, the user encounters a screen advising that the encryption certificate is incorrect. Almost every website now uses HTTPS, which you can see represented as a padlock icon in the address bar, alongside the URL.
For a long time, only sites serving sensitive information were advised to use HTTPS. The norm has now switched, especially since Google announced that it would use HTTPS as an SEO ranking signal. In 2014, when the switch was first announced, between 1-2 percent of the top one million sites globally used HTTPS. By 2018, that number had ballooned, with over 50-percent of the top one million implementing HTTPS.
Using a standard HTTP connection on an unencrypted website, you wouldn’t receive the warning from our example. The man-in-the-middle attack would take place without any warning.
So, does HTTPS protect against MITM attacks?
MITM and SSLStrip
Yes, HTTPS protects against man-in-the-middle attacks. But there are ways attackers can defeat HTTPS, removing the additional security afforded to your connection via encryption.
SSLStrip is a man-in-the-middle attack that forces the browser to remain in HTTP mode rather than begin using HTTPS where available. Rather than using HTTPS, SSLStrip “strips” the security, leaving you with plain old HTTP.
You might not even notice that anything is wrong. In the days before Google Chrome and other browsers implemented the big red cross in your address bar to notify you that you’re using an insecure connection, SSLStrip claimed many victims. The introduction of the giant HTTPS padlock certainly makes it easier to spot whether or not you’re using HTTPS.
Another security upgrade also dented SSLStrip’s efficacy: HTTP Strict Transport Security.
HTTP Strict Transport Security (HSTS) was developed to protect against man-in-the-middle attacks, especially protocol downgrade attacks like SSLStrip. HSTS is a special function that allows a web server to force all users to only interact with it using HTTPS.
That’s not to say it works all of the time, as HSTS only configures with the user after their first visit. As such, there is a very small window where an attacker could theoretically use a MITM attack like SSLStrip before HSTS is in place.
That’s not all. The slight demise of SSLStrip gave way to other modern tools that combine many MITM attack types into a single package.
MITM Malware
Users must also contend with malware variants that use MITM attacks or come with man-in-the-middle modules. For example, some malware types that target Android users, such as SpyEye and ZeuS, allow an attacker to eavesdrop on incoming and outgoing smartphone communication.
Once installed on an Android device, an attacker can use the malware to intercept all manner of communications. Of particular interest are two-factor authentication codes. An attacker can request the two-factor authentication code on a secure website, then intercept it before the user can react or even understand what is going on.
As you might expect, desktops aren’t clear of threat, either. There are numerous malware types and exploit kits designed for man-in-the-middle attacks. And that’s without mentioning that time Lenovo installed SSLStrip-enabled malware on their laptops before shipping.
How to Protect Against a Man-in-the-Middle Attack?
A man-in-the-middle attack is tough to defend against. An attacker has so many options, which means protecting against a MITM attack is multipronged.
- Use HTTPS: Make sure every website you visit uses HTTPS. We’ve talked about SSLStrip and MITM malware, but ensuring HTTPS is in place is still one of the best defense options. For an extra protection layer, consider downloading and installing the Electronic Frontier Foundation’s HTTPS Everywhere browser extension, one of the best privacy extensions for Google Chrome.
- Don’t Ignore Warnings: If your browser informs you that there is something wrong with the website you’re visiting, trust it. A security certificate warning could be the difference between gifting your credentials to an attacker and remaining secure.
- Don’t Use Public Wi-Fi: If you can help it, don’t use public Wi-Fi. Sometimes, the use of public Wi-Fi just cannot be avoided. If you must use a public Wi-Fi connection, you should download and install a VPN to add some security to your connection. Furthermore, keep an eye out for browser security warnings while using a public Wi-Fi connection. If the number of browser warnings suddenly ramps up, it could indicate a MITM attack or vulnerability.
- Run and Update Antivirus Software: Make sure your antivirus software is up to date. Furthermore, consider an additional security tool, like Malwarebytes. Before you ask, yes, Malwarebytes Premium is worth the money.
Man-in-the-middle attacks depending on compromising your communications. If you know what to expect and know what to look for, you stand a far greater chance of avoiding MITM attacks. In turn, your data will remain secure and firmly in your grasp.
Image Credit: Andy Rennie on Flickr