Examining man-in-the-middle attacks

man in the middle 1
Lookout

Caught in the middle

Does the screen above look familiar? It should. Millions of people around the world connect to public Wi-Fi networks on their mobile devices as they travel and try to stay connected. The problem is, not all networks are official. The image above is that of a fake, or spoofed, hotel Wi-Fi network, but you can’t tell just by looking at it.

This attack is called a Man-in-the-Middle attack, as many in the security industry will recognize, and allows a person to intercept another person’s internet connection and gather all of the information being transmitted across that network. This kind of attack has been around for years, impacting PC users, but today the mobile phone is just as susceptible.

David Richardson, director of product at Lookout, walks us through this all-too-common attack.  

man in the middle 2
Lookout

How these attacks happen

It’s a self-fulfilling prophecy – because we do so much work on mobile using public wifi, data in transit is becoming an increasingly prominent risk for enterprises.

Normally, connecting to the internet through untrusted access points or proxies isn’t that severe of a threat because corporate data is generally encrypted. However, certain attack methods have emerged that allow an attacker to view encrypted enterprise data, such as corporate login credentials or confidential emails.

There are two steps for a serious man-in-the-middle attack. First, the attacker must get into the network traffic. Second, the attacker must decrypt the data.

man in the middle 3
Lookout

Getting into the network traffic

There are four common ways an attacker can get into the network traffic:

1.     Fake wi-fi access points or cell towers

2.     ARP spoofing

3.     Hostile proxies / SSL Bump

4.     Malicious VPNs

man in the middle 4

Fake wi-fi access points or cell towers

1.     Attacker sets up hostile access point (for example, fake wi-fi honeypot or cell tower)

2.     Mimics a network the user would trust

3.     When user connects (which may even happen automatically without user intervention), attacker has in-line agency to the traffic

man in the middle 5
Lookout

ARP spoofing

1. Attacker advertises its own MAC address in place of a gateway or the victim’s device

2. Attacker can intercept or modify all traffic

man in the middle 6
Lookout

Hostile proxies/ SSL bump

1. Attacker gets user to install a malicious app, configuration profile, or uses another attack vector

2. Traffic on the device is now routed through the attacker’s infrastructure

man in the middle 7
Lookout

Malicious VPNs

1. A user is coerced to download an app or configuration profile that asks to activate a VPN

2. Traffic on the device is now routed through the attacker’s VPN

man in the middle 8
Giacomo Carena/Flickr

Decrypting data

There are a number of ways to decrypt data in transit. Here are three common ways that we will dive deeper into:

1.     Host certificate hijacking

2.     SSLStrip

3.     TLS protocol downgrade

man in the middle 9
Lookout

Host certificate hijacking

How it works

1. Connection goes through man in the middle

2. Attacker establishes SSL session with intended host

3. Host responds with SSL certificate

4. Fraudulent certificate delivered to end user who may be tricked into proceeding

*If user is tricked into installing a root certificate authority the warning wouldn’t even appear

man in the middle 10
Lookout

SSL Strip

How it works:

1. Connection goes through attacker

2. Attacker rewrites content to not include HTTPS links

3. Communication, such as login credentials, done in plaintext

man in the middle b
Lookout

TLS protocol downgrade

How it works: 1. Attacker manipulates the negotiated connection to downgrade protocol or cipher suites. These older protocols and cipher suites can allow traffic to be decrypted by skilled attackers.

man in the middle 12

Staying safe

When you connect to Wi-Fi, you should be wary of any action it asks you to take in order to access the Internet. A hotel asking for your room number and name is one thing, but if it’s asking you to set up networks and certificates or download anything, that’s when you can get into trouble.

Of note, there are safe ways to surf the Internet while you’re on the go. Use your 4G/LTE networks — they are much safer than public Wi-Fi. If you want to work at a coffee shop with free Wi-Fi, use a VPN to encrypt your traffic.

If all else fails, avoid any transactions over public Wi-Fi that may involve signing into an account, checking email, or paying for something. Your data will thank you for it.