Back to basics

What is a man-in-the-middle attack? How MitM attacks work and how to prevent them

Man-in-the-middle cyberattacks allow attackers to secretly intercept communications or alter them. Detecting MitM attacks is difficult, but they are preventable.

man in the middle phone on a string communicaiton
Thinkstock

A man-in-the-middle (MitM) attack is when an attacker intercepts communications between two parties either to secretly eavesdrop or modify traffic traveling between the two. Attackers might use MitM attacks to steal login credentials or personal information, spy on the victim, or sabotage communications or corrupt data.

“MITM attacks are a tactical means to an end,” says Zeki Turedi, technology strategist, EMEA at CrowdStrike. “The aim could be spying on individuals or groups to redirecting efforts, funds, resources, or attention.”

Though MitM can be protected against with encryption, successful attackers will either reroute traffic to phishing sites designed to look legitimate or simply pass on traffic to its intended destination once harvested or recorded, meaning detection of such attacks is incredibly difficult.

How man-in-the-middle attacks work

MitM attacks are one of the oldest forms of cyber attack. Computer scientists have been looking at ways to prevent threat actors tampering or eavesdropping on communications since the early 1980s.

MitM attacks consist of sitting between the connection of two parties and either observing or manipulating traffic. This could be through interfering with legitimate networks or creating fake networks that the attacker controls. Compromised traffic is then stripped of any encryption in order to steal, change or reroute that traffic to the attacker’s destination of choice (such as a phishing log-in site).  Because attackers may be silently observing or re-encrypting intercepted traffic to its intended source once recorded or edited, it can be a difficult attack to spot.

“MitM attacks are attacks where the attacker is actually sitting between the victim and a legitimate host the victim is trying to connect to,” says Johannes Ullrich, dean of research at SANS Technology Institute. “So, they're either passively listening in on the connection or they're actually intercepting the connection, terminating it and setting up a new connection to the destination.”

MitM encompass a broad range of techniques and potential outcomes, depending on the target and the goal. For example, in SSL stripping, attackers establish an HTTPS connection between themselves and the server, but with an unsecured HTTP connection with the user, which means information is sent in plain text without encryption. Evil Twin attacks mirror legitimate Wi-Fi access points but are entirely controlled by malicious actors, who can now monitor, collect or manipulate all information the user sends.

“These types of attacks can be for espionage or financial gain, or to just be disruptive,” says Turedi. “The damage caused can range from small to huge, depending on the attacker’s goals and ability to cause mischief.”

In a banking scenario, an attacker could see that a user is making a transfer and change the destination account number or amount being sent. Threat actors could use man-in-the-middle attacks to harvest personal information or login credentials. If attackers detect that applications are being downloaded or updated, compromised updates that install malware can be sent instead of legitimate ones. The EvilGrade exploit kit was designed specifically to target poorly secured updates. Given that they often fail to encrypt traffic, mobile devices are particularly susceptible to this scenario.

“These attacks can be easily automated,” says SANS Institute’s Ullrich. “There are tools to automate this that look for passwords and write it into a file whenever they see one or they look to wait for particular requests like for downloads and send malicious traffic back.”

While often these Wi-Fi or physical network attacks require proximity to your victim or targeted network, it is also possible to remotely compromise routing protocols. “That's a more difficult and more sophisticated attack,” explains Ullrich. “Attackers are able to advertise themselves to the internet as being in charge of these IP addresses, and then the internet routes these IP addresses to the attacker and they again can now launch man-in-the-middle attacks.”

“They can also change the DNS settings for a particular domain [known as DNS spoofing],” Ullrich continues. “So, if you're going to particular website, you're actually connecting to the wrong IP address that the attacker provided, and again, the attacker can launch a man-in-the-middle attack.”

While most attacks go through wired networks or Wi-Fi, it is also possible to conduct MitM attacks with fake cellphone towers. Law enforcement agencies across the U.S., Canada and the UK have been found using fake cell phone towers – known as stingrays – to gather information en masse. Stingray devices are also commercially available on the dark web.

Researchers from the Technical University of Berlin, ETH Zurich and SINTEF Digital in Norway recently discovered flaws in the authentication and key agreement (AKA) protocols used in 3G, 4G and due to be used in 5G wireless technology rollouts that could lead to attackers performing MitM attacks. 

How common are man-in-the-middle attacks?

Though not as common as ransomware or phishing attacks, MitM attacks are an ever-present threat for organizations. IBM X-Force’s Threat Intelligence Index 2018 says that 35 percent of exploitation activity involved attackers attempting to conduct MitM attacks, but hard numbers are difficult to come by.

“I would say, based on anecdotal reports, that MitM attacks are not incredibly prevalent,” says Alex Hinchliffe, threat intelligence analyst at Unit 42, Palo Alto Networks. “Much of the same objectives — spying on data/communications, redirecting traffic and so on — can be done using malware installed on the victim’s system. If there are simpler ways to perform attacks, the adversary will often take the easy route.”

A notable recent example was a group of Russian GRU agents who tried to hack into the office of the Organisation for the Prohibition of Chemical Weapons (OPCW) at The Hague using a Wi-Fi spoofing device.

Greater adoption of HTTPS and more in-browser warnings have reduced the potential threat of some MitM attacks. In 2017 the Electronic Frontier Foundation (EFF) reported that over half of all internet traffic is now encrypted, with Google now reporting that over 90 percent of traffic in some countries is now encrypted. Major browsers such as Chrome and Firefox will also warn users if they are at risk from MitM attacks. “With the increased adoption of SSL and the introduction of modern browsers, such as Google Chrome, MitM attacks on Public WiFi hotspots have waned in popularity,” says CrowdStrike’s Turedi.

“Today, what is commonly seen is the utilization of MitM principals in highly sophisticated attacks,” Turedi adds. “One example observed recently on open-source reporting was malware targeting a large financial organization’s SWIFT network, in which a MitM technique was utilized to provide a false account balance in an effort to remain undetected as funds were maliciously being siphoned to the cybercriminal’s account.”

The threat still exists, however. For example, the Retefe banking Trojan will reroute traffic from banking domains through servers controlled by the attacker, decrypting and modifying the request before re-encrypting the data and sending it on to the bank. A recently discovered flaw in the TLS protocol – including the newest 1.3 version – enables attackers to break the RSA key exchange and intercept data.

Man-in-the-middle attack prevention

Though flaws are sometimes discovered, encryption protocols such as TLS are the best way to help protect against MitM attacks. The latest version of TLS became the official standard in August 2018. There are also others such as SSH or newer protocols such as Google’s QUIC.

For end-user education, encourage staff not to use open public Wi-Fi or Wi-Fi offerings at public places where possible, as this is much easier to spoof than cell phone connections, and tell them to heed warnings from browsers that sites or connections may not be legitimate. Use VPNs to help ensure secure connections.

“The best methods include multi-factor authentication, maximizing network control and visibility and segmenting your network,” says Palo Alto’s Hinchliffe.

Prevention is better than trying to remediate after an attack, especially an attack that is so hard to spot. “These attacks are fundamentally sneaky and difficult for most traditional security appliances to initially detect,” says Crowdstrike’s Turedi.

If it becomes commercially viable, quantum cryptography could provide a robust protection against MitM attacks based on the theory that it is impossible to copy quantum data, and it cannot be observed without changing its state and therefore providing a strong indicator if traffic has been interfered with en route.

Is the internet of things the next frontier for MitM attacks?

Analysts predict the number of internet-connected devices could proliferate into the tens of billions of devices over the next five years. Unfortunately, the lack of security in many devices means the growth in IoT could see a jump in MitM attacks. CSO has previously reported on the potential for MitM-style attacks to be executed on IoT devices and either send false information back to the organization or the wrong instructions to the devices themselves.

“IoT devices tend to be more vulnerable to attack because they don't implement a lot of the standard mitigations against MitM attacks,” says Ullrich. “A lot of IoT devices do not yet implement TLS or implemented older versions of it that are not as robust as the latest version.”

A new survey by Ponemon Institute and OpenSky found that 61 percent of security practitioners in the U.S. say they cannot control the proliferation of IoT and IIoT devices within their companies, while 60 percent say they are unable to avoid security exploits and data breaches relating to IoT and IIoT.

“With the mobile applications and IoT devices, there's nobody around and that's a problem; some of these applications, they will ignore these errors and still connect and that defeats the purpose of TLS,” says Ullrich.

FREE Download: Get the Spring 2019 digital issue of CSO magazine today!