As you learn more about cyber attacks, you’ll sometimes hear about man-in-the-middle attacks. These attacks impact data as it travels between one computer to another computer. Or from one computer to a networking appliance, such as a wireless router. The computers could be PCs, mobile devices, IoT devices, servers, video game consoles, it doesn’t matter. Your computer thinks it’s sending data to an authorized entity.
For example, when my PC sends authentication details for my online banking, I hope it’s only going to my bank’s website. But these communications can be intercepted, and I probably won’t even know about it. My recipient, or my bank, could even be receiving data from my computer as intended! But unbeknownst to me or my bank, there’s someone listening in on us. That, my friends, is what an MITM (man-in-the-middle) attack is. It’s exactly what it sounds like, there’s a “man” in the middle, and he’s a cyber attacker.
The anonymous cyber attackers use the new connection to collect information, such as bank account information (in this scenario) or any private information of yours or your business. Therefore, this type of stealthy attack requires a system in place that can stop the man in the middle attacks from happening.
Cybercriminals are phishing you with real TLS and SSL certificates. Find out how.
All kinds of data is sent between computing devices, especially on the internet. The data-in-transit goes over the air as WiFi radio signals, down coaxial or fiber optic cable, or over Bluetooth. There are hundreds of TCP/IP ports which are the backbone of the vast majority of networks, including but not limited to the internet. Some ports are commonly used and well-known like ports 80 and 443 for the web, or port 25 for sending email. Others are pretty obscure like port 17 for “Quote of the Day” or 10823 for Farming Simulator 2011, a video game.
An MITM attack could affect any TCP/IP port. A MITM attack could be a malicious interception of any sort of network communications, including internal networks. But the majority of man-in-the-middle attacks take place on the internet.
WiFi eavesdropping is a very common type of MITM attack. Here’s one WiFi attack scenario: An attacker sets up a public, unencrypted WiFi access point. You’re sitting at the train station thinking, “I’d love to watch something on YouTube to kill time, but my cell connection here is terrible. Let’s look for some WiFi.” You find an SSID labeled “Toronto Transit Free WiFi.” Wow, how convenient! You connect to it. (Someone who sets up a WiFi broadcast can come up with pretty much any SSID they want.) So, you launch the YouTube app on your phone and all of a sudden you’ve sent your Google credentials to a cyber attacker. Now they can really mess with your digital life.
For example, they could inject malicious code into someone else’s web server. My web browser thinks it’s the legitimate web service asking for my cookie when it’s actually the attacker. That’s referred to as XSS (cross site scripting.) Malware on my PC can also grab my cookies from my hard drive and send them to the attacker. Or the attacker could use session side jacking. In this scenario, the authentication data I send to a web service could be encrypted but then the rest of the communications could be in plaintext. The attacker could use a packet sniffer to acquire my cookies being sent over plaintext or grab data from my packet headers to be used to intercept what I’m doing.
Email hijacking is another kind of MITM attack. Not all email communications are encrypted. But even encrypted email can be intercepted if an attacker acquires the cryptographic keys somehow. Email could be hijacked by malware on an email server. Email can also be hijacked with a packet sniffer, or a phishing email with a hyperlink to a malicious web application that can spy on your email client.
An attacker could be reading the emails I send and receive and just lurk quietly. Then they find an email I sent to one of the companies I work for that has an email attachment which contains my bank account information. Or they see me do an email-based money transfer. An attacker could replace the banking information of my intended money recipient with information about their own bank account. All of a sudden, I’ve just sent $1000 to a cyber attacker.
MITM attacks involve any sort of network communication interception by cyber attackers and they can be done in many, many different ways.
There are lots of different things you can do to prevent becoming a victim of an MITM attack. For your personal life, here are a few tips to protect you from MITM attacks.
While surfing the web, use HTTPS as much as possible instead of HTTP. HTTPS is encrypted, and HTTP isn’t. If an attacker acquires ciphertext data instead of plaintext data, the packets are pretty useless to them unless they can somehow crack or bypass the encryption. There’s a popular plugin for multiple web browsers called HTTPS Everywhere. It would be a good idea to install it. The plugin will insist that websites use HTTPS instead of HTTP to communicate with you. Also, recent versions of Google Chrome have similar functionality built in. HTTPS isn’t only for ecommerce or online banking. HTTPS should also be used for webpages that don’t seem to have any sensitive data. It’s better to be safe than sorry.
Change any and all usernames and passwords on your home or office router every so often. If a cyber attacker somehow acquires something like your WPA2 password, the password will be useless if you change it.
If you ever use public unencrypted WiFi, use a VPN. A VPN will encrypt all of your internet communications to and from your computing device which will provide you with some security over an insecure connection. Some VPN providers even offer easy-to-use apps you can install on your phone, tablet, or laptop for a number of different operating systems.
Sometimes MITM attacks are facilitated by malware. Make sure that all of the computing devices you use have antivirus software, regardless of your type of device or your operating system. Make sure your AV software regularly updates its signatures and scans your data storage frequently. Additionally, be careful when downloading any new programs to your computer, and ensure that programs you download employ code signing.
Beware of phishing emails. Cyber attackers are getting increasingly clever with them, some of them can even fool me. If I get an email that looks like it’s from my bank, or Google, or the PlayStation Network and it contains a link for me to sign in, I won’t click on it. I’ll delete the email and go to their website manually. Phishing emails are a common means for MITM attacks. I’ve never missed anything important by not clicking on sign-in links in emails.
The most important thing for enterprises is to tightly control keys and certificates so that attackers cannot use them to hijack encrypted tunnels.
What to learn more about securely managing your network? Download our TLS Machine Identity Management eBook.
(This post has been updated. It was originally published on July 19, 2019.)