A man-in-the-middle attack (MITM) happens when an attacker modifies a connection so that it goes through their computer. By intercepting traffic, they can steal sensitive information and change data on the fly.
For example, imagine that someone takes over your connection when you log into your online bank account or buy something online. They will not only learn your login credentials or credit card number but may also change the account number when you initiate a transfer of funds. An attacker may also use this technique to steal your personal information for identity theft and scams or steal your session cookies to be able to impersonate your login later.
Most types of man-in-the-middle attacks are aimed at websites or web applications. However, this technique can be used for other types of communication as well. There have been cases of MiTM email hijacking, for example.
MITM vs. sniffing
Due to the nature of internet protocols, a lot of information that you send to the internet is publicly accessible. When you connect to a local area network, every other computer in your local network segment can see your data packets. Attackers can use sniffers to read that data. All they need to do is to find a way to connect to your network segment. They can also listen to your communication if they access any computers between your client and the server (including your client and the server).
MiTM attacks are similar to sniffing but more complicated. In a MiTM attack, the attacker fools you or your computer into connecting to their computer. They make you or your computer believe that they are the server. Then, they connect to the server pretending to be you and relay all the information both ways. This is much more dangerous than just sniffing because the information can be modified.
More and more internet connections are encrypted which makes both sniffing and MiTM more difficult but not impossible. Attackers may use various techniques to fool users or exploit weaknesses in cryptographic protocols. A secure connection is not enough to completely avoid MiTM attacks.
Where is the man-in-the-middle?
You risk a MiTM attack the most when you connect to any public networks. This means any public WiFi connections, WiFi hotspots, free WiFi at cafes, or any other networks with no access restrictions. It is easiest for the attacker to become a man-in-the-middle on local area networks and WiFi networks because a lot of MiTM attack techniques work best at this level.
The second most common entry point for MiTM attacks is your own computer. If you are not careful, you may install malware that is able to monitor and modify your internet connections (for example, man-in-the-browser). Attackers may also use phishing techniques to hijack your connections by luring you to visit sites that act as the man-in-the-middle.
The third potential risk is your home router. Very often, the home router is supplied by your internet service provider. Often, default security is not enough, for example, most routers supplied by ISPs use default admin credentials (such as admin/password). Their firmware is often outdated, too. If a certain router model is found to be faulty, this may become a chance for a MiTM attack.
When you are connected to a private home or work network, when you update your router software regularly, and when you are careful what you install on your computer, you can feel safe. In such cases, the risk of becoming a victim of a MiTM attack is very low.
How do MiTM attacks work?
A man-in-the-middle attack can be divided into three stages. The first stage is obtaining access to a location from which the attacker can strike. The second stage is actually becoming a man in the middle. The third (if necessary) is overcoming encryption.
Here are the most common locations and how attackers get access to them:
- Your computer: Attackers gain access directly to your computer through malware. Such malware may be distributed via phishing or using other attack techniques, for example, due to vulnerabilities in your operating system.
- The web server: Attackers gain access to the web server using other techniques. For example, SQL injection attacks that are escalated to give full server control.
- Your router and your local area network: Attackers access your router due to insufficient default security, outdated firmware, or the use of insecure wireless protocols (such as WEP). If you are on an open network, so is the attacker.
Once the attacker is on your computer, your server, or your network, they must become the man in the middle. For this, they must fool your computer using one of several spoofing attack techniques:
- ARP spoofing: This technique is for a local area network. An attacker sends false ARP packets pretending to be the gateway (ARP is used for binding physical MAC addresses with IP addresses). Your computer connects to the attacker’s computer thinking that it is the gateway to the internet.
- IP spoofing: This technique is for a local area network. The attacker can intercept an ongoing TCP/IP connection with the gateway by injecting TCP packets that have well-predicted sequence numbers.
- DNS spoofing: This technique can even be used outside of your network, as long as you connect to a vulnerable DNS cache (DNS resolver). The attacker injects false information into the DNS resolver and your computer connects to the server controlled by the attacker.
- Web browser bar spoofing: This technique is completely independent of the location. The attacker registers a domain name that looks very much like the domain that you want to connect to. Then, they deliver the false URL to you using other techniques such as phishing.
If the connection that the attacker intercepts is not encrypted, nothing else is needed for the MiTM attack. If it is an SSL/TLS connection, additional methods are needed to compromise it:
- SSL hijacking: This technique requires control of your computer. First, the attacker adds a trusted CA to your computer. Then, when you attempt to connect to a secure site, the MiTM agent serves you a false website signed using this CA. Because the CA is added to your computer, there is no alarm.
- SSL stripping: When you try to connect to a secure site, the MiTM agent makes your computer believe that an HTTPS connection is not available and that HTTP must be used. If you are not careful, you might not notice that the connection is not encrypted because no alarms are raised.
- Attacks on old SSL ciphers: If the website that you connect to is using a vulnerable cipher, an attack such as BEAST or CRIME may be used to decrypt the connection.
How to avoid MiTM attacks
The key to avoiding man-in-the-middle attacks is the same as with most other attacks: be careful and keep your systems updated. Here are some tips and tricks:
- Be wary of links that you click to avoid phishing attempts that lead to MiTM attacks.
- Keep your operating system and your browser always up to date. This way, the attackers will not be able to use exploits to install malware on your computer.
- Use a secure WiFi protocol on your router (WPA2, WPA3 if available), use a secure WiFi key, change default login credentials for your router and update your router firmware. This way, attackers won’t be able to compromise your local area network.
- Limit your sensitive activity on public networks or use a VPN connection on public networks. A VPN will add an extra layer of security.
- Make sure that the DNS servers (DNS caches) that you use are secure. Check the configuration on your router (DNS cache addresses are usually provided via DHCP). If in doubt, use Google public DNS caches: 18.104.22.168 and 22.214.171.124.
- If you have a website or web application, regularly scan it for vulnerabilities and resolve issues. Other vulnerabilities may lead to a potential MiTM attack on your users.
If you have a website or web application, enable HSTS (HTTP Strict Transport Security). If you do, your site will enforce HTTPS connections. This will protect your users against SSL stripping.