A man in the middle attack is a security attack in which an attacker inserts himself, undetected, into a communication between two parties and redirects the data so that it passes through a node he controls. It is a type of session hijacking. Let's dig into what a man in the middle attack is, as well as into how to prevent and detect this kind of attack.
Man in the middle attack or MiTM attack
The man in the middle attack, abbreviated "MiTM attack", consists of an attacker placing himself between two communicating parties while they believe they are communicating with each other directly and securely. The attacker redirects the data so that it passes through a node he controls, in order to monitor, relay and even change its content. The goal is usually to steal personal data, such as login credentials or credit card information.
The MiTM attack is also known under many other names, such as:
- Machine-in-the-middle attack.
- Manipulator-in-the-middle attack.
- Meddler-in-the-middle attack.
This kind of attack exists for many communication protocols. The man-in-the-middle attack is the most common cyberattack on the network layer of the OSI model.
Phases of a MiTM attack
The execution of a man in the middle attack is usually divided into two phases: interception and decryption.
Interception phase
Attackers use different methods to intercept data, such as:
- Wi-Fi eavesdropping. The attacker sets up a Wi-Fi hotspot that is open to the public, has no password and carries a name matching its location. Once a user connects to the hotspot, the attacker gains visibility into that user's data traffic.
- IP spoofing. The attacker alters IP packet headers in order to impersonate another system or application. When a user attempts to connect to that system or application, the user is redirected to the attacker's site instead.
- ARP spoofing. The attacker links his own MAC address to the target's IP address by sending fake Address Resolution Protocol (ARP) messages, so that data meant for the target is redirected to him.
- DNS spoofing. The attacker uses modified DNS records to send traffic to a fraudulent site that resembles the real one. It is also known as DNS cache poisoning.
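A defender-side illustration of the ARP spoofing case above, added here as an example and not part of the original article: it scans a constructed log of ARP replies (the line format is an assumption, loosely modelled on a packet sniffer's output) and flags the two classic symptoms, an IP address answered by more than one MAC and a single MAC answering for several IPs.

```python
import re
from collections import defaultdict

# Constructed sample of ARP replies (not real traffic). Assumed line format:
# "<time> reply <ip> is-at <mac>". At 10:00:09 a second MAC starts answering
# for the gateway (192.168.1.1) and for a host (192.168.1.10).
SAMPLE_ARP_LOG = """\
10:00:01 reply 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 reply 192.168.1.10 is-at 00:11:22:33:44:0a
10:00:03 reply 192.168.1.1 is-at 00:11:22:33:44:01
10:00:09 reply 192.168.1.1 is-at de:ad:be:ef:00:01
10:00:10 reply 192.168.1.10 is-at de:ad:be:ef:00:01
10:00:11 reply 192.168.1.20 is-at 00:11:22:33:44:14
"""

ARP_RE = re.compile(r"reply (\S+) is-at ([0-9a-f:]{17})", re.IGNORECASE)


def parse_arp_replies(log):
    """Yield (ip, mac) pairs from every line that looks like an ARP reply."""
    for line in log.splitlines():
        m = ARP_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def find_ip_conflicts(log):
    """Return {ip: sorted MACs} for every IP claimed by more than one MAC.
    A gateway IP suddenly answered by a second MAC is the textbook symptom."""
    seen = defaultdict(set)
    for ip, mac in parse_arp_replies(log):
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def find_mac_claiming_many(log, threshold=2):
    """Return {mac: sorted IPs} for MACs answering for `threshold` or more IPs.
    One MAC claiming both the gateway and a host suggests a node relaying both sides."""
    claims = defaultdict(set)
    for ip, mac in parse_arp_replies(log):
        claims[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) >= threshold}


if __name__ == "__main__":
    print("IPs with conflicting MACs:", find_ip_conflicts(SAMPLE_ARP_LOG))
    print("MACs claiming several IPs:", find_mac_claiming_many(SAMPLE_ARP_LOG))
```

On a real network, legitimate causes such as a replaced gateway or a failover pair can trigger the first check, so an alert should be correlated with change records before being treated as an attack.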
Decryption phase
After the interception phase, attackers use different methods to decrypt SSL traffic without being noticed:
- HTTPS spoofing. The attacker sends a fake certificate to the user's browser after the initial connection request to the secure site is made. Once the browser accepts the associated digital thumbprint, the attacker can access the data before it is passed to the application.
- SSL hijacking. The attacker passes counterfeit authentication keys to both the server and the client during a TCP handshake, gaining control of the session.
- SSL stripping. The attacker intercepts the TLS authentication and downgrades an HTTPS connection to HTTP, so that the user ends up on an unencrypted version of the application or site.
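The usual server-side defence against the SSL stripping case above is HTTP Strict Transport Security (HSTS), which tells a browser that has already seen the site over HTTPS to refuse plain HTTP afterwards. The checker below is an added example, not code from the original article; the header values it evaluates are constructed, and the one-year minimum is an assumption taken from common deployment guidance.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives.
    Returns e.g. {"max-age": 31536000, "includesubdomains": True}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        directives[name] = int(val) if name == "max-age" and val.isdigit() else (val or True)
    return directives


def hsts_findings(headers, min_age=31536000):
    """Return a list of weaknesses for a dict of HTTP response headers (names case-insensitive).
    An empty list means a returning browser will refuse a downgrade to plain HTTP.
    Note: HSTS only protects after the first HTTPS visit unless the site is preloaded."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header: browser will accept a plain-HTTP downgrade"]
    d = parse_hsts(value)
    findings = []
    age = d.get("max-age")
    if not isinstance(age, int):
        findings.append("max-age missing or not numeric: header is ignored by browsers")
    elif age == 0:
        findings.append("max-age=0 clears the policy instead of enforcing it")
    elif age < min_age:
        findings.append(f"max-age={age} is below the recommended {min_age} seconds (one year)")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains stay downgradable")
    return findings


# Constructed header sets (sample values, not taken from any real site).
WEAK_HEADERS = {"Content-Type": "text/html"}                       # no policy at all
PARTIAL_HEADERS = {"Strict-Transport-Security": "max-age=300"}     # expires in five minutes
STRONG_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("partial", PARTIAL_HEADERS), ("strong", STRONG_HEADERS)):
        print(label, hsts_findings(hdrs) or "ok")
```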
How to prevent a man in the middle attack
In order to prevent man in the middle attacks from happening, it is essential to make sure proper certificates and encryption are in place. In addition, enforcing restrictive corporate and user policies is as important as educating users to use networks safely and to recognize the signs of a potential attack.
Prevention measures on the user side include, among others:
- Using additional security methods whenever available, such as multi-factor authentication through one-time passwords.
- Keeping passwords up to date and unique to each application, and never reusing old passwords.
- Logging out of secure applications when they are not in use.
- Paying attention to browser notifications alerting of unsecure websites.
- Avoiding unprotected, public Wi-Fi connections, especially when dealing with sensitive data.
- When in doubt about the security of a connection, routing traffic through a trusted or corporate VPN, so that communications are encrypted.
Mutual authentication
Mutual authentication plays an important role in preventing MiTM attacks. For instance, cryptographic protocols such as TLS enable the authentication of both parties using a public key infrastructure. The server and the client exchange certificates issued and verified by a trusted certificate authority to validate each other. If the identity of one of the parties cannot be verified or validated, the session ends.
As a best practice, applications should secure all pages with an up-to-date SSL/TLS certificate from a reliable authority, not only the pages that require the user to log in.
How to detect a man in the middle attack
Tamper detection can be used to identify whether a communication has been altered. For instance, cryptographic hash functions and digital signatures can be used as an additional layer of protection against tampering. In addition, examining changes in latency and response times can also help detect attacks in certain cases.
Furthermore, the use of advanced antivirus software on users' devices can also help detect and prevent some types of MiTM attack.
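The tamper detection point above carries a caveat worth seeing in code: a plain hash appended to a message does not stop a node that relays the traffic, because it can simply recompute the hash for the altered content, whereas a keyed MAC (HMAC, used here as a stand-in for the signatures the text mentions) cannot be recomputed without the key. This is an added example, not code from the original article; the message, key and the `interceptor_rewrites` model are constructed.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment provisions it out of band, never over the same channel.
SHARED_KEY = b"demo-key-provisioned-out-of-band"


def naive_protect(message: bytes) -> tuple[bytes, str]:
    """Append a plain SHA-256 digest. Anyone who can edit the message can recompute it."""
    return message, hashlib.sha256(message).hexdigest()


def naive_check(message: bytes, digest: str) -> bool:
    return hashlib.sha256(message).hexdigest() == digest


def hmac_protect(message: bytes, key: bytes = SHARED_KEY) -> tuple[bytes, str]:
    """Append an HMAC-SHA256 tag. Recomputing it requires the key the relaying node lacks."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def hmac_check(message: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison time independent of where the tags differ.
    return hmac.compare_digest(expected, tag)


def interceptor_rewrites(message: bytes, has_key: bool) -> tuple[bytes, str]:
    """Model of a relaying node that edits the payee and then repairs the checksum.
    Without the key it can only produce a plain hash, not a valid HMAC tag."""
    altered = message.replace(b"payee=alice", b"payee=mallory")
    return hmac_protect(altered) if has_key else naive_protect(altered)


def run_scenario() -> dict:
    """Return whether each scheme notices the in-transit edit."""
    original = b"transfer: amount=100 payee=alice"
    # Plain hash: the edited message still verifies, so the tampering goes unnoticed.
    msg, _ = naive_protect(original)
    tampered, new_digest = interceptor_rewrites(msg, has_key=False)
    plain_hash_detects = not naive_check(tampered, new_digest)
    # HMAC: the relaying node cannot produce a valid tag for the altered message.
    msg, _ = hmac_protect(original)
    tampered, new_tag = interceptor_rewrites(msg, has_key=False)
    hmac_detects = not hmac_check(tampered, new_tag)
    return {"plain_hash_detects": plain_hash_detects, "hmac_detects": hmac_detects}


if __name__ == "__main__":
    print(run_scenario())
```

The `has_key=True` path shows the flip side: if the shared key leaks to the relaying node, the HMAC verifies on the altered message as well, which is why key management matters as much as the algorithm.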