A man-in-the-middle attack (MITM attack), sometimes known as a person-in-the-middle attack, is a cyber attack where an attacker relays and possibly alters communication between two parties who believe they are communicating directly. This allows the attacker to intercept communication, listen in, and even modify what each party is saying.
Man-in-the-middle attacks enable eavesdropping on communication between people, between clients and servers (such as a browser's connection to a website), between machines talking to web services, over Wi-Fi network connections, and more.
Man-in-the-Middle Attack Example
Imagine logging in to a web site to download a statement. An attacker wishes to intercept the conversation with the intention of pretending to be you at a later time.
You first type the URL of the web site into your browser, and your browser uses DNS to look up the IP address of the web site. An attacker sends back a false DNS result containing the IP address of a machine they control. You're not sure how the attacker managed this. Perhaps they were on the same network as your machine, or maybe they physically tapped the Ethernet cable connecting you to your internet service provider.
At this point, the attack begins. Everything your browser sends goes to the attacker's machine, which relays it on to the real server, and every response from the real server is relayed back to you. Imitating a website over HTTPS is difficult without its certificate in hand, so the attacker may instead send back a redirect to a website they own, which has a certificate of its own, or serve the original domain name over insecure HTTP from the false IP address.
The attacker captures your username and password so they can log in later as you and perform unauthorized transactions from your account. If the site is protected by multi-factor authentication, the attacker can instead capture your session token. Holding your session token, they would block your logout request so the session stays valid after you close your browser.
This example highlights how digital communications can be intercepted. Protocols like HTTPS and DNSSEC mitigate the risk of a MITM attack: they alert the user when something is wrong and refuse the connection if it cannot be verified.
Are Man-in-the-Middle Attacks Dangerous?
Man-in-the-middle attacks are dangerous and generally have two goals:
- Gain access to sensitive data and personal information.
- Manipulate the contents of a transmitted message.
In practice, this means gaining access to:
- Personally identifiable information (PII) and other sensitive information for identity theft
- Login credentials on a public Wi-Fi network to gain unauthorized access to accounts
- Credit card numbers on an ecommerce site
- Traffic on public Wi-Fi hotspots that can be redirected from legitimate websites to sites hosting malware
Common targets for MITM attacks are websites and email. Email is not encrypted by default, so an attacker who obtains the sender's login credentials can intercept and spoof that sender's messages.
What is the Difference Between a Man-in-the-Middle Attack and Sniffing?
Due to the nature of Internet protocols, much of the information sent over the Internet is readable by anyone along its path. When you connect to a local area network (LAN), every other computer on it can see your data packets.
When an attacker is on the same network as you, they can use a sniffer to read that data and listen in on your communication. More generally, they can do this from any computer along the path between your client and the server, including the client and the server themselves.
In a man-in-the-middle attack, the attacker fools you or your computer into connecting to their machine, which presents itself as the destination you wanted. They then connect to your real destination and pretend to be you, relaying information both ways and modifying it if they wish. This is a much bigger cybersecurity risk because the information can be modified, not just read.
As cybersecurity trends towards encryption by default, sniffing and man-in-the-middle attacks become more difficult but not impossible. Attackers can use various techniques to fool users or exploit weaknesses in cryptographic protocols to become a man-in-the-middle.
Where Do Man-in-the-Middle Attacks Happen?
There are many types of man-in-the-middle attack, but in general they happen in one of four places:
- Public networks: You are at the most risk when you connect to any public network: public Wi-Fi at airports or cafes, or any other network with no access restrictions. This is where it is easiest for an attacker to become a man-in-the-middle, because many of the techniques below work best on local area networks and Wi-Fi networks.
- On your computer: You could install malware that monitors and modifies your Internet connection (a man-in-the-browser), or fall for a phishing attack that hijacks your connection by luring you to sites that act as the man-in-the-middle.
- Router: Routers are often supplied by your Internet service provider and have default security settings, which means many routers have default login credentials (such as admin/password) or outdated firmware that could have a known vulnerability.
- Web server: The attacker gains access to the genuine web server you intended to communicate with.
How Do Man-in-the-Middle Attacks Work?
A man-in-the-middle attack can be divided into three stages:
- Stage one: Obtain access to a location to perform the attack.
- Stage two: Become the man-in-the-middle.
- Stage three: Overcome encryption if necessary.
Once the attacker is able to get between you and your desired destination, they become the man-in-the-middle. For this to be successful, they will try to fool your computer with one or several different spoofing attack techniques.
What is ARP Spoofing (ARP Cache Poisoning)?
ARP (Address Resolution Protocol) translates between the physical address of a device on the local area network (its MAC, or media access control, address) and the IP address assigned to it. An attacker using ARP spoofing injects false ARP information into the local area network to redirect connections to their own device.
Imagine your router's IP address is 18.104.22.168. To connect to the Internet, your laptop sends IP (Internet Protocol) packets to 18.104.22.168. To do this, your machine must know which physical device has this address. For this example, the router has a MAC address of 00:0a:95:9d:68:16.
Here's how ARP spoofing happens:
- The attacker injects false ARP packets into your network.
- The ARP packets say the address 18.104.22.168 belongs to the attacker's device with MAC address 11:0a:91:9d:96:10 and not to your router.
- Your laptop's ARP cache stores the false information, associating the IP 18.104.22.168 with MAC 11:0a:91:9d:96:10.
- Your laptop now tries to connect to the Internet but connects to the attacker's machine rather than your router.
- The attacker's machine then connects to your router and connects you to the Internet, letting the attacker listen in on and modify your connection.
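The following Python script is an added example, not part of the original article, showing how a defender can spot both symptoms of the poisoning described above in a stream of observed ARP replies: an IP address whose MAC changes (especially a pinned gateway) and one MAC answering for several IP addresses. The router and attacker addresses come from the article's examples; the list of ARP replies is constructed sample data.

```python
# Added example, not from the original article: a small ARP-table monitor that
# flags the two classic symptoms of ARP cache poisoning. The router and attacker
# addresses are the ones used in the article's examples; the list of observed
# ARP replies is constructed sample data.
from collections import defaultdict

ROUTER_IP = "18.104.22.168"         # the router's IP address in the article's example
ROUTER_MAC = "00:0a:95:9d:68:16"    # the router's real MAC address
ATTACKER_IP = "184.108.40.206"      # attacker's own address (from the IP spoofing example)
ATTACKER_MAC = "11:0a:91:9d:96:10"  # attacker's MAC address (from the ARP example)


def detect_arp_spoofing(arp_replies, static_bindings=None):
    """Return a list of alert strings for suspicious ARP replies.

    arp_replies: iterable of (sender_ip, sender_mac) pairs in the order they
        were seen on the wire.
    static_bindings: optional dict of IP -> MAC for addresses whose binding
        must never change (typically the default gateway). Pinning the gateway
        this way is the usual host-side mitigation when the switch does not
        offer Dynamic ARP Inspection.
    """
    pinned = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    macs_for_ip = defaultdict(set)   # IP -> every MAC that has claimed it
    ips_for_mac = defaultdict(set)   # MAC -> every IP it has claimed
    alerts = []
    for ip, mac in arp_replies:
        mac = mac.lower()
        # Symptom 1: an IP we already know now claims a different MAC.
        if ip in pinned and pinned[ip] != mac:
            alerts.append(f"pinned binding violated: {ip} is {pinned[ip]}, reply says {mac}")
        elif macs_for_ip[ip] and mac not in macs_for_ip[ip]:
            alerts.append(f"IP {ip} changed MAC: {sorted(macs_for_ip[ip])} -> {mac}")
        # Symptom 2: one MAC answering for several IPs, which is what poisoning
        # both the victim and the router at once looks like.
        if ips_for_mac[mac] and ip not in ips_for_mac[mac]:
            alerts.append(f"MAC {mac} now claims {ip} as well as {sorted(ips_for_mac[mac])}")
        macs_for_ip[ip].add(mac)
        ips_for_mac[mac].add(ip)
    return alerts


# Constructed sample capture: two honest replies followed by the poisoned one
# from the article, in which the attacker's MAC claims the router's IP.
SAMPLE_REPLIES = [
    (ROUTER_IP, ROUTER_MAC),
    (ATTACKER_IP, ATTACKER_MAC),
    (ROUTER_IP, ATTACKER_MAC),
]

if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES, {ROUTER_IP: ROUTER_MAC}):
        print("ALERT:", line)
```

Run against the sample capture with the gateway pinned, the third reply raises two alerts (the pinned binding changed and the attacker's MAC is now claiming a second IP); the first two replies alone raise none. In practice the reply stream would come from a packet capture, and the same pinning can be applied on the host itself with a static ARP entry for the gateway.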
What is IP Spoofing (IP Address Spoofing)?
IP spoofing is when a machine pretends to have a different IP address, usually the same address as another machine. On its own, IP spoofing isn't a man-in-the-middle attack but it becomes one when combined with TCP sequence prediction.
Generally, internet connections are established with TCP/IP (Transmission Control Protocol / Internet Protocol):
- When two devices connect to each other on a local area network, they use TCP/IP.
- To establish a session, they perform a three-way handshake.
- During a three-way handshake, they exchange sequence numbers.
- Sequence numbers allow recipients to recognize further packets from the other device by telling them the order they should put received packets together.
In an IP spoofing attack, the attacker first sniffs the connection. On a local network, all IP packets pass through the shared medium and are readable by the devices on it. The attacker learns the sequence numbers, predicts the next one, and sends a packet pretending to be the original sender. If that packet reaches the destination before the genuine one, the attacker can take over the connection.
Imagine an attacker joins your local area network with the goal of IP spoofing:
- The attacker joins your local area network with IP address 184.108.40.206 and runs a sniffer, which lets them see all IP packets on the network.
- The attacker wants to intercept your connection to the router at 18.104.22.168, so they watch the packets between you and the router to predict the next sequence number.
- At the right moment, the attacker sends a packet from their laptop with the router's source address (18.104.22.168) and the correct sequence number, fooling your laptop.
- At the same time, the attacker floods the real router with a denial-of-service (DoS) attack, slowing or disabling it for a moment so that their packets reach you before the router's do.
- Your laptop is now convinced the attacker's laptop is the router, completing the man-in-the-middle attack.
What is DNS Spoofing (DNS Cache Poisoning)?
ARP spoofing and IP spoofing both rely on the attacker being connected to the same local area network as you. With DNS spoofing, the attack can come from anywhere. DNS spoofing is harder to pull off because it relies on a vulnerable DNS cache, but if it succeeds it can affect a large number of people at once.
DNS (Domain Name System) is the system that translates between domain names and IP addresses, for example mapping the name example.com to the address of its server. The system has two primary elements:
- Nameservers (DNS servers): Nameservers are the source of authoritative information and are usually run on two or three servers per domain. For example, the IP address for example.com is stored on a.iana-servers.net and b.iana-servers.net. If every client that wanted to reach example.com had to ask a.iana-servers.net or b.iana-servers.net first, those servers would be overloaded, so local resolvers cache the answers. If a resolver does not have the IP address cached, it contacts the nameservers and saves the answer.
- Resolvers (DNS caches): A temporary database maintained by a computer's operating system that contains records of recent visits and attempted visits to websites and other Internet domains.
Here is an example of DNS spoofing:
- The attacker knows you use 22.214.171.124 as your resolver (DNS cache).
- The attacker also knows that this resolver is vulnerable to poisoning.
- The attacker poisons the resolver, replacing the record for your bank's website with the IP address of their fake site.
- When you type your bank's address into the browser, you see the attacker's site.
- The attacker connects to the original site and completes the attack.
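As an added example (not from the original article), here is the set of checks a caching resolver makes before it trusts an answer, which is why poisoning needs a vulnerable resolver rather than just a forged packet: the reply must come from the server that was asked, carry the random transaction ID and port of the outstanding query, answer the question actually asked, and only records inside the queried zone (the "bailiwick") are cached. The messages are plain Python dicts standing in for DNS packets; the nameserver address is constructed from the RFC 5737 documentation range and the resolver address is the one in the article's example.

```python
# Added example, not from the original article: the checks a caching resolver
# applies before it accepts an answer into its cache, which is what makes a
# resolver hard (rather than impossible) to poison. The "messages" are plain
# Python dicts standing in for DNS packets; the resolver address is the one in
# the article's example and the nameserver address is constructed from the
# RFC 5737 documentation range.
import secrets

RESOLVER_IP = "22.214.171.124"    # the resolver (DNS cache) in the article's example
NAMESERVER_IP = "198.51.100.53"   # constructed address standing in for a.iana-servers.net


def new_query(qname, qtype="A", server=NAMESERVER_IP):
    """Build an outgoing query. Randomising both the 16-bit transaction ID and
    the UDP source port raises the cost of a blind forgery from 2^16 guesses
    to about 2^32, the standard post-2008 (Kaminsky) mitigation."""
    return {
        "id": secrets.randbelow(1 << 16),
        "port": 1024 + secrets.randbelow(64512),
        "server": server,
        "qname": qname.lower().rstrip("."),
        "qtype": qtype,
    }


def in_bailiwick(owner, zone):
    """True if `owner` lies inside `zone` (the zone the queried server serves)."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def validate_response(query, response, zone):
    """Return (records_safe_to_cache, rejection_reasons).

    A reply that fails any identity check is dropped whole. One that passes is
    still filtered record by record: anything outside the server's bailiwick
    (for example an A record for your bank smuggled into the additional
    section) is discarded instead of overwriting a cached entry.
    """
    if response["source"] != query["server"]:
        return [], ["reply came from an address we did not query"]
    if response["id"] != query["id"] or response["dport"] != query["port"]:
        return [], ["transaction ID or destination port mismatch: possible forged reply"]
    if response["question"] != (query["qname"], query["qtype"]):
        return [], ["question section does not match what we asked"]
    cacheable, rejections = [], []
    for rr in response["records"]:
        if in_bailiwick(rr["name"], zone):
            cacheable.append(rr)
        else:
            rejections.append(f"out-of-bailiwick record for {rr['name']} dropped")
    return cacheable, rejections


def sample_exchange():
    """Constructed traffic: one genuine reply carrying a poison attempt in its
    extra records, and one forged reply that guessed the transaction ID wrong."""
    query = new_query("www.example.com")
    genuine = {
        "source": NAMESERVER_IP,
        "id": query["id"],
        "dport": query["port"],
        "question": ("www.example.com", "A"),
        "records": [
            {"name": "www.example.com", "type": "A", "data": "203.0.113.10"},
            {"name": "bank.example", "type": "A", "data": "203.0.113.66"},  # attacker's fake site
        ],
    }
    forged = dict(genuine, id=(query["id"] + 1) & 0xFFFF)
    return query, genuine, forged


if __name__ == "__main__":
    query, genuine, forged = sample_exchange()
    print(validate_response(query, genuine, "example.com"))
    print(validate_response(query, forged, "example.com"))
```

The bailiwick rule is what stops the older "piggyback a record for another domain" poisoning; the random ID and port are what make the blind-forgery version expensive. A resolver that skips either check, or reuses a fixed source port, is the "vulnerable resolver" the example above depends on, and DNSSEC validation adds a cryptographic check on top of all of these.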
What is HTTPS Spoofing (IDN Homograph Attacks or Web Browser Bar Spoofing)?
Web browser spoofing is a form of typosquatting in which an attacker registers a domain name that looks very similar to the domain you want to connect to. They then deliver the false URL to you through other techniques such as phishing.
The Google security team believes the address bar is the most important security indicator in modern browsers. It provides the true identity of a website and lets you verify that you are on the right one.
One example of address bar spoofing was the homograph vulnerability disclosed in 2017. It exploited the Internationalized Domain Name (IDN) feature, which allows domain names to be written in characters from alphabets other than Latin, to trick users with lookalike characters.
For example, xn--80ak6aa92e.com would be shown as аррӏе.com due to IDN, which is virtually indistinguishable from apple.com. Browsers have since patched this by showing such IDN addresses in ASCII form.
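An added example, not from the original article, of the display policy browsers adopted in response: decode the punycode label, and if it is made entirely of characters that imitate Latin letters (or mixes scripts), show the ASCII form instead. The domain is the one from the article; the lookalike table is a small hand-picked subset of Unicode's confusables data, and using character names to tell scripts apart is a simplification of real script detection.

```python
# Added example, not from the original article: a browser-style display policy
# that keeps a confusable IDN label in its ASCII (punycode) form so the
# lookalike is visible. The domain is the one from the article; the
# confusables table is a small hand-picked subset of Unicode's confusables.txt,
# not the full list, and the mixed-script test uses character names as a crude
# stand-in for real script properties.
import unicodedata

# Cyrillic letters that render almost identically to a Latin letter.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}


def decode_label(label):
    """Turn an ACE label (xn--...) into Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def encode_label(label):
    """Inverse of decode_label: Unicode label -> xn-- form."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def skeleton(text):
    """Replace each known lookalike with the Latin letter it imitates."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in text)


def is_confusable(label):
    """Flag a label that (a) collapses to a pure-ASCII skeleton different from
    itself, i.e. every non-ASCII character is a Latin lookalike, or (b) mixes
    letters from more than one script."""
    text = decode_label(label)
    if text.isascii():
        return False
    sk = skeleton(text)
    if sk.isascii() and sk != text:
        return True
    scripts = {unicodedata.name(ch, "?").split()[0] for ch in text if ch.isalpha()}
    return len(scripts) > 1


def safe_display(domain):
    """Return the form of `domain` a browser should show in its address bar."""
    labels = domain.split(".")
    if any(is_confusable(lbl) for lbl in labels):
        # Keep the whole name in ASCII so the user sees xn--..., not a lookalike.
        return ".".join(encode_label(decode_label(lbl)) for lbl in labels)
    return ".".join(decode_label(lbl) for lbl in labels)


if __name__ == "__main__":
    for d in ("xn--80ak6aa92e.com", "apple.com", "\u044f\u043d\u0434\u0435\u043a\u0441.\u0440\u0444"):
        print(d, "->", safe_display(d))
```

A genuinely Cyrillic name such as яндекс.рф still displays in Unicode, because its skeleton is not pure ASCII and it uses a single script, while аррӏе.com falls back to xn--80ak6aa92e.com. The same skeleton check is useful on the defender's side for spotting lookalike registrations of your own domain.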
What is Email Hijacking?
Email hijacking is when an attacker compromises an email account and silently gathers information by eavesdropping on its conversations. Email hijacking makes social engineering attacks very effective because the attacker can impersonate the account's owner. This approach is often used for spear phishing.
What is a Man-in-the-Browser Attack?
A man-in-the-browser is malware on your computer that monitors and modifies what your browser sends and receives. The goal is often to capture login credentials, especially for financial services such as your bank or credit card company. When you log in to the site, the man-in-the-browser captures your credentials, uses them to transfer funds, and modifies what you see to hide the transaction.
What is Wi-Fi Eavesdropping?
If you've ever logged into a public Wi-Fi access point at a coffee shop or airport, you may have noticed a pop-up saying "This network is not secure".
Unencrypted Wi-Fi connections are easy to eavesdrop on. It's like having a conversation in a public place where anyone can listen in. You can limit your exposure by marking the network as public on your device, which disables Network Discovery and prevents other users on the network from accessing your device.
Another example of Wi-Fi eavesdropping is when an attacker creates their own Wi-Fi hotspot, called an Evil Twin. They make the connection look identical to the authentic one, down to the network ID and password. Users may accidentally or automatically connect to the Evil Twin, allowing the attacker to eavesdrop on their activity.
What is SSL Hijacking?
SSL hijacking is when an attacker intercepts your connection and generates SSL/TLS certificates for every domain you visit. They present the fake certificate to you, establish their own connection with the original server, and relay the traffic between the two.
This attack only works if the attacker is able to make your browser believe the certificate is signed by a trusted Certificate Authority (CA). Otherwise your browser will display a warning or refuse to open the page.
Here's how SSL hijacking works:
- The attacker uses a separate cyber attack to get you to download and install their CA certificate.
- When you visit a secure site, like your bank, the attacker intercepts your connection.
- The attacker generates a certificate for your bank, signs it with their CA, and serves the site back to you.
- Your browser thinks the certificate is real because the attacker has tricked your computer into trusting the CA.
- The attacker establishes a connection with your bank and relays all SSL traffic through their own machine.
SSL hijacking can also be used for legitimate purposes. For example, parental control software often uses it to block sites.
What is SSL Stripping?
SSL Stripping or an SSL Downgrade Attack is an attack used to circumvent the security enforced by SSL certificates on HTTPS-enabled websites.
When you go to a website, your browser typically connects to the insecure site (HTTP) first and is then redirected to the secure site (HTTPS). If the website is also available without encryption, an attacker can intercept your packets and keep you on an HTTP connection, which could expose login credentials or other sensitive information to the attacker.
The risk of this type of attack is reduced as more websites use HTTP Strict Transport Security (HSTS), which instructs browsers to use only secure connections to the site, though HSTS has its own setup pitfalls.
Older versions of SSL and TLS are vulnerable to known exploits, but you can strengthen a weak SSL/TLS configuration.
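The following is an added example, not from the original article, of the browser-side half of HSTS: a small policy store that remembers Strict-Transport-Security headers and rewrites http:// URLs to https:// before any request is sent, so an SSL-stripping attacker never sees a plaintext request to intercept. It also covers the edge cases that matter: headers on plain-HTTP responses are ignored, max-age=0 removes a policy, policies expire, and includeSubDomains covers subdomains. Hostnames and header values are constructed sample data; the injectable clock is there for testing.

```python
# Added example, not from the original article: a minimal HSTS store of the kind
# a browser keeps, showing how a remembered policy rewrites http:// to https://
# before any request is sent, so there is no insecure request left for an
# SSL-stripping attacker to intercept. Hostnames and header values are
# constructed sample data; the clock is injectable so expiry can be tested.
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def process_header(self, host, header_value, over_https=True):
        """Record a Strict-Transport-Security header. Following RFC 6797 the
        header is ignored on plain-HTTP responses (otherwise a man-in-the-middle
        could plant policies) and max-age=0 deletes any stored policy.
        Returns True if the store changed."""
        if not over_https:
            return False
        directives = {}
        for part in header_value.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.lower()] = value.strip().strip('"')
        max_age = directives.get("max-age", "")
        if not max_age.isdigit():
            return False
        host = host.lower()
        if int(max_age) == 0:
            return self._policies.pop(host, None) is not None
        self._policies[host] = (self._now() + int(max_age), "includesubdomains" in directives)
        return True

    def is_hsts_host(self, host):
        """True if `host`, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_subdomains = policy
            if expires_at <= self._now():
                del self._policies[candidate]   # expired policies are forgotten
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// when an HSTS policy applies."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_hsts_host(parts.hostname or ""):
            return url
        netloc = parts.netloc
        if parts.port == 80:            # an explicit :80 becomes the default 443
            netloc = netloc.rsplit(":", 1)[0]
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    store.process_header("bank.example", "max-age=31536000; includeSubDomains")
    print(store.upgrade("http://www.bank.example/login"))
```

The remaining gap is the very first visit, before any header has been seen, which is what the browser preload list closes; that is also why the server must send the header on every HTTPS response and with a long max-age, since the protection lapses as soon as the stored policy expires.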
What is a Session Hijacking?
Session hijacking is a type of attack that typically compromises social media accounts. Most social media sites store a session browser cookie on your machine. This cookie is then invalidated when you log out. But while the session is active, the cookie provides identity, access, and tracking information.
Other Methods for Man-in-the-Middle Attacks
There are more methods for attackers to place themselves between you and your end destination. These methods usually fall into one of three categories:
- Server compromise: The attacker gains control of the server you want to connect to and places their own software on it to intercept connections.
- Client compromise: The attacker gains access to your machine and installs a trojan horse or other malware that lets them listen in on all your connections.
- Communication compromise: The attacker takes over a machine that routes information between you and the server.
Man-in-the-Middle Attack Detection and Prevention
There are many types of man-in-the-middle attacks and some are difficult to detect. The best countermeasure against man-in-the-middle attacks is to prevent them. While it is difficult to prevent an attacker from intercepting your connection if they have access to your network, you can ensure that your communication is strongly encrypted.
Here are some general tips you can follow:
- Virtual Private Network (VPN): Set up a VPN to encrypt your web traffic and limit an attacker's ability to read or modify communication.
- Network intrusion detection system (NIDS): A NIDS is placed at strategic points within a network to monitor traffic to and from all devices on it. It analyzes the traffic passing over the subnet and matches it against a library of known attacks. Once an attack or abnormal behavior is identified, it can alert a security professional.
- Firewall: A strong firewall can prevent unauthorized access.
- Antivirus and anti-malware: Install an antivirus and anti-malware software package that includes a scanner that runs on your system boot to prevent man-in-the-middle attacks that rely on malware.
- Two-factor authentication: Use two-factor authentication, which requires an additional factor beyond your password, to prevent email hijacking.
- Understand common phishing scams: Phishing emails are a common attack vector. Only download email attachments when you know they are from a trusted contact.
- Sign out: Sign out of any unused accounts to invalidate session cookies and prevent session hijacking.
- Think about what you install: Only install browser add-ons and software that you know is from a reputable source.
- Force encryption: Avoid sharing any sensitive information on sites without HTTPS.
- Install HTTPS Everywhere: Force SSL connections whenever possible.
- Use a password manager: Avoid auto-filling passwords on nefarious sites.
- Avoid public Wi-Fi networks: If you must use public Wi-Fi, configure your device to require manual connection.
- Patch software and hardware: Keep your tools up to date to avoid man-in-the-middle attacks that exploit known vulnerabilities.
- Use secure DNS servers (DNS cache): Make sure the DNS servers (DNS cache) you use are secure.
- Application security: If you have a website or application, regularly scan for vulnerabilities and resolve issues.
Notable Man-in-the-Middle Attacks
The Babington Plot: In 1586 there was a plan to assassinate Queen Elizabeth I and put Mary, Queen of Scots on the English throne. Communications between Mary, Queen of Scots and her co-conspirators were intercepted, decoded, and modified by Robert Poley, Gilbert Gifford, and Thomas Phelippes, which led to the execution of the Queen of Scots.
Belkin: In 2003, a non-cryptographic attack was perpetrated by a Belkin wireless network router. Periodically, it would take over an HTTP connection being routed through it, fail to pass the traffic on to the destination, and respond as if it were the intended server. In its reply, it would replace the web page the user requested with an advertisement for another Belkin product. This issue was later resolved.
DigiNotar: In 2011, a DigiNotar security breach resulted in fraudulent issuing of certificates that were then used to perform man-in-the-middle-attacks.
Nokia: In 2013, Nokia's Xpress Browser was revealed to be decrypting HTTPS traffic, giving the company cleartext access to its customers' encrypted traffic.
Equifax: In 2017, Equifax withdrew its mobile phone apps due to man-in-the-middle vulnerability concerns.
How UpGuard Helps Prevent Man-in-the-Middle Attacks
UpGuard's platform can help you understand which of your sites are susceptible to man-in-the-middle attacks and how to fix their vulnerabilities. UpGuard BreachSight can help combat typosquatting and prevent data breaches and data leaks, so you can avoid regulatory fines and protect your customers' trust through cyber security ratings and continuous exposure detection.
We can also help you continuously monitor, rate, and send security questionnaires to your vendors to control third-party and fourth-party risk and improve your security posture, as well as automatically create an inventory, enforce policies, and detect unexpected changes to your IT infrastructure, helping you scale your vendor risk management, third-party risk management, and cybersecurity risk assessment processes.