A man-in-the-middle attack (MITM attack) is a cyber attack where an attacker relays and possibly alters communication between two parties who believe they are communicating directly. This allows the attacker to relay communication, listen in, and even modify what each party is saying.
Man-in-the-middle attacks enable eavesdropping between people, clients and servers. This can include HTTPS connections to websites, other SSL/TLS connections, Wi-Fi network connections and more.
Man-in-the-middle attack example
Imagine you and a colleague are communicating via a secure messaging platform. An attacker wishes to intercept the conversation to eavesdrop and deliver a false message to your colleague from you.
First, you ask your colleague for her public key. If she sends you her public key, but the attacker is able to intercept it, a man-in-the-middle attack can begin.
The attacker sends you a forged message that appears to originate from your colleague but instead includes the attacker's public key.
You, believing the public key is your colleague's, encrypt your message with the attacker's key and send the enciphered message back to your "colleague".
The attacker again intercepts, deciphers the message using their private key, alters it, and re-enciphers it using the public key intercepted from your colleague who originally tried to send it to you.
When your colleague reviews the enciphered message, she believes it came from you.
- You send a message to your colleague, which is intercepted by an attacker
  - You → Attacker: "Hi there, could you please send me your key."
- Attacker relays the message to your colleague, colleague cannot tell there is a man-in-the-middle
  - Attacker → Colleague: "Hi there, could you please send me your key."
- Colleague responds with her encryption key
  - Colleague → Attacker: [Colleague's key]
- Attacker replaces colleague's key with their own, and relays the message to you, claiming that it's your colleague's key
  - Attacker → You: [Attacker's key]
- You encrypt a message with what you believe is your colleague's key, thinking only your colleague can read it
  - You → Attacker: "The password to our S3 bucket is XYZ" [encrypted with attacker's key]
- Because the message is encrypted with the attacker's key, they decrypt it, read it, modify it, re-encrypt it with your colleague's key and forward the message on
  - Attacker → Colleague: "The password to our S3 bucket is ZYX" [encrypted with Colleague's key]
- Both you and your colleague think the message is secure.
This example highlights the need for a way to ensure parties are truly communicating with each other's public keys rather than the public key of an attacker. It's not enough to have strong information security practices; you also need to control the risk of man-in-the-middle attacks.
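The substitution in the exchange above can only be caught by comparing the received key against something the attacker could not alter. The following added example (not part of the original article) replays the exchange with a toy ElGamal scheme and refuses to encrypt when the received key's SHA-256 fingerprint differs from one obtained over a separate channel; the parameters, function names and sample message are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy ElGamal parameters for illustration only (far too small for real use).
P = 2**127 - 1          # a Mersenne prime
G = 3


class KeySubstituted(Exception):
    """The key that arrived does not match the verified fingerprint."""


def keygen():
    """Return (private, public) for the toy scheme."""
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)


def fingerprint(public_key):
    """SHA-256 fingerprint of a public key: the value compared out of band."""
    return hashlib.sha256(public_key.to_bytes(16, "big")).hexdigest()


def encrypt(public_key, message):
    m = int.from_bytes(message, "big")
    if not 0 < m < P:
        raise ValueError("message too long for the toy modulus")
    k = secrets.randbelow(P - 3) + 2
    return pow(G, k, P), (m * pow(public_key, k, P)) % P


def decrypt(private_key, ciphertext):
    c1, c2 = ciphertext
    shared = pow(c1, private_key, P)
    m = (c2 * pow(shared, P - 2, P)) % P      # modular inverse via Fermat
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def send_secret(received_key, trusted_fingerprint, message):
    """Encrypt only if the key received over the network matches the
    fingerprint obtained over a separate channel (in person, by phone)."""
    if not hmac.compare_digest(fingerprint(received_key), trusted_fingerprint):
        raise KeySubstituted("public key does not match verified fingerprint")
    return encrypt(received_key, message)


def demo():
    colleague_private, colleague_public = keygen()
    _, attacker_public = keygen()
    trusted = fingerprint(colleague_public)   # e.g. read out over the phone
    message = b"secret=XYZ"                   # constructed sample message

    # Key arrives unmodified: the message is encrypted and the colleague reads it.
    delivered = decrypt(colleague_private,
                        send_secret(colleague_public, trusted, message))

    # Key was swapped in transit: the fingerprint check stops the send.
    try:
        send_secret(attacker_public, trusted, message)
        blocked = False
    except KeySubstituted:
        blocked = True
    return delivered, blocked


if __name__ == "__main__":
    print(demo())
```
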
Are man-in-the-middle attacks dangerous?
Man-in-the-middle attacks are dangerous and generally have two goals:
- Gain access to sensitive data and personal information; and/or
- Manipulate the contents of a transmitted message
In practice this means gaining access to:
- Personally identifiable information (PII) and other sensitive information for identity theft
- Login credentials on a public Wi-Fi network to gain unauthorized access to online bank accounts
- Stealing credit card numbers on an ecommerce site
- Redirecting traffic on public Wi-Fi hotspots from legitimate websites to sites hosting malware
Common targets for MITM attacks are websites and emails. Emails by default do not use encryption, enabling the attacker to intercept and spoof emails from the sender with only their login credentials.
What is the difference between a man-in-the-middle attack and sniffing?
Due to the nature of Internet protocols, much of the information sent to the Internet is publicly accessible. When you connect to a local area network (LAN), every other computer can see your data packets.
When an attacker is on the same network as you, they can use a sniffer to read the data, letting them listen to your communication if they can access any computers between your client and the server (including your client and the server).
In a man-in-the-middle attack, the attacker fools you or your computer into connecting with their computer. This makes you believe that they are the place you wanted to connect to. Then they connect to your actual destination and pretend to be you, relaying and modifying information both ways if desired. This is a much bigger cybersecurity risk because information can be modified.
As cybersecurity trends towards encryption by default, sniffing and man-in-the-middle attacks become more difficult but not impossible. Attackers can use various techniques to fool users or exploit weaknesses in cryptographic protocols to become a man-in-the-middle. A secure connection is not enough to avoid a man-in-the-middle intercepting your communication.
Where do man-in-the-middle attacks happen?
There are many types of man-in-the-middle attacks but in general they will happen in four ways:
- Public networks: You are most at risk when you connect to any public network. This means public Wi-Fi connections at airports or cafes, or any network with no access restrictions. It is easiest for an attacker to become a man-in-the-middle here because a lot of techniques work best on local area networks and Wi-Fi networks.
- On your computer: You could install malware that monitors and modifies your Internet connection (like a man-in-the-browser) or suffer from a phishing attack that hijacks your connection by luring you to sites that act as the man-in-the-middle.
- Router: Routers are often supplied by your Internet service provider and have default security settings. This means a lot of routers have the default login credentials (such as admin/password) or have outdated firmware that could have a known vulnerability.
- Web server: Attacker gains access to the genuine web server you intended to communicate with.
How do man-in-the-middle attacks work?
A man-in-the-middle attack can be divided into three stages:
- Stage one: Obtain access to a location to perform the attack.
- Stage two: Become the man-in-the-middle.
- Stage three: Overcome encryption if necessary.
Once the attacker is able to get in between you and your desired destination, they become the man-in-the-middle. For this to be successful, they will try to fool your computer with one or several different spoofing attack techniques.
What is ARP Spoofing (ARP Cache Poisoning)?
ARP (or Address Resolution Protocol) translates between the physical address of a device (its MAC address or media access control address) and the IP address assigned to it on the local area network.
An attacker who uses ARP spoofing aims to inject false information into the local area network to redirect connections to their device.
Imagine your router's IP address is 220.127.116.11. To connect to the Internet, your laptop sends IP (Internet Protocol) packets to 18.104.22.168. To do this it must know which physical device has this address. The router has a MAC address of 00:0a:95:9d:68:16.
Here's how ARP spoofing happens:
- Attacker injects false ARP packets into your network.
- The ARP packets say the address 22.214.171.124 belongs to the attacker's device with the following MAC address 11:0a:91:9d:96:10 and not your router.
- The ARP cache stores false information associating the IP 126.96.36.199 with MAC 11:0a:91:9d:96:10.
- Your laptop now aims to connect to the Internet but connects to the attacker's machine rather than your router.
- The attacker's machine then connects to your router and connects you to the Internet, enabling the attacker to listen in and modify your connection to the Internet.
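From the defender's side, the poisoning steps above show up as an IP-to-MAC binding that suddenly changes and as one MAC address answering for several IPs. The following added example (not from the original article) runs that detection logic over a constructed list of ARP replies; the two MAC addresses are the ones in the text, while the 192.168.0.x addresses, the laptop MAC and the function name are assumptions.

```python
from collections import defaultdict

ROUTER_MAC = "00:0a:95:9d:68:16"      # router MAC from the text
ATTACKER_MAC = "11:0a:91:9d:96:10"    # attacker MAC from the text

# Constructed sample of ARP replies as (seconds, sender IP, sender MAC).
# The 192.168.0.x addresses and the laptop MAC are made-up sample values.
OBSERVATIONS = [
    (0,  "192.168.0.1",  ROUTER_MAC),
    (5,  "192.168.0.23", "3c:22:fb:10:aa:01"),
    (60, "192.168.0.1",  ROUTER_MAC),
    (61, "192.168.0.66", ATTACKER_MAC),   # attacker's own address
    (62, "192.168.0.1",  ATTACKER_MAC),   # router IP now claimed by another MAC
    (63, "192.168.0.1",  ATTACKER_MAC),
]


def detect_arp_anomalies(observations, pinned=None):
    """Return alerts as (seconds, kind, ip, mac).

    pinned: optional {ip: mac} of known-good bindings (for example the
    gateway). A pinned binding is never overwritten by what is observed.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    believed = dict(pinned)            # ip -> MAC currently believed correct
    ips_by_mac = defaultdict(set)      # mac -> every IP it has answered for
    alerts = []
    for ts, ip, mac in sorted(observations):
        mac = mac.lower()
        known = believed.get(ip)
        if known is not None and known != mac:
            kind = "pinned-mismatch" if ip in pinned else "binding-changed"
            alerts.append((ts, kind, ip, mac))
        if ip not in pinned:
            believed[ip] = mac         # follow ordinary changes such as DHCP
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(OBSERVATIONS):
        print(alert)
```

Passing the gateway as a pinned binding keeps reporting every forged reply instead of accepting the new MAC after the first change.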
What is IP Spoofing (IP Address Spoofing)?
IP spoofing is when a machine pretends to have a different IP address, usually the same address as another machine. On its own, IP spoofing isn't a man-in-the-middle attack but it becomes one when combined with TCP sequence prediction.
Internet connections are generally established with TCP/IP (Transmission Control Protocol / Internet Protocol). Here's what happens:
- When two devices connect to each other on a local area network, they use TCP/IP.
- To establish a session, they perform a three-way handshake.
- During a three-way handshake, they exchange sequence numbers.
- Sequence numbers allow recipients to recognize further packets from the other device by telling them the order they should put received packets together.
In an IP spoofing attack, the attacker first sniffs the connection. This is easy on a local network because all IP packets go into the network and are readable by the devices on the network. The attacker learns the sequence numbers, predicts the next one and sends a packet pretending to be the original sender. If the packet reaches the destination first, the attacker can intercept the connection.
Imagine an attacker joins your local area network with the goal of IP spoofing:
- Attacker joins your local area network with IP address 188.8.131.52 and runs a sniffer enabling them to see all IP packets in the network.
- Attacker wants to intercept your connection to the router IP address 184.108.40.206, so they look for packets between you and the router to predict the sequence number.
- At the right moment, the attacker sends a packet from their laptop with the source address of the router (220.127.116.11) and the correct sequence number, fooling your laptop.
- At the same time, the attacker floods the real router with a DoS attack, slowing or disabling it for a moment enabling their packets to reach you before the router's do.
- Your laptop is now convinced the attacker's laptop is the router, completing the man-in-the-middle attack.
What is DNS Spoofing (DNS Cache Poisoning)?
ARP spoofing and IP spoofing both rely on the attacker being connected to the same local area network as you. With DNS spoofing, an attack can come from anywhere.
The good news is that DNS spoofing is generally more difficult because it relies on a vulnerable DNS cache. The bad news is if DNS spoofing is successful, it can affect a large number of people.
DNS (Domain Name System) is the system used to translate between domain names (e.g. example.com) and IP addresses. The system has two primary elements:
- Nameservers (DNS servers): Nameservers are the source of authoritative information, which is usually stored on two or three servers for each domain, e.g. the IP address for example.com is stored on a.iana-servers.net and b.iana-servers.net. If every client that wanted to connect to example.com connected to a.iana-servers.net and b.iana-servers.net to get to example.com, the servers would be overloaded. This is why we use local resolvers to cache information. If a resolver does not have the IP address cached, it will contact the nameservers and save the IP address.
- Resolvers (DNS caches): A temporary database maintained by a computer's operating system that contains records of all recent visits and attempted visits to websites and other Internet domains.
Here is an example of DNS spoofing:
- Attacker knows you use 18.104.22.168 as your resolver (DNS cache).
- Attacker also knows that this resolver is vulnerable to poisoning.
- Attacker poisons the resolver so that it stores their fake website's IP address for your bank's website.
- When you type your bank's website into the browser, you see the attacker's site.
- Attacker connects to the original site and completes the attack.
What is HTTPS Spoofing (IDN Homograph Attacks or web browser bar spoofing)?
Web browser spoofing is a form of typosquatting where an attacker registers a domain name that looks very similar to the domain you want to connect to. Then they deliver the false URL using other techniques such as phishing.
The Google security team believe the address bar is the most important security indicator in modern browsers. It provides the true identity of a website and verification that you are on the right website.
One example of address bar spoofing was the Homograph vulnerability that took place in 2017. It exploited the Internationalized Domain Name (IDN) feature, which allows domain names to be written using characters from various alphabets, to trick users.
For example, xn--80ak6aa92e.com would show as аррӏе.com due to IDN, virtually indistinguishable from apple.com. This has since been patched by showing IDN addresses in ASCII format.
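A mail filter, proxy or brand-monitoring job can apply the same idea as the browser fix: decode the xn-- label, look at which scripts it uses, and compare its Latin look-alike form against domains worth protecting. The following added example (not part of the original article) does this for the domain above; the confusables table is a small constructed subset, and the watch list and function names are assumptions.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin letters.
# A production check would use the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u04cf": "l",
}

# Constructed watch list (apple.com is the example used in the text).
PROTECTED = {"apple.com", "example.com"}


def decode_label(label):
    """Return the Unicode form of one DNS label; xn-- labels are Punycode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in(text):
    """Scripts used by the letters in text, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}


def check_domain(domain, protected=PROTECTED):
    """Decode a domain name and report homograph indicators."""
    try:
        labels = [decode_label(part) for part in domain.split(".")]
    except UnicodeError:
        return {"display": domain, "scripts": set(), "mixed_script_label": False,
                "lookalike_of": None, "suspicious": True}
    display = ".".join(labels).lower()
    # Replace known look-alike characters to get the name a reader would "see".
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in display)
    mixed = any(len(scripts_in(label)) > 1 for label in labels)
    lookalike = skeleton if skeleton != display and skeleton in protected else None
    return {
        "display": display,
        "scripts": set().union(*(scripts_in(label) for label in labels)),
        "mixed_script_label": mixed,
        "lookalike_of": lookalike,
        "suspicious": mixed or lookalike is not None,
    }


if __name__ == "__main__":
    for name in ("apple.com", "xn--80ak6aa92e.com", "ex\u0430mple.com"):
        print(name, check_domain(name))
```
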
What is email hijacking?
Email hijacking is when an attacker compromises an email account and silently gathers information by eavesdropping on email conversations. Email hijacking can make social engineering attacks very effective by impersonating the person who owns the email and is often used for spearphishing.
What is a man-in-the-browser attack?
A man-in-the-browser attack exploits vulnerabilities in web browsers like Google Chrome or Firefox. Trojan horses, worms, exploits, SQL injections and browser add-ons can all be attack vectors.
The goal is often to capture login credentials to financial services companies like your credit card company or bank account. When you log into the site, the man-in-the-browser captures your credentials and may even transfer funds and modify what you see to hide the transaction.
What is Wi-Fi eavesdropping?
If you've ever logged into a public Wi-Fi access point at a coffee shop or airport, you may have noticed a pop-up that said "This network is not secure".
Unencrypted Wi-Fi connections are easy to eavesdrop on. Think of it as having a conversation in a public place: anyone can listen in. You can limit your exposure by setting your network to public, which disables Network Discovery and prevents other users on the network from accessing your device.
Another example of Wi-Fi eavesdropping is when an attacker creates their own Wi-Fi hotspot called an Evil Twin.
They make the connection look identical to the authentic one, down to the network ID and password. Users may accidentally or automatically connect to the Evil Twin, allowing the attacker to eavesdrop on their activity.
What is SSL Hijacking?
SSL hijacking is when an attacker intercepts a connection and generates SSL/TLS certificates for all domains you visit. They present the fake certificate to you, establish a connection with the original server and then relay the traffic on.
This only works if the attacker is able to make your browser believe the certificate is signed by a trusted Certificate Authority (CA). Otherwise your browser will display a warning or refuse to open the page.
Here's how SSL Hijacking works:
- Attacker uses a separate cyber attack to get you to download and install their CA.
- When you visit a secure site, say your bank, the attacker intercepts your connection.
- Attacker generates a certificate for your bank, signs it with their CA and serves the site back to you.
- Your browser thinks the certificate is real because the attacker has tricked your computer into thinking the CA is a trusted source.
- Attacker establishes connection with your bank and relays all SSL traffic through them.
SSL hijacking can be legitimate. For example, parental control software often uses SSL hijacking to block sites.
What is SSL Stripping?
SSL Stripping or an SSL Downgrade Attack is an attack used to circumvent the security enforced by SSL certificates on HTTPS-enabled websites.
In layman's terms, when you go to a website your browser connects to the insecure site (HTTP) and then is generally redirected to the secure site (HTTPS).
If the website is available without encryption, an attacker can intercept your packets and force an HTTP connection that could expose login credentials or other sensitive information to the attacker.
The risk of this type of attack is reduced as more websites use HTTP Strict Transport Security (HSTS) which means the server refuses to connect over an insecure connection.
Older versions of SSL and TLS had their share of flaws like any technology and are vulnerable to exploits.
What is session hijacking?
Session hijacking is a type of man-in-the-middle attack that typically compromises social media accounts. Most social media sites store a session browser cookie on your machine. This cookie is then invalidated when you log out but while the session is active, the cookie provides identity, access and tracking information.
Other methods for man-in-the-middle attacks
There are more methods for attackers to place themselves between you and your end destination. These methods usually fall into one of three categories:
- Server compromise: The attacker gains control of the server you want to connect to and places their own software on the server to intercept connections.
- Client compromise: Attacker gains access to your machine and installs a trojan horse or other form of malware that allows them to listen in on all your connections.
- Communication compromise: Attacker takes over a machine that routes information between you and the server.
Man-in-the-middle attack detection and prevention
There are many types of man-in-the-middle attacks and some are difficult to detect. The best countermeasure against man-in-the-middle attacks is to prevent them.
While it is difficult to prevent an attacker from intercepting your connection if they have access to your network, you can ensure that your communication is strongly encrypted.
Here are some general tips you can follow:
- Virtual Private Network (VPN): VPNs encrypt your web traffic limiting an attacker's ability to read or modify communication.
- Network intrusion detection system (NIDS): A NIDS is placed at strategic points within a network to monitor traffic to and from all devices on the network. It analyzes passing traffic on the entire subnet and matches that traffic against a library of known attacks. Once an attack is identified or abnormal behavior is found, an alert can be sent to a cybersecurity professional.
- Firewall: A strong firewall can prevent unauthorized access.
- Antivirus and antimalware: Install an antivirus and antimalware software package that includes a scanner that runs on your system boot to prevent man-in-the-middle attacks that rely on malware.
- Two-factor authentication: A good way to prevent email hijacking is to use two-factor authentication that requires an additional vector of authentication beyond your password.
- Understand common phishing scams: Phishing emails are a common attack vector. Only download email attachments when you know they are from the person you believe they are from, and pick up the phone and ask if you are unsure.
- Sign out: Avoid session hijacking by signing out of any unused accounts to invalidate session cookies.
- Think about what you install: Only install browser add-ons and software if you know they are from a reputable source.
- Force encryption: Avoid sharing any sensitive information on sites without HTTPS.
- Install HTTPS Everywhere: It's a Chrome security extension that forces an SSL connection wherever possible.
- Use a password manager: It should avoid auto-filling passwords on nefarious sites.
- Avoid public Wi-Fi networks: If you must use public Wi-Fi configure your device to require manual connection.
- Patch software and hardware: Keep your tools up to date to avoid man-in-the-middle attacks that exploit known vulnerabilities.
- Use secure DNS servers (DNS cache): Make sure the DNS servers (DNS cache) you use are secure.
- Application security: If you have a website or application, regularly scan for vulnerabilities and resolve issues.
Notable man-in-the-middle attacks
The Babington Plot: In 1586 there was a plan to assassinate Queen Elizabeth I and put Mary, Queen of Scots on the English throne. Communications between Mary, Queen of Scots and her co-conspirators were intercepted, decoded and modified by Robert Poley, Gilbert Gifford and Thomas Phelippes, leading to the execution of the Queen of Scots.
Belkin: In 2003, a non-cryptographic attack was perpetrated by a Belkin wireless network router. Periodically, it would take over an HTTP connection being routed through it, fail to pass the traffic on to the destination and respond as the intended server. In the reply it sent, it would replace the web page the user requested with an advertisement for another Belkin product. This "feature" was later removed.
DigiNotar: In 2011, a DigiNotar security breach resulted in fraudulent issuing of certificates that were then used to perform man-in-the-middle attacks.
Nokia: In 2013, Nokia's Xpress Browser was revealed to be decrypting HTTPS traffic giving clear text access to its customers' encrypted traffic.
Equifax: In 2017, Equifax withdrew its mobile phone apps due to man-in-the-middle vulnerability concerns.
How UpGuard helps prevent man-in-the-middle attacks
Our platform can help you understand which of your sites are susceptible to man-in-the-middle attacks and how to fix the vulnerabilities. UpGuard BreachSight can help combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customers' trust through cyber security ratings and continuous exposure detection.
We can also help you continuously monitor, rate and send security questionnaires to your vendors to control third-party risk and fourth-party risk and improve your security posture, as well as automatically create an inventory, enforce policies, and detect unexpected changes to your IT infrastructure, helping you scale your vendor risk management, third-party risk management and cyber security risk assessment processes.