A man-in-the-middle attack is a cyberattack in which the attacker can secretly intercept messages between two or more parties who believe they are communicating with each other. Attackers can then use their position as the “man in the middle” to read this confidential information, even maliciously edit it, or insert their own messages. This can lead to a devastating data breach or the spread of malware throughout an organization’s IT environment.
The MITM attack is a common, yet often overlooked, tactic malicious cyber actors use. In 2019, for example, more than 500 million users of the UC Browser Android mobile app were exposed to an MITM attack because the app downloaded executable code from a third-party server (Gatlan, 2019).
So what is a man-in-the-middle attack, and how can you get started with man-in-the-middle prevention? We’ll answer these questions and more below.
What is a Man-in-the-Middle (MitM) Attack?
MITM attacks are a kind of digital eavesdropping, letting attackers steal sensitive data or even force themselves into the conversation in disguise. They are dangerous precisely because they are intended to be covert: the attacker slips away without the communicating parties being any wiser.
The goal of man-in-the-middle attacks is for the attacker to somehow exploit this privileged eavesdropping stance. Some attackers listen in to conversations to steal login credentials, financial data, or other sensitive personal information. Other attackers use the MITM approach as part of a larger cyberattack, using their position to insert malware to gain access to an IT system or network.
How Do Man-in-the-Middle Attacks Work?
Man-in-the-middle attacks require a security flaw or vulnerability in the IT environment that the attacker can exploit to get between the communicating parties. The steps of an MITM attack are as follows:
- Gaining access: The attacker gains access to a private communications channel in some form. The methods of gaining access may include intercepting network traffic, hacking into an unsecured Wi-Fi hotspot, or exploiting vulnerabilities in web applications.
- Listening in: Once MITM attackers have access, they begin the attack by capturing the private messages and data sent back and forth within the channel. This may be done simply by eavesdropping on communications or by establishing a fake website or server that intercepts users’ messages.
- Exploiting: Sophisticated MITM attackers may also insert their own messages into the conversation, posing as legitimate entities. For example, they might change the contents of an email or trick users into revealing their financial details.
- Further attacks: The attacker may use the knowledge gained during an MITM attack to further assault the target. Employees’ login credentials, for example, can be used to enter an IT environment and cause additional damage or disruption.
Types of Man-in-the-Middle Attacks
There are many different types of man-in-the-middle attacks, making it essential for businesses to recognize all the warning signs. Security researchers have discovered potential MITM attacks targeting Internet routers, real-time locating system (RTLS) technology, and even smartwatches for children.
Below are just a few ways for cybercriminals to commit MITM attacks:
- Wi-Fi eavesdropping: Attackers may hack into unsecured Wi-Fi networks or set up a malicious Wi-Fi hotspot to view users’ communications. For example, an attacker may establish a Wi-Fi hotspot with the name of a nearby business, tricking users into connecting.
- IP spoofing: Attackers might forge the source Internet Protocol (IP) address in the packets they send so that they appear to come from a trusted website, server, or device. This causes users to believe that they are interacting with a legitimate entity when they are, in fact, communicating with a malicious attacker.
- DNS spoofing: Attackers can also spoof or “poison” a Domain Name System (DNS) cache, causing legitimate user traffic to be redirected to fake websites. This requires attackers to exploit vulnerabilities in DNS servers or trick users into downloading malware that changes their DNS settings.
- ARP cache poisoning: Attackers on the same local network can send forged Address Resolution Protocol (ARP) replies that map a legitimate device’s IP address (such as the default gateway’s) to the attacker’s own MAC address. Once victims’ ARP caches are “poisoned” with this mapping, their traffic is routed through the attacker’s machine, letting the attacker impersonate legitimate entities and eavesdrop on communications.
- Session hijacking: Attackers can exploit a legitimate user’s current website session or browser cookies, taking over their identity. This allows them to steal users’ confidential data or hack into their financial accounts.
Man-in-the-Middle Attack Examples
Some real-life MitM attack examples that had serious repercussions are highlighted below:
The Lenovo Superfish Adware MitM Attack (HTTPS Spoofing): One of the best-known man-in-the-middle attack examples is the Lenovo adware attack, in which computers from this brand were shipped with the Superfish Visual Search adware pre-installed, making users potential targets for MitM attacks (CISA, 2016). The software installed a self-signed root certificate on the user’s device, allowing it to intercept the user’s encrypted web traffic and inject its own ads.
The DigiNotar MitM Attack (SSL Hijacking): The DigiNotar breach of 2011 was so damaging that it ultimately drove the company into bankruptcy. DigiNotar, a Dutch issuer of digital certificates, was breached in July; the intruder tricked the company into issuing 500 fake digital certificates for major companies such as Google, Mozilla, and Skype. The hacker claimed to have compromised four additional certificate authorities in addition to DigiNotar and described himself as a 21-year-old Iranian student (Zetter, 2011).
How Can You Detect Man-in-the-Middle Attacks?
Because they are covert by design, man-in-the-middle attacks can be challenging to detect. Ways to detect that you’ve fallen victim to an MITM attack include:
- Looking for unexpected communication: If you notice strange or unexpected things about the messages you receive (e.g., their content or timing), this could indicate that you are communicating with an MITM attacker.
- Scanning network traffic: Network monitoring and packet analysis tools such as tcpdump and Wireshark can help search for anomalies in the traffic in your IT environment.
- Verifying SSL/TLS certificates: Checking that a server’s SSL/TLS certificate is valid and was issued by a trusted certificate authority (along with other authentication mechanisms) helps verify that users are communicating with the correct entity.
- Installing antimalware software: Antimalware and antivirus software can help detect the presence of unauthorized applications and code that has been injected by an MITM attacker.
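Both the ARP cache poisoning entry above and the tcpdump/Wireshark advice in this detection list come down to spotting inconsistent IP-to-MAC bindings on the local network. The following is an added example, not code from the original article, that scans a tcpdump-style ARP capture for two poisoning indicators: an IP address whose MAC binding changes, and a single MAC address answering for an implausible number of IPs. The sample capture, the addresses in it, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -n -e arp` output (not a real capture):
# a legitimate gateway (192.168.1.1) and host (192.168.1.10), followed by a third
# MAC that starts answering for both of them and for a further host.
SAMPLE_TCPDUMP = """\
10:00:01.000000 00:11:22:aa:bb:01 > 00:11:22:aa:bb:10, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 00:11:22:aa:bb:01, length 28
10:00:01.500000 00:11:22:aa:bb:10 > 00:11:22:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.10 is-at 00:11:22:aa:bb:10, length 28
10:00:05.000000 de:ad:be:ef:00:99 > 00:11:22:aa:bb:10, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
10:00:05.010000 de:ad:be:ef:00:99 > 00:11:22:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.10 is-at de:ad:be:ef:00:99, length 28
10:00:06.000000 de:ad:be:ef:00:99 > 00:11:22:aa:bb:20, ethertype ARP (0x0806), length 42: Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
10:00:07.000000 00:11:22:aa:bb:30 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.30, length 28
"""

# Matches only ARP *replies*; requests carry no "is-at" binding and are ignored.
ARP_REPLY = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) .*?Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)

def parse_arp_replies(text):
    """Yield (seconds since midnight, ip, mac) for every ARP reply line in the capture."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue
        h, mi, s = m.group("ts").split(":")
        yield int(h) * 3600 + int(mi) * 60 + float(s), m.group("ip"), m.group("mac").lower()

def detect_arp_poisoning(text, max_ips_per_mac=2):
    """Return one alert dict per indicator: an IP whose MAC binding changed, and a MAC
    that has claimed more than max_ips_per_mac distinct IPs (reported once per MAC)."""
    ip_to_mac = {}                  # last binding seen for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has answered for
    flagged_macs = set()
    alerts = []
    for ts, ip, mac in parse_arp_replies(text):
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"kind": "ip-mac-change", "ts": ts, "ip": ip,
                           "old_mac": prev, "new_mac": mac})
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append({"kind": "mac-claims-many-ips", "ts": ts, "mac": mac,
                           "ips": sorted(mac_to_ips[mac])})
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_TCPDUMP):
        print(alert)
```

On a real network, feed the function the output of `tcpdump -n -e arp` and raise the threshold for hosts that legitimately hold several addresses, such as routers; a gateway whose MAC changes mid-session is the classic sign worth investigating.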
Man-in-the-Middle Attack Prevention Best Practices
While attackers have no shortage of techniques in their MITM toolbox, their would-be targets aren’t totally helpless. Below are some best practices for man-in-the-middle prevention for individuals, organizations, and website operators:
- Using VPNs and encryption: Virtual private networks (VPNs) are encrypted channels that allow users to securely connect to the Internet and exchange sensitive data. In general, using encryption to protect information both in transit and at rest is an excellent practice to thwart MITM attacks.
- Avoiding public Wi-Fi hotspots: Malicious Wi-Fi hotspots are a favorite tactic of MITM attackers. Users should only connect to trusted Wi-Fi networks with up-to-date encryption protocols such as WPA3.
- Using secure connections: Website visitors should verify that they are using an HTTPS secure connection (and not merely HTTP). Most browsers have a visual indication of an HTTPS connection with a padlock icon in the address bar.
- Enforcing strong passwords and multi-factor authentication: Many MITM attacks occur when the attacker can breach an IT system’s defenses and impersonate a legitimate user. Requiring users to have strong passwords and use multi-factor authentication (MFA) to verify their identities makes it much harder for MITM attackers to take this approach.
If you are interested in learning how to recognize and thwart MITM attacks and other types of cyberattacks, visit the C|PENT (Certified Penetration Testing Professional) program. The certification includes both theoretical and practical modules about detecting vulnerabilities across the IT environment, from networks and web applications to the cloud and Internet of Things (IoT) devices.
Gatlan, S. (2019, October 17). 500+ Million UC Browser Android Users Exposed to MiTM Attacks. Again. BleepingComputer. https://www.bleepingcomputer.com/news/security/500-million-uc-browser-android-users-exposed-to-mitm-attacks-again/
About the Author
David Tidmarsh is a programmer and writer. He’s worked as a software developer at MIT, has a B.A. in history from Yale, and is currently a graduate student in computer science at UT Austin.