7 important truth on Man in the middle attack

7 important truth on Man in the middle attack


Wanna know all the stuff you need to know about Man in the middle(MITM) attack? including the basic concepts, types, prevention, etc. If your answer is yes, I suggest you read further.



This particular topic is one of the most asked cyber-security questions on the net. Just like most search terms, I'm gonna break it this way;


  1. What is Man in the middle attack?
  2. How does it work?
  3. Typical example
  4. Real life instances
  5. Different forms of MITM attack?
  6. What are the types of MITM attack?
  7. How do I prevent a MITM attack?

To better understand this concept, you'll be reading this from a victim's perspective rather than the attacker. Pay attention!


1. What is Man in the middle attack?

A man-in-the-middle attack is a known cybercrime where a malicious actor secretly inserts himself into an online conversation between two individuals(sometimes more), impersonates both parties involved and accesses information that is being sent by the two parties to one another.

This type of cyber attack basically requires three players to be carried out; the victim, the individual/s the victim is trying to communicate with, and the hacker(Man in the middle), who ’s trying to intercept the victim’s communications with the purpose of getting critical information.

7 important truth on Man in the middle attack


Note that the victim in this scenario isn’t aware of the man in the middle.

A practical example of a MITM attack is active eavesdropping. In this example, the hacker attempts independent links with the victims and conveys messages between them, making them think they're communicating directly with each other over a secure private connection, when in truth, the whole conversation is being controlled by the attacker.

MITM attack is one of the forms of session hijacking. Other forms similar to a MITM attack are:


  • Sidejacking - This involves sniffing of data packets with the purpose of stealing session cookies and in the process hijack a user’s session. These cookies login information in some cases are unencrypted, even if the website was secure.



  • Evil Twin - This can be called a rogue Wi-Fi network appearing to be from a legitimate network. When a user joins a rogue network, an attacker can launch a MITM attack, thereby intercepting useful data sent between you and the network.



  • Sniffing - This is when a malicious actor uses a readily available tool or program to intercept data being transmitted from or to your device.


2. How does Man in the middle attack work?

How does this work? what actually happens in the background is that the hacker manages to have some form of control over the network topology thereby being able to insert himself in-between the client and the server.

A befitting example of this is DNS spoofing. The attacker convinces your computer system that www.amazon.com doesn’t map to any of the Amazon server IPs, but to his(the attacker) server IP. The client not knowing what's going on then connects to the attacker instead of Amazon. The hacker can then decide to forward the client’s traffic to Amazon servers or not

Address Resolution Protocol(ARP) is another interesting example. This is used to map a network address to a physical address like a MAC address. An IPv4 address is an example of the network address.
7 important truth on Man in the middle attack
Check out the ARP cache of one’s computer system.
ARP comes with a flaw though, it being that you can't verify that the ARP packet is telling the truth.

Check this out;

The Router asks, “Who and where is 192.168.1.103?”, a system at 192.168.1.105 replies, “192.168.1.103 is at ff:ff:ff:ff:ff:ff (192.168.1.105’s MAC)”. The router doesn't know that this packet is coming from a totally different system. For the router, 192.168.1.103 is 192.168.1.105. This is known as ARP spoofing.

So what basically happens in a man in the middle attack is that the attacker continuously sends ARP packets to the victim claiming that the attacker’s system is the router.
Here, the attacker is sending ARP replies to the victim (192.168.1.17) saying that he's the router. It says 192.168.1.1 is at 8:0:27:f1:77:4e(attackers MAC)
The victim’s computer goes ahead and sends all the packets to the attacker’s computer, all the while thinking it is actually the router and the attacker then forwards those messages to the actual router. Editing and taking the information he needs in the process.

There’s a more complex and sophisticated MITM attack involving Border gateway protocol(BGP) where you can divert the routing to the internet for an entire domain.

3. Typical example?

7 important truth on Man in the middle attack

An example? Let’s say your friend receives an email that seems to be from his bank, encouraging him to sign into his account dashboard to confirm his contact information. 

He clicks on a link(saying maybe click here to sign in) in the email and is redirected to what looks like his bank’s website. Then he signs in and carries out the requested task and in the process unknowingly giving out his info.

In this scenario, the MITM sent your friend the email, making it appear to be legitimately from his bank. This particular attack involves phishing i.e tricking him to click on a link in the email that appears to come from his bank. 



Note that the hacker had to create a replica of your bank's website

Another analogy:

Let's say Debra and Justice are having a conversation online; Mary intends to eavesdrop on the conversation but at the same time remain transparent.

Mary could tell Debra that she is Justice and tell Justice that she is Debra. This would consequently make Debra believe she’s currently texting Justice while revealing her version of the conversation to Debra.

Mary then gathers needed information from the conversation, alter and twist the response,  and pass the message across to Justice (who still thinks he’s having a good talk with Debra). As a result, Mary transparently hijacked their entire conversation.

4. Real life instances of a MITM attack?

Enough of made up scenarios. Let's look at a few real life man in the middle attacks;

7 important truth on Man in the middle attack

  • In 2013, the Browser owned by Nokia Xpress was made known to be decrypting HTTPS traffic on the Nokia's proxy servers, enabling the company to access its customers' encrypted browser traffic. Nokia, however, said that the content was only stored temporarily and they have technical and organizational measures put in place to prevent unwarranted access to private information. cite

  • In 2003, a remarkable non-cryptographic man in the middle attack was carried out by a Belkin wireless network router. Periodically, it hijacks HTTP connections being routed through it to a destination and self-respond as the intended server. After the reply is sent, instead of the of the web page the user requested, was a commercial for a Belkin product. After several complaints from technically literate users, this particular 'feature' was removed from the router's firmware. cite
Other notable mentions are;
  • Comcast uses a man in the middle attacks to inject JavaScript code into 3rd party web pages, displaying their ads on top of the pages. cite

  • NSA impersonation of Google. cite

5. Different forms of Man in the middle attack

MITM attacks are of two forms; one that involves malware, and another that involves physical proximity to the proposed target. The first form, just like the fake bank scenario above, is also referred to as a man in the browser attack.

  • Man in the browser attack

With a MITB attack, the attacker requires a way to inject malicious programme into the victim’s computer system. This can be achieved by conducting a phishing attack.

The malware installs on the browser without the user ’s consent and knowledge. The malware then records the data/information sent between websites and the victim, such as online shops, and forwards it to the attacker.


Going back to the forms of MITM attack. Hackers execute a MITM attack in 2 phases — interception and decryption.

In a traditional man in the middle attack, attackers need access to a vulnerable Wi-Fi router. These types of connections are likely to be found in public places with free Wi-Fi hotspots, and in some cases, in some people’s homes, i.e when they fail to protect their network properly. Attackers will go ahead to scan the router in search for specific vulnerabilities such as a weak password.


Once a vulnerability is found, attackers use some hacking tools to intercept and read the victim’s transmitted data


A successful MITM attack doesn't stop after it intercepts. The victim’s encrypted data needs to be unencrypted, that way, the attacker can read and act upon it.

6. What are the types of man in the middle attack?

IP spoofing 

Each computer online has an internet protocol (IP) address, which is somewhat similar to the street address of your home. By spoofing an IP address(changing the IP), a hacker is able to trick you into thinking you’re interacting with someone or a website you’re not, probably allowing the attacker to have access to sensitive information you’d otherwise not share.

DNS spoofing

Domain Name Server(DNS) spoofing is a type of MITM attack that forces a victim to a fake website instead of the real one the victim intends to visit. Victims of DNS spoofing think they’re visiting a safe, trusted site, instead, they’re unknowingly interacting with a fraudster. Here, the attacker's mission is to divert traffic from the real website and capture user login details.


HTTPS(Hypertext Transfer Protocol Secure) spoofing

When doing online transactions, be on the lookout for “HTTPS” in the website URL, rather than “HTTP”. This shows that the site is secure and trusted. A hacker can trick your browser into believing it’s visiting a secure site when it’s not.


SSL hijacking

If your computer connects to an unsecured server specified by “HTTP”, the server can on its own redirect you to the secure version of the server, specified by “HTTPS.”

Connecting to a secure and trusted server basically means standard security protocols are in order, protecting all the data you have in common with that server.

SSL is short for Secure Sockets Layer, a protocol that sets up encrypted links between the web server and your browser.

In an SSL hijacking, the hacker uses a different computer and a secure server to intercept all the data passing through the server to the user’s computer.


Email hijacking

Attackers can target email accounts of financial institutions like banks. Once access is gained, they are able to monitor transactions between the customers and the institution.

The attackers can then decide to spoof the bank’s email address and email to customers. This convinces the victim to follow the hackers’ instructions instead of the bank’s. As a result, an unwitting victim may end up sending money to the attacker.


Stealing browser cookies

To better grab the concept of a stolen browser cookie, you first need to understand what one is; a browser cookie is simply a  piece of information a website stores on your computer system.

online retailers like Amazon might store the personal info you enter and cart items you’ve selected on a cookie, that way, you need not re-enter same information when you return.

A hacker can steal your browser cookies and gain access to sensitive information.

7. How do I protect my system from a MITM attack?

7 important truth on Man in the middle attack


Strong WEP/WAP Encryption on Access Points

Having a very strong encryption mechanism on wireless access points(WAP) helps prevent unwanted persons from connecting to your network. A somewhat weak encryption mechanism allows a hacker to easily brute-force his way into a network and starts MITM attacking. 

The stronger the encryption, the safer.


Virtual Private Network

VPNs is used to create a secure browsing environment for information within a LAN(local area network). They create a subnet using key-based encryption for secure communication. If this is done properly, the attacker will not be able to decipher the traffic in the VPN even if he happens to get on a network that is shared.


Force HTTPS

HTTPS is used to safely communicate over HTTP with the help of public-private key exchange. This helps prevent an attacker from making sense from the data he may be sniffing. 

Webmasters should not provide HTTP alternatives.


Public Key Pair Based Authentication

A man in the middle attack involves spoofing something. RSA public key pair authentication can be used in numerous layers of the stack in ensuring that the people or website you are in communication with are actually the people you want to be communicating with.



Summary

It is all scary from a victim's perspective of man in the middle (MITM) attack. Sometimes times the fear is due to knowing little or no info on the topic. 

After reading through this, most users might panic with the knowledge that they have been keeping their devices vulnerable and might have fallen victim to an attack. The best thing to do in such a scenario is to keep calm.


Join us on facebook if you appreciate this post.

2 comments:

  1. Last week was the first time I ever heard about MITM attacks because one of my coworkers opened an e-mail, that he thought is from a customer. He opened a link and accidentally send a bunch of company money to the attacker. After that, we had a lecture about this kind of things and how to avoid them. The main suggestion was to use Nordvpn security provider in all the cases. So we started using it, and I hope that from now we won’t have any similar problems.

    ReplyDelete
    Replies
    1. Hope your coworker didn't get in trouble. Any good VPN is preferable to none. Thanks for stopping by Fredric.

      Delete