What is a Man in the Middle Attack? (and How To Protect Yourself)
A man-in-the-middle (MitM) attack occurs where an attacker injects themselves into ongoing communication between two users. Here, the bad actor stations themselves between the two points and intercept the messages, either altering them and sending the altered message to the other side or simply intercepting the message for malicious use later.
The attacker could be active or passive. They are active when they impersonate any of the communication parties and change the communication. As a passive attacker, they simply intercept the messages. In any of the two cases, however, your secrets get exposed. Thus, when an attack is underway, a hacker could carry out any number of activities, including but not restricted to identity theft, password change, and even fund theft. Beyond that, MitM attacks can also be the precursor to other more sophisticated infiltrations. This is because this attack can give a hacker inroads into a secured perimeter, enabling attacks.
Man-in-the-middle attacks are not as common as phishing or ransomware attacks, but they are more coordinated. Such attacks can leave you vulnerable to a lot of risks if you do not take care.
Stages of a Man-in-the-Middle Attack
Generally, a man-in-the-middle attack takes two distinct stages. They are:
Here, the attacker establishes their own connection and stops the message flowing from one end to the other. Meanwhile, neither of the legitimate parties on the network is aware of the interloper. Thus, they will be unaware that certain aspects of their communication may have been compromised.
One of the easiest ways attackers carry out this stage of the MitM attack is through creating free but malware-infested WiFi hotspots. This is usually in public places such as cafes and libraries. When unsuspecting users connect to any of such hotspots, the attacker gains free access to their data. Hence, such a bad actor can alter communication coming from the victim’s device. Other popular techniques also employed at this stage include IP spoofing, ARP spoofing, and DNS spoofing.
Here, the interloper has to unravel the two-way SSL traffic without alerting the user.
Here are some of the techniques attackers employ.
Sniffing refers to the techniques hackers employ to access packets that routinely ought to be hidden from them. The popular method they employ here is special wireless devices. These devices can go into promiscuous or monitoring mode, empowering the attacker to break through the barriers to access packets.
The attacker injects a totally different packet into the communication process apart from just intercepting the packets. Sniffing usually precedes the injection, and the injected packets appear to be an organic part of the process while tampering with the communication.
This occurs where an attacker hijacks a temporary session token and uses it to log in like a regular user. Typically, a web application generates session tokens for users looking to log in. This prevents the user from typing in their password every time they need to access the web browser application. In a session hijacking, the attacker deciphers the session token and logs in as though they are the actual users.
In this situation, the attacker creates fake authentication keys and shares these both with the user and the application. This typically occurs during a TCP handshake. This will trick both legitimate parties into thinking they are on a secure connection while the reverse is the case. The attacker will then gain access.
This occurs in scenarios where the attacker strips the HTTPS of the ‘s’. The man-in-the-middle downgrades the HTTPS to an HTTP without the knowledge of the user. To do this, the attacker intercepts the authentication keys the application sends to the user. In return, the attacker then sends an unsecured version of the application’s site to the user. If the user does not become aware of this soon, they will be carrying out interactions with the attacker with the HTTPS protection stripped.
This has been explained earlier. Here, the attacker either creates an unsecured WiFi connection. Alternatively, they create a WiFi connection with popular names. This tricks people into letting down their guards and connecting to such networks. When users do, the attacker steals whatever information is sent over the network.
Types of Man-in-the-Middle Attacks
There are several man-in-the-middle attack models. Unfortunately, several new ones keep cropping up by the day. Here is a list of some of the popular types.
ARP stands for Address Resolution Protocol. In a Local Area Network (LAN), a communication host relies on the ARP to resolve IP addresses to physical Media Access Control (MAC) addresses. However, in some cases, the MAC address may be unknown. In such cases, the host makes a request from the device with the existing IP address.
An attacker could respond to any such request and provide its own MAC address instead. It can then position its packets to intercept the traffic between the two hosts. This is an incredible way to access private information, including session tokens and so on.
DNS (Domain Name System) spoofing closely resembles ARP spoofing because while an ARP resolves IP addresses to MAC addresses, DNS resolves domain names to IP addresses. Basically, the DNS links the domain name to the string of numbers that direct user traffic in the right direction. In DNS spoofing, the attacker introduces corrupt DNS cache data to a host, hijacking the communication in the process.
Short for Hypertext Transfer Protocol Secure, HTTPS should indicate the security of whatever website one connects to. Websites with HTTPS preceding their names are ordinarily supposed to be secure. However, an attacker takes advantage of this in a MitM attack.
Here, they will create websites with the HTTPS identifier, seemingly with valid authentication but then insert tiny, often-overlooked differences. Usually, this would be an imitation of a popular or existing website. The attacker then tricks a random user into visiting this site, thinking it is the authentic one (this is usually through phishing attacks). Once the user visits this fake website and communicates on it, the attacker intercepts the communication and alters it in the process, too.
How To Detect Man-in-the-Middle Attacks
MitM attacks are usually hard to decipher. This is because they do not occur in ways that will cause alarm bells to start ringing in the head of the regular internet user. Nevertheless, here are some of the sure signs to explore:
If some address in your browser address bar looks strange, you need to make a double-take and confirm its authenticity. As mentioned elsewhere, some hijackers can create lookalike websites of popular sites. Thus, when anything looks off, it will be best to pause and confirm its identity.
Unknown Public WiFis
Generally, it is advisable not to connect to public WiFi. You will be unable to control what goes on there and who can access your data. However, if you must, pay particular attention to public WiFi networks that appear strange.
If you get frequently logged out of your account, that could be a sign that a hacker is trying to get in. An attacker could forcefully log you out of your account to trick you into inputting your login credentials. Thus, take note when you experience frequent interruptions in quick succession.
How To Prevent Main-in-the-Middle Attacks
It is usually better to prevent MitM attacks than it is to handle them when they arise. Here are some of the tips you can employ:
Use a VPN
A VPN (short for Virtual Private Network) creates a secure tunnel for your traffic. Thus, no one will be able to intercept or interfere with your data as it goes from sender to receiver. More so, your data gets encrypted. Thus, even if a hacker intercepts the data, it will be useless because of the encryption.
Create Strong Wireless Access Points (WAP) Encryptions
It is important to implement strong Wireless Access Point encryption to prevent an attacker from infiltrating your network. An attacker can use brute force to force their way onto your network if the encryption is weak. Thus, apart from ensuring that encryption exists, it is important to make sure that they are strong.
Create Strong Router Login Passwords
As a rule of thumb: never use the default router login credentials your device comes with. Always make sure you change the default to something relatively strong. If a hacker accesses your router login password, they could swap your DNS server to theirs or could even infect your server with malware.
Install Browser Plugins
You can also install plug-ins to enforce using HTTPS at all times. HTTPS guarantees your security when you visit some websites. A plug-in enforces using HTTPS on requests even when a website has an HTTP alternative.
MitM attacks are some of the unfortunate realities of today’s internet world. They are hard to detect and address. Thus, it is advisable to find ways to prevent them from arising at all. This article addresses all you need to know.