A man-in-the-middle (MitM) attack is a leading cyber threat that gets its name from the fact that an attacker inserts themselves between two communicating parties. If all communications pass through the attacker en route to their destination, this creates the potential for the attacker to drop, read, or modify messages before they reach the intended recipient.
To perform a MitM attack, the attacker needs to accomplish two goals. First, they need to insert themselves into the communication in a way that enables them to intercept traffic en route to its destination. Some of the ways in which an attacker could accomplish this include:
Once in the middle of a communication, the attacker needs to be able to read the messages; however, a significant percentage of internet traffic is encrypted using SSL/TLS. If traffic is encrypted, then reading and modifying the messages requires the ability to spoof or break the SSL/TLS connection.
This can be accomplished in a few different ways. If an attacker can trick the user into accepting a fake digital certificate for a site, then the attacker would be able to decrypt the client’s traffic and read or modify it before sending it on to the server. Alternatively, an attacker can break the security of the SSL/TLS session using SSL stripping or downgrade attacks.
MitM attacks can be carried out in various ways, which depend on the protocol being attacked and the attacker’s goal. For example, performing a MitM attack is easier when the communication stream is unencrypted and when the attacker is naturally located on the route that the target traffic will take.
The average user has been educated on how to determine if their web browsing session is encrypted based on the https and lock icon in the URL bar. However, verifying that data streams are encrypted is more difficult with mobile applications and Internet of Things (IoT) devices. It is not uncommon for these to have poor security and to use unencrypted protocols, such as Telnet or HTTP, to communicate.
If this is the case, then an attacker can easily read and potentially modify the data flowing between the mobile app or IoT device and the server. By using a wireless access point or some form of spoofing, the attacker can interject themselves into the communication stream so that all traffic flows through them. Since these protocols lack built-in checks for data integrity or authenticity, the attacker can change the contents of the traffic at will.
SSL/TLS is designed to protect against MitM attacks by providing confidentiality, integrity, and authentication to network traffic. However, it relies on the user only accepting valid digital certificates for a particular domain. If the attacker can trick the user into visiting a phishing site, convince them to accept a fake certificate, or compromise the digital certificate that a company uses for SSL inspection, then these protections are broken.
In this scenario, the attacker maintains two separate sessions encrypted with SSL/TLS. In one, it connects to the client while masquerading as the server and using its fake SSL certificate. In the other, it poses as a client connecting to the legitimate server. Since the attacker controls both sessions, they can decrypt data from one session, inspect and modify it, and re-encrypt it for the other session.
MitM attacks depend on the attacker being able to intercept and read traffic. Some Internet security best practices to prevent this include:
Validate Digital Certificates: A legitimate website should always have a digital certificate that shows up as valid in a browser. Trusting a suspicious certificate could enable a MitM attack.
Check Point remote access VPNs can help to protect remote employees against MitM attacks and other cyberattacks. To learn more about the cyber threats that your organization faces, check out the 2022 Cyber Security Report. Then, take the free Security Checkup to learn how your organization can improve its security posture.