What is a Man in the Middle (MitM) Attack?

A man-in-the-middle (MitM) attack is a leading cyber threat that gets its name from the fact that an attacker inserts themselves between two communicating parties. If all communications pass through the attacker en route to their destination, this creates the potential for the attacker to drop, read, or modify messages before they reach the intended recipient.


How a Man-in-the-Middle (MitM) Attack Works

To perform a MitM attack, the attacker needs to accomplish two goals. First, they need to insert themselves into the communication in a way that enables them to intercept traffic en route to its destination. Some of the ways in which an attacker could accomplish this include:

  • Malicious Wi-Fi: All Wi-Fi traffic flows through a wireless access point (AP), so an attacker who controls a wireless AP and can trick users into connecting to it can intercept all of their traffic.
  • ARP Spoofing: The Address Resolution Protocol (ARP) is used to map IP addresses to MAC addresses. By sending fake ARP messages, an attacker maps the target’s IP address to the attacker’s own MAC address, causing the target’s traffic to be sent to the attacker instead.
  • DNS Spoofing: The Domain Name System (DNS) maps domain names to IP addresses. Poisoning a DNS cache with fake DNS records can cause traffic to the target domain to be routed to the attacker’s IP address.
  • BGP Hijacking: The Border Gateway Protocol (BGP) is used to identify the autonomous system (AS) with the best route to a particular IP address. BGP hijacking involves advertising a fake route to cause certain traffic to flow through the attacker’s systems.
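A defender-side illustration of the ARP spoofing entry above, added here and not part of the original article: a small monitor that flags when an IP address's MAC binding changes, when a trusted host such as the default gateway is claimed by an unexpected MAC, or when one MAC starts answering for several IP addresses. The addresses and timestamps below are constructed sample data, not captured traffic.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class ArpMonitor:
    # Known-good bindings for hosts worth protecting (e.g. the default gateway).
    # Constructed values; in practice, seed from DHCP leases or an inventory.
    trusted: dict[str, str]
    # ip -> MACs that have claimed it; mac -> IPs it has claimed
    observed: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))
    claims: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))

    def process(self, ts: float, ip: str, mac: str) -> list[str]:
        """Feed one ARP reply (sender IP/MAC); return any alerts it triggers."""
        mac = mac.lower()
        alerts: list[str] = []
        expected = self.trusted.get(ip)
        if expected is not None and mac != expected:
            alerts.append(f"{ts}: trusted host {ip} claimed by {mac}, expected {expected}")
        # A binding that flips mid-session is the classic spoofing signature.
        # Note: DHCP reassigning an address is a legitimate source of flips.
        if self.observed[ip] and mac not in self.observed[ip]:
            alerts.append(f"{ts}: {ip} moved from {sorted(self.observed[ip])} to {mac}")
        self.observed[ip].add(mac)
        # One MAC answering for several IPs suggests it is impersonating them
        # (routers holding several addresses are a known false-positive source).
        is_new_claim = ip not in self.claims[mac]
        self.claims[mac].add(ip)
        if is_new_claim and len(self.claims[mac]) > 1:
            alerts.append(f"{ts}: {mac} now claims {sorted(self.claims[mac])}")
        return alerts

# Constructed ARP replies: (timestamp, sender IP, sender MAC). The third
# reply is host .20 falsely announcing itself as the gateway .1.
SAMPLE_REPLIES = [
    (1.0, "192.168.1.1", "AA:BB:CC:00:00:01"),
    (2.0, "192.168.1.20", "de:ad:be:ef:00:20"),
    (3.0, "192.168.1.1", "de:ad:be:ef:00:20"),
]

def run_sample() -> list[str]:
    """Replay SAMPLE_REPLIES through a monitor that trusts the gateway binding."""
    monitor = ArpMonitor(trusted={"192.168.1.1": "aa:bb:cc:00:00:01"})
    alerts: list[str] = []
    for ts, ip, mac in SAMPLE_REPLIES:
        alerts.extend(monitor.process(ts, ip, mac))
    return alerts
```

The same checks apply to gratuitous ARP announcements, which are the usual vehicle for poisoning a victim's cache.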

Once in the middle of a communication, the attacker needs to be able to read the messages; however, a significant percentage of internet traffic is encrypted using SSL/TLS. If traffic is encrypted, then reading and modifying the messages requires the ability to spoof or break the SSL/TLS connection.

This can be accomplished in a few different ways. If an attacker can trick the user into accepting a fake digital certificate for a site, then the attacker would be able to decrypt the client’s traffic and read or modify it before sending it on to the server. Alternatively, an attacker can break the security of the SSL/TLS session using SSL stripping or downgrade attacks.

Examples of Man-in-the-Middle Attacks

MitM attacks can be carried out in various ways, which depend on the protocol being attacked and the attacker’s goal. For example, performing a MitM attack is easier when the communication stream is unencrypted and when the attacker is naturally located on the route that the target traffic will take.

Scenario 1: Vulnerable IoT/Mobile Application

The average user has been educated on how to determine if their web browsing session is encrypted based on the https and lock icon in the URL bar. However, verifying that data streams are encrypted is more difficult with mobile applications and Internet of Things (IoT) devices. It is not uncommon for these to have poor security and to use unencrypted protocols, such as Telnet or HTTP, to communicate.

If this is the case, then an attacker can easily read and potentially modify the data flowing between the mobile app or IoT device and the server. By using a wireless access point or some form of spoofing, the attacker can insert themselves into the communication stream so that all traffic flows through them. Since these protocols lack built-in checks for data integrity or authenticity, the attacker can change the contents of the traffic at will.

Scenario 2: Fake Digital Certificates

SSL/TLS is designed to protect against MitM attacks by providing confidentiality, integrity, and authentication to network traffic. However, it relies on the user only accepting valid digital certificates for a particular domain. If the attacker can trick the user into visiting a phishing site, convince them to accept a fake certificate, or compromise the digital certificate that a company uses for SSL inspection, then these protections are broken.

In this scenario, the attacker maintains two separate sessions encrypted with SSL/TLS. In one, they connect to the client while masquerading as the server and presenting their fake SSL/TLS certificate. In the other, they pose as a client connecting to the legitimate server. Since the attacker controls both sessions, they can decrypt data from one session, inspect and modify it, and re-encrypt it for the other session.

Man-in-the-Middle Attack Prevention

MitM attacks depend on the attacker being able to intercept and read traffic. Some Internet security best practices to prevent this include:

  • Beware of Public Wi-Fi: Traffic over public Wi-Fi all passes through the AP, which may be under the control of an attacker. Only connect to known and trusted Wi-Fi networks.
  • Use a VPN: Virtual private networks (VPNs) encrypt traffic between a remote user or site and the VPN endpoint. This prevents a MitM attacker from reading or modifying intercepted traffic.
  • Validate Digital Certificates: A legitimate website should always have a digital certificate that shows up as valid in a browser. Trusting a suspicious certificate could enable a MitM attack.

Protect Against MITM with Check Point

Check Point remote access VPNs can help to protect remote employees against MitM attacks and other cyberattacks. To learn more about the cyber threats that your organization faces, check out the 2022 Cyber Security Report. Then, take the free Security Checkup to learn how your organization can improve its security posture.
