man in the middle attack

Man-in-the-Middle (MITM) Attacks: Explained

Sam Metzler Data Breach, Security Threats

Man-in-the-Middle (MITM) Attacks: Explained

If you’ve ever watched this scene from Spongebob Squarepants, then you have a basic understanding of a man-in-the-middle (MITM) attack.

How Does a Man-in-the-Middle Attack Work?

The attacker sets up rogue hardware pretending to be a trusted network, namely Wi-Fi, in order to trick unsuspecting victims into connecting to it and sending over their credentials. MITM attacks can happen anywhere, as devices connect to the network with the strongest signal, and will connect to any SSID name they remember.

MITM attacks take advantage of an unsecured or misconfigured Wi-Fi network. The most common way is spoofing an SSID. The attacker will set up near the target network, usually in busy places with open Wi-Fi, like a coffee shop. The rogue access point is deployed and the SSID (Wi-Fi name) is “spoofed”, meaning the attacker creates a name similar to the legitimate SSID.

What Makes Man-in-the-Middle Attacks So Dangerous?

MITM attacks can cause so much damage because they can slip into a network undetected, farm private data, and leave before anyone suspects anything. Devices connect to the strongest signal so if someone’s not paying attention, their device can connect with the fake SSID and their passwords will get stolen. MITM attacks can be discovered and stopped, but the attacker can still get away the data already stolen.
Businesses that fall victim to MITM attacks can lose credibility with customers and have to spend time and resources fixing the problem. The IT department will now be in hot water by allowing this attack to occur. Businesses that are victimized by cyber attacks have a 60% chance of going bankrupt in as little as 6 months. Many MITM attacks succeed because of the insecure network.

How Common are Man-in-the-Middle Attacks?

Man-in-the-Middle attacks are incredibly common primarily because it’s an easy attack vector. According to IBM’s X-Force Threat Intelligence Index, 35% of exploitation activity involves Man-in-the-Middle Attacks. One of the prime reasons that MITM have become such a common attack vector is that Wi-Fi is a vulnerable technology. If you’ve connected to the Wi-Fi “Coffee Shop” anytime your device sees any Wi-Fi name “Coffee Shop”, it will automatically send it’s password to the SSID. This makes it super easy for hackers to spoof SSIDs and harvest credentials, and is why MITM attacks are so common.

man-in-the-middle attacks

Types of Man-in-the-Middle Attacks

Man-in-the-middle attacks can be categorized between ‘interception’ and ‘decryption’ because all MITM attacks consist of intercepting data packets and encrypting that data to gain access to the network and all the private data.

Interception

ARP Spoofing

Address Resolution Protocol Spoofing connects an attacker’s MAC address with a legitimate IP address. This connection happens when the hacker sends a fake ARP message over the LAN. The hacker can then start funneling all the data that was intended to reach the legitimate IP address.

DNS Spoofing

Domain Name Server Spoofing involves the hacker sets up a fake website mimicking a genuine one and redirects traffic to the fake. An unsuspecting user will land on the fake page and input their credentials, sending them right to the hacker.

IP Spoofing

Network computers and devices often communicate by transmitting IP data packets and these packets consist of important information, like source address. The trick is to modify the source address so a computer will think it’s connecting to a legitimate IP address, when it’s actually connecting the hacker’s software.

Wi-Fi Eavesdropping

Wi-Fi Eavesdropping is a common type of MITM attack that takes advantage of open, unsecured Wi-Fi. A hacker sets up a malicious network with a boosted signal spoofing the legitimate SSID. Many devices automatically connect to the spoofed SSID and the hacker is able to steal the data and access login credentials.

Decryption

HTTPS Spoofing

Since HTTPS protocol is able to stop spoofing, hackers have created a type of attack where they register domain names mimicking popular domain sites and send links to their victims, exploiting a vulnerability in the address bar. The victim will then connect to the rogue web site and become exposed to credential theft.

SSL Stripping

The HTTPS protocol is a strong security measure that’s been able to stop MITM attacks. This led to a new form of attack that involves infiltrating an online exchange, intercepting a secure HTTPS from a server or web browser, denigrating HTTPS to HTTP, and connecting to the other party. Now, the hacker has entire control over the connection and farms the data.

hacking-mitm

What Happens If You’re Caught in a MITM Attack?

There are several signs to tell if you have become a victim, including suspicious looking captive portals, pop ups, software updates, and error messages. Really, it’s anything that will get you to input your credentials.

What is a Man-in-the-browser (MITB) Attack?

A Man-in-the-browser attack involves the hacker compromising a web browser in order to eavesdrop on a secure online connection. The point of this attack is to trick victims into downloading malware from the browser, whether through a phishing attack or a trojan horse. The victim will click on the URL and the malware will be downloaded onto the device, unbeknownst to the victim.

Can You Stop a MITM Attack?

It’s difficult to catch a MITM attack in the act, which is why they’re so dangerous. However, if you happen to notice one is still happening the best measures to stop one from getting any more information are:

  • Removing your Wi-Fi Connection
  • Switch your connection to a secure VPN (if applicable)
  • Remove the root or intermediate CA from the network (if applicable)

What Procedures Can Prevent Man-in-the-Middle Attacks?

There are several ways you can protect your network, and we’ve rated their security measures here. The most secure method is configuring your devices with certificates and authenticating with EAP-TLS. Certificates function as a unique identifier and can be locked onto devices and servers to be easily identifiable. Certificates are encrypted, so an admin can input all user credentials on a certificate and will stay private even if a malicious actor was able to gain access to the device.

Can TLS be Hacked?

Yes, but only if your network authenticates with EAP-TTLS-PAP or PEAP-MSCHAPv2. Authenticating with credentials leaves networks wide open for MITM attacks and others to bypass security, trick devices into connecting, and farm credentials.

MITM Attacks are Useless Against Certificate-Based EAP-TLS Authentication

While all three protocols employ the encrypted tunnel, EAP-TLS requires encryption of the information in the tunnel. Many major companies are switching over to certificate-based authentication because of EAP-TLS’s superior network security.

When you use EAP-TLS, certificate-based authentication, you eliminate the risk of MITM attacks because you’re not sending any credentials over the air. Certificate-based authentication is the only surefire method to preventing man-in-the-middle attacks, and is one of the reasons why so many organizations depend on EAP-TLS for their Wi-Fi Security.

Also, because EAP-TLS requires users to enroll for a certificate, enforcing the use of organizational onboarding software that correctly configures all devices for network authentication. This automated enrollment process does away with manual configuration, removing the onus from the end user, and ensures devices don’t send credentials to a rogue actor.

mitm attack

Do VPNs Protect from Man-in-the-Middle Attacks?

Virtual Private Networks (VPN) encrypt web traffic by linking a device with a secure server rather than the typical ISP. Due to the Covid-19 pandemic, millions of people are now working remotely and require the use of a VPN so they can access their company’s network from home.

While VPNs are good for securing private information, hackers have introduced cyber attacks specifically designed to target VPNs, still making devices vulnerable. The problem lies with authenticating VPNs with credentials rather than with certificates.

Configuring VPNs with certificates is the best procedure to prevent MITM attacks. Admins can implement a managed PKI system that can secure

Encrypt your Wi-Fi Network with EAP-TLS Certificates to Prevent MITM attacks

A man-in-the-middle attack is so dangerous because it’s designed to work around the secure tunnel and trick devices into connecting to it’s SSID. The best way to prevent MITM attacks is to encrypt the data through certificates and 802.1x EAP-TLS authentication. Passwords are no longer a viable option and certificates are the future of online security. Click here to see how inexpensive and easy it can be to deploy certificates for your Wi-Fi network.


Learn About This Author

Sam Metzler

Sam (aka Slammin Salmon, Street Hustler Sam, Samilstilskin) is a copywriter within the marketing team and a man of many nicknames. He has a degree in Marketing from the University of North Texas with previous experience in mortgage marketing and financial services.