Remember that episode of Spongebob Squarepants where the titular character and his best friend Patrick are sitting in their backyards passing messages through blowing bubbles? As usual, their antics bother their neighbor Squidward who decides to retaliate by popping their bubbles, replacing them with new bubbles containing insults. This misunderstanding leads Spongebob and Patrick to become upset with each other as they don’t realize Squidward intercepted and manipulated the conversation. This is the basic framework of a Man-in-the-middle attack.
A Man-in-the-middle attack (MITM) is when the attacker pretends to be a trusted network, namely Wi-Fi, in order to trick unsuspecting victims into connecting to the rogue network and sending over their credentials. MITM attacks can happen anywhere, as devices connect to the network with the strongest signal, and will connect to any SSID name they remember.
MITMs work because the attacker is able to take advantage of an unsecured or misconfigured wi-fi network. The most common way is spoofing an SSID. The attacker will set up shop in an area near the network, such as a coffee shop, deploy a phony Access Point, and “spoof” an SSID be creating a name similar to the target. That way, devices or people will get fooled and connect with the fake SSID, funneling all the desired information to the attacker. If successful, the attacker can steal passwords, credit card numbers, and other account information.
While it’s feasible to pinpoint the attack and put a stop to it, the damage would have already been done because the attacker was able to get the information and leave. This leaves the victim with one burning question. How is the attacker able to farm credentials on a network that’s supposed to be secure?
Vulnerabilities in Credentials:
In order to answer that question, we first need to understand EAP. EAP is the protocol used to transport digital information from two parties, such as device and a server. EAP-TLS, EAP-TTLS/PAP, and PEAP-MSCHAPv2 all use this tunnel for the purpose of securely relaying private information, whether it be a student’s password or important company information. What makes MITM attacks so scary is the attacker established itself as an endpoint of the tunnel, rendering the security useless.
The main reason for these attacks is the blaring security risk of credential-based systems. As our technology evolves over time, so does the ingenuity of hackers. It’s time we faced the fact that passwords have become obsolete and are no match to cyber attacks. EAP-TTLS/PAP and PEAP-MSCHAPv2 put organizations at high risk for credential theft, as one misconfigured device can fall victim to a Man-in-the-Middle attack.
TTLS/PAP’s weak point is using cleartext to send credentials. No encryption of the credentials means less work for the attacker. PEAP does not fair much better since the discovery of a critical weakness in PEAP’s encryption method allows hackers to easily decrypt the data caches and run off with whatever information is inside. With some computer knowledge and a little bit of elbow grease, one attacker could infiltrate, steal, and hightail it out before any would be able to notice.
Does your network use TTLS/PAP or PEAP-MSCHAPv2? Not all hope is lost. One way to help prevent Man-in-the-Middle attacks is Server Certificate Validation. Server Certificate Validation is a setting you can configure on devices that ensures that they only connect to the SSID that belongs to your organization, and not a Man-in-the-Middle attack. While this can help prevent many devices from getting attacked, an organization would need to ensure that all their devices were properly configured with Server Certificate Validation. This is really dangerous because devices can connect to the network, without Server Certificate Validation properly configured. Proper configuration can be enforced with fairly high success rates through Onboarding Software, however the user can always make the decision to configure themselves for network access. This puts the network security in the hands of the users, and takes it out of network administration’s hands. So how do we stop this going forward? The key is to encrypt the information going through the encrypted tunnel, using x.509 Certificates.
Advantages of Certificates:
Certificates add a complex level of digital security. Certificates are digital documents used to prove the identity of devices, just like passwords. Where they differ from passwords is the level of encryption. A hacker deploying a MITM attack may be able to get the certificate, but it would be completely useless for the attacker. This is where EAP-TLS prevails. While all three protocols employ the encrypted tunnel, EAP-TLS requires encryption of the information in the tunnel. This is why EAP-TLS is considered one of the most secure authentication protocols and why tons of major companies are switching over to certificates.
Another advantage to EAP-TLS, is that it requires users to go through an enrollment process, because they need to enroll for a certificate. This enforces the use of organizational Onboarding Software, which ensures that all devices are correctly configured for network authentication. With PEAP-MSCHAPv2 and EAP-TTLS/PAP, devices can always manually configure themselves for network access. This is really insecure because it only takes one misconfigured device to put the network at risk for credential theft, so ensuring all devices are properly configured is a major advantage that EAP-TLS has over the other protocols.
A man-in-the-middle attack is so dangerous because it’s designed to work around the secure tunnel and make itself an endpoint. Encrypting the information is a vital way to stop the attack in its tracks. It seems that everyday we are learning new advancements in technology, but that means bad people are also getting smarter with theft. Passwords alone are no longer a viable option and certificates are the future of online security.