MITM (Man-in-the-Middle) Attack. What Is It and How to Detect It?

In previous articles, we discussed the general structure of a hacker's attack on your infrastructure. To gather the intelligence and to gain access to your company's (or personal) data he/she usually conducts a Man in the Middle attack (MitM). 

Let’s focus on how such an attack is delivered by a hacker and what you can do to prevent it.

Table of contents

1. MITM (Man-in-the-Middle) – definition
2. How do the MITM attacks proceed? Most common steps
3. Man-in-the-Middle attack prevention
4. MITM attack – summary

MITM (Man-in-the-Middle) – definition

The name of this attack encapsulates the main principle of its execution: threat actors insert a malicious software or device between the victim's computer, smartphone, or any other internet-enabled device and the actual access point/website they attempt to connect to, so they can intercept a victim's transmitted data from the device or the network itself. As a result of session hijacking, an attacker intercepts multiple datasets processed by spoofed devices (i.e. by stealing browser cookies, IP addresses, account details, or server logs).

That being said, MitM is a catch-all term for various attacks based on the same principle – we distinguish, among others:

• HTTPS Spoofing,
• SSL Stripping and SSL Hijacking,
• IP Spoofing,
• ARP Spoofing,
• DNS Spoofing,
• Automatic Proxy Discovery Attack,
• BGP Misdirection.

How do the MITM attacks proceed? Most common steps

One of the most common types of MitM attacks is one in which a hacker installs a rogue access point that masquerades as something else. It usually occurs in one of two ways:

• SCENARIO 1:

The hacker creates a bogus open-access AP with an SSID (name of the network) that will entice people to connect to it – it can be anything, such as "City Free WiFi" or "[name of the location] WiFi." Any device that connects to that network will gain internet access, but the hacker will be able to monitor all traffic passing through the AP.

Of course, this does not mean that he/she will have direct access to your email as long as you browse websites that use the HTTPS connection. Be warned, however, that while decrypting the encryption is difficult, it is still possible to do with a little time and effort. This type of attack is still dangerous because any attempt to access a website that does not support HTTPS will result in the immediate compromise of your credentials for that website. Another risk of connecting to a rogue AP is that the hacker will have much easier access to plant malware on your computer or steal your VPN credentials because you are on the same network as the hacker's device.

• SCENARIO 2:

The hacker obtains a legitimate network password (there are several methods for doing so) and then configures the rogue access point (AP) to pose as the network's actual AP. 

Following that, the hacker sends deauthorization packets to the legitimate AP, pushing all paired devices to reconnect to the network. Because the hacker can provide a stronger signal than the legitimate AP, the mentioned devices are "forced" to connect to the rogue AP. This also includes a long list of devices that were previously connected to the now-compromised network (but are no longer affected by it), as well as IoT devices that will treat any stable connection as a secure connection.

If any of the saved networks are available, each device constantly broadcasts requests. When it discovers fake networks, it will attempt to connect to them automatically by default (unless this setting is changed on the device). Again, all of this will give the hacker the ability to monitor network traffic after it passes through the rogue AP.

Okay, enough with the theory. Let's now learn how to prevent MiTM attacks in practice.

MiTM attack prevention

When determining how to prevent a man-in-the-middle attack, consider the primary methods for securing end-to-end communications. As a result, you can reduce the risk of such attacks by expanding your wifi-usage habits in accordance with the following guidelines:

1. Avoid using public wi-fi and open networks in general. As a rule of thumb,  turn off wifi on any personal device you're using while running errands.
2. Investigate your device's settings and turn off the automatic connections to known networks. It is possible on every major desktop and mobile operating system.
3. If you must use a public network, use "forget this network" after you are finished.
4. Avoid accessing your bank account and other critical resources when connected to a public network (even if it is password protected!). It's best to think of public AP as the main source of malicious traffic.
5. Avoid using your company’s VPN when you are connected to a public network.
6. Learn the difference between a real site and a fake website. If in doubt, confirm its originality with a phone call or a visit to the closest location in person.
7. When connecting to a local area network, ensure that there is only one visible network with that name. There is a possibility of multiple legitimate APs for one network, but it is extremely unlikely to occur for public networks such as Starbucks or McDonald's. If you are unsure about your company's WLAN, you can always contact the IT / Service Desk.

General recommendations apply here as well:

1. Use multi-factor authentication for all critical resources (especially those related to your health, finances, ID, taxes, or personal storage space). Even if your login credentials are compromised, the hacker will struggle to use them for identity theft unless they have access to your next authentication factor. Use different MFAs for each type of sensitive information to increase security even more.
2. Employ weak password prevention. Use a multitude of complex, non-personal passwords for your accounts and personal access points (whether it's a home router or a smartphone router) to make them more difficult to crack. A password with more than 14 random characters (combining upper and lower case, numbers, and special characters) is generally not worth cracking-it would literally take ages to do so.
3. Don't reuse passwords for critical resources (and avoid doing so altogether) – it's one of the simplest attack vectors to check leaked login credentials for specific people's accounts and then use them and their permutations to crack other services' credentials.

Also, keep in mind that whoever controls the AP controls AND monitors the traffic! That is, any AP with an unchecked origin is a threat.

MITM attack – summary

In today's highly connected world, cybersecurity is critical. Knowing what types of attacks you might face can help you keep your data and accounts safe.

Modern technologies, such as Wi-Fi networks, have greatly facilitated business operations. The ability to connect computers and other assets to a network without having to run data cabling to each workstation simplifies the setup of new workers and workstations. Wi-Fi access points, on the other hand, have opened up a new channel for cyberattacks on corporate networks.

Attackers who can get physically close to your company's Wi-Fi routers can use them to intercept your network traffic, jeopardizing your cybersecurity. Even worse, depending on the equipment involved, physical proximity is not required, so the MITM techniques could be applied from as far away from your office as the building's parking lot. Man-in-the-middle attacks have been used by astute attackers to circumvent network device security.

While man-in-the-middle attacks are not as common as other types of cyberattacks, they are still a threat that should be avoided. If you want us to help your business protect against MiTM and other cyber-related threats, contact us @.