Man-in-the-Middle Attacks: Risks, Detection, and Defense Strategy
A Man-in-the-Middle (MitM) attack — also known as an on-path attack — occurs when an attacker inserts themselves between two communicating parties. The attacker then intercepts the messages flowing between them, while potentially pretending to be the other party.
MitM attacks are a significant threat when communicating over an untrusted network. An on-path attacker can always perform a denial-of-service (DoS) attack by dropping the packets they intercept. If the session also lacks confidentiality, integrity and peer-authentication protections, such as those provided by properly configured TLS or a VPN, the attacker can read and modify the messages in transit as well. Authentication is the part that actually defeats interception: encryption alone, with no way to verify who holds the other end of the tunnel, lets an attacker terminate one encrypted session with each party and relay between them.
Man-in-the-Middle Attack Types
An on-path attack can work in one of two ways. Either the attacker is already on the communications path between the two parties (an ISP, a compromised router, the operator of a Wi-Fi network), or they manipulate the network to force traffic to flow through them. Some of the methods that attackers use to do so include:
- Public Wi-Fi: Public wireless networks are either unencrypted or protected by a password shared by all users. On an open network, anyone in radio range can capture the frames the target sends to the access point. On a WPA2-Personal network, anyone who knows the shared password and captures a client's association handshake can derive that client's session key and decrypt its traffic (WPA3's SAE handshake closes this gap). An attacker operating a malicious access point, a rogue AP or "evil twin" that mimics a legitimate network's name, has complete control over the traffic flowing through it.
- ARP Spoofing: The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses on a local subnet. A host that needs to reach an IP address broadcasts an ARP request and caches the MAC address from whatever reply arrives; ARP has no authentication, and most stacks also accept unsolicited (gratuitous) replies. An attacker on the same segment sends replies claiming that the gateway's IP address belongs to their own MAC address (and, to relay in both directions, that the victim's IP address belongs to them as well), so both sides of the conversation deliver their frames to the attacker's machine, which forwards them on.
- IP Spoofing: IP addresses identify the source and destination of a packet, and nothing in IPv4 or IPv6 verifies the source field. In an IP spoofing attack, the attacker writes another host's address into the source field so the packet appears to come from that host. On its own this does not put the attacker on the path, because replies go to the spoofed address rather than to the attacker; it is used to inject packets into an existing session (a forged TCP reset, for example), to impersonate a host that a service trusts by IP address, and as a building block of the other techniques listed here.
- DNS Hijacking: The Domain Name System (DNS) maps domain names (like kzero.com) to IP addresses. In a DNS hijacking attack, the attacker causes a name to resolve to an address they control, whether by poisoning a resolver's cache, by compromising the authoritative records or the registrar account, or by changing the resolver that the victim's device or home router is configured to use. When users attempt to visit the website, they receive the attacker's IP address and connect to the attacker's server, which can proxy the real site while reading and altering what passes through.
- BGP Hijacking: The Border Gateway Protocol is used by the networks that make up the Internet, called autonomous systems (AS) in the protocol, to announce which IP prefixes they can reach. Like ARP, plain BGP assumes that all announcements are truthful. A malicious or compromised AS can announce a prefix it does not own, or a more specific prefix that wins route selection, causing traffic for that address range to be routed through the attacker's network. Route origin validation with RPKI lets operators reject announcements from the wrong origin AS, but it is not universally deployed.
- Email Hijacking: In an email hijacking attack, the attacker inserts themselves into an email conversation, intercepting and modifying communications between parties. For example, an attacker with access to one party’s mailbox could steal sensitive data or impersonate them to the other.
- Vulnerability Exploitation: Some encrypted network protocols have weaknesses that allow an attacker to decrypt or tamper with traffic. TLS traffic, for example, may be vulnerable to downgrade attacks, in which an on-path attacker interferes with the handshake so that the client and server fall back to an older, weaker protocol version or cipher suite. SSL 3.0 (POODLE) is the classic case; TLS 1.3 includes explicit downgrade protection in its handshake, and TLS_FALLBACK_SCSV protects clients that retry a connection with an older version.
In all of these scenarios the attacker gains access to the target's traffic, either passively, by eavesdropping on wireless frames that are broadcast for anyone in range to capture, or actively, by rerouting the target's traffic through the attacker's systems so that it can be modified as well as read.
Risks and Consequences
MitM attacks provide the attacker with visibility into and potentially control over the target’s network traffic. A Man-in-the-Middle attacker can perform a few different actions, including:
- Eavesdropping: A MitM attacker can read any unencrypted traffic they intercept. If the target uses a cleartext protocol such as Telnet, FTP or HTTP, the attacker can extract login credentials and other sensitive data directly from the stream. Even when the target uses an encrypted protocol such as TLS, the attacker still sees metadata: the destination IP address and port, packet sizes and timing, and, unless Encrypted Client Hello is in use, the server name in the TLS Server Name Indication (SNI) field, which reveals which site is being visited.
- Modification: For unencrypted and unauthenticated protocols, a MitM attacker can modify traffic en route. The same is possible against encrypted traffic if the session keys were established with an unauthenticated key exchange, such as raw Diffie-Hellman with no signature or pre-shared secret tying the exchanged values to the parties' identities. In that case the attacker substitutes their own public values, negotiates one key with each party, and decrypts, edits and re-encrypts everything that passes between them.
- Denial of Service (DoS): If the target's communications flow through the attacker's system, due to ARP spoofing, DNS hijacking or BGP hijacking, the attacker can perform a DoS attack. Even without any knowledge of a packet's contents, the attacker can drop it to prevent the target from communicating with the other party.
A successful MitM attack can have dramatic consequences for an individual or organization. For example, an attacker who intercepts login credentials can use them to gain access to an organization’s systems. Intercepting sensitive data sent via an unencrypted protocol could result in a violation of personal privacy or a data breach. Modifying traffic en route could cause unauthorized commands to be executed on a system.
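The Modification bullet above describes the unauthenticated key-exchange case in words. The following is an added example, not code from the original page, that plays the exchange out: Alice and Bob run a toy Diffie-Hellman exchange while Mallory sits on the path and swaps in her own public values, and then the same exchange with each public value authenticated. The group (the Mersenne prime 2^127 - 1 with generator 2) is a constructed toy and not secure, and the "long-term key" used with HMAC is a stand-in for the signature or pre-shared secret that a real protocol uses (TLS signs the exchange in CertificateVerify; SSH uses the host key; IKEv2 has a PSK mode).

```python
"""Unauthenticated vs authenticated Diffie-Hellman under an on-path attacker.
Added illustration; the group and the HMAC-based authentication are toys."""
import hashlib
import hmac
import secrets

# Constructed toy group (NOT secure): Mersenne prime 2^127 - 1, generator 2.
# Real deployments use an RFC 7919 group or an elliptic curve.
P = (1 << 127) - 1
G = 2


def dh_keypair():
    """Return (private, public) with public = G^private mod P."""
    priv = secrets.randbelow(P - 2) + 1          # 1 <= priv <= P - 2
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Hash the DH shared secret into a 256-bit session key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def unauthenticated_exchange():
    """Raw public values on the wire. Mallory replaces each one with her own and
    ends up sharing a key with Alice and a different key with Bob; she decrypts
    with one and re-encrypts with the other. Returns every party's keys."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    alice_key = session_key(a_priv, m_pub)        # Alice believes m_pub is Bob's
    bob_key = session_key(b_priv, m_pub)          # Bob believes m_pub is Alice's
    return {
        "alice": alice_key,
        "bob": bob_key,
        "mallory_with_alice": session_key(m_priv, a_pub),
        "mallory_with_bob": session_key(m_priv, b_pub),
    }


def mac_tag(long_term_key, role, pub):
    """Stand-in for a signature over the public value, bound to the sender's role."""
    return hmac.new(long_term_key, role + pub.to_bytes(16, "big"), hashlib.sha256).digest()


def authenticated_exchange(attacker_on_path):
    """Each public value travels with a tag under a key Mallory does not hold.
    Returns (alice_key, bob_key), or None if either side rejects the peer value."""
    ltk = secrets.token_bytes(32)                 # shared out of band; never on the wire
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    to_bob = (a_pub, mac_tag(ltk, b"alice", a_pub))
    to_alice = (b_pub, mac_tag(ltk, b"bob", b_pub))
    if attacker_on_path:
        _, m_pub = dh_keypair()
        # Mallory can swap the value but cannot produce a valid tag for it.
        to_bob = (m_pub, to_bob[1])
        to_alice = (m_pub, to_alice[1])
    if not hmac.compare_digest(mac_tag(ltk, b"alice", to_bob[0]), to_bob[1]):
        return None                               # Bob aborts the handshake
    if not hmac.compare_digest(mac_tag(ltk, b"bob", to_alice[0]), to_alice[1]):
        return None                               # Alice aborts the handshake
    return session_key(a_priv, to_alice[0]), session_key(b_priv, to_bob[0])


if __name__ == "__main__":
    keys = unauthenticated_exchange()
    print("Mallory shares Alice's key:", keys["alice"] == keys["mallory_with_alice"])
    print("Mallory shares Bob's key:  ", keys["bob"] == keys["mallory_with_bob"])
    print("Authenticated, under attack:", authenticated_exchange(True))
    a, b = authenticated_exchange(False)
    print("Authenticated, no attack, keys match:", a == b)
```

The point the code makes is that the encryption in the first exchange is real and strong, and useless: Alice and Bob each hold a perfectly good key, just not with each other. Only the authentication step, whatever form it takes, ties the key to the intended peer.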
Detection, Prevention, and Mitigation
MitM attacks can be extremely damaging, with the potential for data breaches and other negative effects. Organizations and individuals can take various steps to detect, prevent, and mitigate these threats.
Detection Techniques
MitM attacks can be very subtle, especially if an attacker has privileged, legitimate access to network traffic, such as an ISP. Some methods for detecting man-in-the-middle attacks include the following:
- Network Monitoring: MitM attacks can introduce anomalies that monitoring can catch. Rerouting traffic through an attacker's system for inspection or modification tends to add latency, though latency is noisy and rarely conclusive on its own. More specific indicators include an extra hop or a lowered TTL on packets that previously took a direct route, a gateway whose MAC address suddenly changes, or a burst of unsolicited ARP replies on a segment.
- Digital Certificate Validation: Most websites and online services use digital certificates to authenticate the server and set up encryption. A certificate that is untrusted, self-signed, issued for the wrong name, or signed by an unexpected root CA (for example a corporate inspection CA appearing on a personal device) may indicate a man-in-the-middle. Certificate pinning in clients and monitoring Certificate Transparency logs for unexpected certificates issued for your own domains make this check systematic rather than ad hoc.
- Cache Inspection: ARP and DNS hijacking attacks work by placing false entries in an ARP or DNS cache. Periodically checking cache entries against a known-good baseline, for instance flagging a gateway whose MAC address changed or two IP addresses that suddenly share one MAC address, can reveal attempted MitM attacks.
- Wireless Network Monitoring: A MitM attacker may set up a rogue AP to trick targets into connecting to it, providing the attacker with access to their network traffic. Periodically checking for unauthorized wireless APs can help with detecting this particular man-in-the-middle technique.
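The cache-inspection and gateway-MAC checks described above can be scripted. What follows is an added example, not code from the original page: it parses the output format of `ip neigh show` on Linux and reports the two signatures an ARP-spoofing attack leaves in the cache, a baseline mismatch for the gateway and one MAC address answering for several IP addresses. The sample output and the baseline mapping are constructed; the attacker's MAC, the addresses and the interface name are all assumptions. Routers that legitimately answer for several addresses (VRRP/HSRP virtual IPs) can be whitelisted with `allow_shared` to keep the duplicate check from firing on them.

```python
"""Flag ARP-cache symptoms of ARP spoofing from `ip neigh show` output.
Added illustration; sample data and baseline are constructed."""
import re
from collections import defaultdict

# Constructed sample. The last two lines show a poisoned cache: the gateway
# 192.168.1.1 and the host 192.168.1.50 both resolve to the MAC address that
# 192.168.1.77 (the attacker's machine, assumed) legitimately owns.
SAMPLE_IP_NEIGH = """\
192.168.1.10 dev eth0 lladdr 3c:52:82:11:22:33 REACHABLE
192.168.1.23 dev eth0 lladdr b8:27:eb:44:55:66 STALE
192.168.1.99 dev eth0  FAILED
192.168.1.77 dev eth0 lladdr 08:00:27:de:ad:01 REACHABLE
192.168.1.1 dev eth0 lladdr 08:00:27:de:ad:01 REACHABLE
192.168.1.50 dev eth0 lladdr 08:00:27:de:ad:01 DELAY
"""

# Known-good mapping recorded while the network was trusted (constructed).
BASELINE = {"192.168.1.1": "00:1a:2b:3c:4d:5e"}

# `ip neigh` line: "<ip> dev <iface> [lladdr <mac>] <state>"; FAILED entries carry no lladdr.
LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9A-Fa-f:]{17}))?\s+(?P<state>\S+)$"
)


def parse_ip_neigh(text):
    """Return a list of (ip, mac, state); mac is None for entries without lladdr."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                  # skip anything unrecognised
        mac = m["mac"].lower() if m["mac"] else None
        entries.append((m["ip"], mac, m["state"]))
    return entries


def find_arp_anomalies(entries, baseline, allow_shared=frozenset()):
    """Return human-readable findings: baseline mismatches (gateway spoofing) and
    MACs that claim several IPs. `allow_shared` lists MACs allowed to do the latter."""
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac, _state in entries:
        if mac is None:
            continue
        ips_by_mac[mac].append(ip)
        expected = baseline.get(ip)
        if expected and mac != expected.lower():
            findings.append(
                f"{ip} now at {mac}, baseline says {expected.lower()} (possible gateway spoof)"
            )
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1 and mac not in allow_shared:
            findings.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    # On a real host: subprocess.run(["ip", "neigh", "show"], capture_output=True, text=True).stdout
    for finding in find_arp_anomalies(parse_ip_neigh(SAMPLE_IP_NEIGH), BASELINE):
        print("ALERT:", finding)
```

Run this from cron on endpoints or from a monitoring agent and feed the findings into whatever alerting you already have. The baseline is the valuable part: a MAC change for the default gateway is a strong signal, while a shared MAC alone needs the whitelist to avoid false positives from legitimate virtual-router setups.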
Prevention Strategies
Man-in-the-middle attack prevention is always better than detection. Some best practices to reduce the risk of a MitM attack include the following:
- Encrypted Protocols: Encryption is one of the best defenses against MitM attacks. Protocols such as TLS prevent an attacker from reading traffic and detect any modification of it. The protection depends on the client authenticating the server through its certificate; if certificate validation is disabled in code or its errors are clicked through, an attacker simply presents their own certificate and the encryption protects nothing.
- Secure Protocols: In addition to using encrypted protocols, it is important to verify that the versions and configurations in use are actually secure. SSL 3.0 and TLS 1.0 and 1.1 are deprecated (TLS 1.0 and 1.1 formally by RFC 8996) because of weaknesses an attacker can exploit to undermine the encryption; servers and clients should require TLS 1.2 or later and leave no downgrade path to older versions.
- Virtual Private Networks: A VPN carries all of a device's traffic over one encrypted, authenticated tunnel to the VPN endpoint. That protects every application at once, including those that still use cleartext protocols, against eavesdroppers between the device and the endpoint, which is exactly the exposure on public Wi-Fi. Traffic is unprotected again once it leaves the VPN endpoint, so a VPN complements end-to-end protection such as TLS rather than replacing it.
- Certificate Management: Digital certificates are vital to the authentication and encryption of network traffic. An automated certificate management system keeps certificates valid and renewed before they expire. This matters for MitM defense because users who are trained by expired certificates on legitimate sites to expect and dismiss warnings will also dismiss the warning an attack produces.
- Employee Education: In some cases, man-in-the-middle attacks are indicated by error messages, such as a browser claiming that a provided digital certificate is untrusted. Training users to recognize these issues and properly respond to them reduces the risk that they will bypass these protections.
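The Encrypted Protocols and Secure Protocols points above come down to a few client-side settings. The following is an added example, not code from the original page, using Python's standard `ssl` module: the insecure context that many scripts end up with (verification off, old versions allowed), the hardened one beside it, and an audit function that reports the settings which let an on-path attacker substitute their own certificate or force an old version. `fetch_peer_certificate` needs network access and is not exercised by the rest; the host names in it are placeholders.

```python
"""Weak vs hardened client TLS context, with an audit of MitM-relevant settings.
Added illustration using only the standard library."""
import socket
import ssl


def weak_client_context():
    """The 'just make the error go away' context. It accepts any certificate for
    any name, so an attacker who presents their own certificate gets an
    encrypted session with the client and can read everything inside it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # re-enables deprecated versions
    except ValueError:
        pass                            # OpenSSL built without TLS 1.0 refuses outright
    return ctx


def hardened_client_context(cafile=None):
    """Verify the chain against the system bundle (or a pinned private CA file),
    check the hostname against the certificate, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of the MitM-relevant weaknesses in an SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain verification disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    return findings


def fetch_peer_certificate(host, port=443, ctx=None, timeout=5.0):
    """Connect with the given context and return (negotiated version, peer cert dict).
    With a verifying context the handshake raises ssl.SSLCertVerificationError on a
    bad chain or name, which is the behaviour you want. Requires network access."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, "->", audit_context(ctx) or "no findings")
```

Note that `getpeercert()` returns an empty dict when verification is off, which is a quick way to spot the weak configuration in a running program. For an internal CA, pass its bundle as `cafile` rather than disabling verification; that pins trust to your CA without losing the hostname check.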
Mitigation Strategies
If an attacker successfully performs a MitM attack, an organization can take steps to limit its effects. Some best practices for mitigating the MitM threat include:
- Multi-Factor Authentication (MFA): MitM attacks are commonly used to intercept login credentials for use in later attacks. MFA mitigates this by requiring an additional factor, so a captured password alone does not grant access. One caveat: one-time codes and push approvals can themselves be relayed in real time by a phishing proxy sitting between the user and the real login page. Phishing-resistant methods such as FIDO2/WebAuthn security keys bind each authentication to the origin the browser actually connected to, so a response captured on a lookalike site is rejected by the real one.
- Patch Management: MitM attackers may use their access to exploit vulnerable systems. Promptly applying patches and updates helps to reduce the threat of these attacks.
- Endpoint Security: Man-in-the-middle attacks may be intended to exploit vulnerabilities and deliver malware to a computer, for example by injecting content into an unencrypted download. Endpoint security solutions can help to prevent or mitigate these threats.
Recent Examples and Case Studies
MitM attacks can have various real-world impacts, including stealing sensitive data or money from an organization. The following case studies highlight some of the effects that these attacks have had on organizations in the past.
Equifax
In 2017, Equifax experienced a major data breach, exposing the personal information of over 143 million Americans. In the wake of the incident, the company set up a website equifaxsecurity2017.com.
In addition to the bad practice of using a URL that looks like a phishing site — no relationship to the equifax.com domain — the breach reporting site also used a shared SSL certificate. This means that the same digital certificate was also used by thousands of other websites.
As a result, anyone who obtained the private key of that shared certificate, which was held by the hosting provider and covered thousands of unrelated names, could impersonate the real equifaxsecurity2017.com site to a browser without triggering a certificate warning. From that position an attacker could divert visitors to a malicious page or intercept and modify data sent to the real site.
Malicious Sysadmin
In 2018, a company based in Oxford suffered a ransomware attack. As usual, the cybercriminals behind the attack sent a ransom demand and began negotiating with the company via email.
This case was unusual in that a company sysadmin performed a MitM attack on the company and ransomware group for their own benefit. Taking advantage of their privileges on the network and corporate email server, the sysadmin modified the content of the messages sent by the ransomware gang. This included changing the Bitcoin payment addresses to ones that he controlled and changing the ransom amount and some of the threats made to the company.
In the end, the company elected not to pay the ransom, so the malicious sysadmin received no payout. He was also caught and, five years later, pleaded guilty to the crime in July 2023.
Israeli Startup
In 2019, a cybercriminal stole approximately $1 million from an Israeli startup. This money was sent by a Chinese VC firm and intercepted via a sophisticated MitM attack.
The attacker had access to the victim’s email account, enabling them to see emails in which the startup and VC were negotiating. The attacker then created a pair of lookalike domains — one impersonating each corresponding party — and sent emails to each that appeared to be a reply within the existing thread.
When the victims replied to these emails, they went to the attacker rather than the other organization. The attacker could then perform a man-in-the-middle attack on all future communications, editing email content as needed before sending it on to the other party. The fraud was only detected in the end when Check Point was called in and analyzed email logs once a $1 million payment failed to reach the startup.
Conclusion
In a MitM or on-path attack, an attacker intercepts or eavesdrops on network traffic between two parties. These attacks can be performed in various ways, including eavesdropping on public Wi-Fi traffic, performing hijacking and spoofing attacks using various network protocols or intercepting emails or other messages sent between the two parties.
The effects of a successful MitM attack can be significant for an individual or organization. MitM attacks can, and have, resulted in the theft of sensitive data and significant financial losses for companies. Taking steps to protect communications against these attacks, such as enforcing properly validated TLS, using a VPN on untrusted networks and training employees to recognize attempted attacks, can dramatically reduce an organization's risk exposure.
One common result of man-in-the-middle attacks is the theft of login credentials, allowing an attacker to gain access to corporate accounts. Kelvin Zero’s Multi-Pass eliminates this threat with multi-factor biometric authentication that is immune to MitM and similar attacks. Learn more about securing your employee and user accounts with Multi-Pass.