What is a MITM attack?
A man-in-the-middle attack (MITM) happens when communication between two systems is intercepted by an outside entity. This can happen in any form of online communication, such as email, social media and web browsing. The attacker is not only trying to eavesdrop on your private conversations; they can also go after all the information stored on your devices.
The goal of a man-in-the-middle attack is to steal personal information, such as login credentials, account details and credit card numbers. Targets are typically the users of financial applications, SaaS businesses, e-commerce sites and other websites where logging in is required.
Information obtained during an attack can be used for many purposes, including identity theft, unapproved fund transfers and illicit password changes.
Broadly speaking, a man-in-the-middle attack is the equivalent of a mailman opening your bank statement, writing down your account details and then resealing the envelope and delivering it to your door.
How Does a Man-in-the-Middle Attack Work?
Over the years, hackers have found various ways to execute man-in-the-middle attacks. Believe it or not, it has become relatively cheap to buy a hacking tool online, which shows how easy hacking someone can be if you have enough money.
A successful MITM attack has two distinct phases: interception and decryption. The common types of man-in-the-middle attack described below each belong to one of these phases.
The first phase intercepts user traffic, routing it through the attacker’s network before it reaches its intended destination.
The most common and simplest way of doing this is a passive attack, in which the attacker sets up free, malicious public WiFi hotspots. These hotspots have no password and are typically named in a way that corresponds to their location. Once a victim connects to such a hotspot, the attacker gains full visibility of every online data exchange.
Attackers wishing to take a more active approach to interception may launch one of the following attacks:
- IP spoofing: The attacker disguises himself as an application by altering the IP address in packet headers. Users attempting to access a URL connected to the application are then sent to the attacker’s website.
- ARP spoofing: This is the process of linking the attacker’s MAC address with the IP address of a legitimate user on a local area network, using fake ARP messages. As a result, data the user sends to the host IP address is instead transmitted to the attacker.
- DNS spoofing: Also known as DNS cache poisoning, this involves infiltrating a DNS server and altering a website’s address record. The changed DNS record sends users who were attempting to access the site to the attacker’s site instead.
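ARP spoofing leaves a visible trace on the LAN: a legitimate IP address suddenly resolves to a different MAC address, and one MAC address starts claiming several IPs (typically the gateway and the victim, so traffic can be relayed between them). The following detector, an added example that is not code from the original article, runs that logic over a constructed list of ARP replies; in practice the tuples would come from a packet capture or the host's neighbour table, and `known_bindings` could be seeded with a static entry for the gateway.

```python
"""Detect ARP cache poisoning indicators in a stream of ARP replies.

Two indicators are flagged:
  1. an IP whose MAC changes (someone is re-claiming a known address), and
  2. one MAC that claims more than one IP (typical when the attacker claims
     both the gateway and a victim to proxy traffic between them).
"""
from collections import defaultdict

# Constructed sample input: (timestamp, sender_ip, sender_mac) as a LAN
# monitor would record them. Not captured from a real network.
SAMPLE_REPLIES = [
    (1, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),   # gateway, legitimate
    (2, "192.168.1.20", "aa:aa:aa:aa:aa:20"),   # workstation, legitimate
    (3, "192.168.1.30", "aa:aa:aa:aa:aa:30"),
    (4, "192.168.1.1",  "de:ad:be:ef:00:01"),   # gateway re-claimed by another MAC
    (5, "192.168.1.20", "de:ad:be:ef:00:01"),   # same MAC now claims the victim too
]


def detect_arp_anomalies(replies, known_bindings=None):
    """Return a list of alert strings for the replies seen so far.

    known_bindings optionally seeds the expected IP -> MAC table (for
    example a static entry for the default gateway).
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (known_bindings or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)

    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()

        # Indicator 1: a known IP now answers from a different hardware address.
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"t={ts}: {ip} changed from {previous} to {mac}")
        ip_to_mac[ip] = mac

        # Indicator 2: one hardware address is claiming several IPs.
        # Only alert when the set grows, so a chatty host is reported once.
        ips = mac_to_ips[mac]
        if ip not in ips:
            ips.add(ip)
            if len(ips) > 1:
                alerts.append(f"t={ts}: {mac} claims {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_anomalies(SAMPLE_REPLIES):
        print(line)
```

Real-world filters worth adding before paging anyone: DHCP lease churn legitimately moves an IP between MACs over days, and routers with VRRP/HSRP legitimately answer for more than one address, so a production version keeps an allow list for those cases.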
After interception, any two-way SSL traffic needs to be decrypted without alerting the user or application. Methods that exist to achieve this include:
- HTTPS spoofing: Once the initial connection request to a secure site is made, the attacker sends a dummy certificate to the victim’s browser. It holds a digital thumbprint associated with the compromised application, and the browser verifies it against its existing list of trusted sites. The attacker is then able to access any data the victim enters before it is passed to the application.
- SSL BEAST (browser exploit against SSL/TLS): This targets a vulnerability in TLS version 1.0. Here, malicious JavaScript infects the victim’s computer and intercepts encrypted cookies sent by a web application. The application’s cipher block chaining (CBC) is then compromised so as to decrypt its cookies and authentication tokens.
- SSL hijacking: This occurs when an attacker passes forged authentication keys to both the user and the application during a TCP handshake. This sets up what appears to be a secure connection when, in fact, the man-in-the-middle controls the entire session.
- SSL stripping: This downgrades an HTTPS connection to HTTP by intercepting the TLS authentication sent from the application to the user. The attacker sends an unencrypted version of the application’s site to the user while maintaining the secured session with the application. Meanwhile, the user’s entire session is visible to the attacker.
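On the client side, the HTTPS spoofing, BEAST and SSL hijacking techniques above are blunted by two settings: refusing the legacy TLS versions and insisting on full certificate and hostname validation, plus pinning the expected certificate fingerprint so a forged certificate is rejected even if some trust store would accept it. The code below is an added example written for this article, not code from the original page. The certificate bytes are a constructed placeholder rather than a real certificate; a real client would take them from `SSLSocket.getpeercert(binary_form=True)` after the handshake, and the pin value would be recorded by the operator at deployment time.

```python
"""Client-side TLS hardening: modern protocol floor, mandatory validation,
and certificate fingerprint pinning (Python standard library only)."""
import hashlib
import hmac
import ssl


def make_strict_context():
    """Build a client context that rules out the weak configurations above."""
    # Start from the platform defaults: system CA store, sane cipher list.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # Forbid TLS 1.0 and 1.1; BEAST depends on the TLS 1.0 CBC behaviour.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # These are already the SERVER_AUTH defaults; they are set explicitly
    # because turning them off is the classic mistake that lets a dummy
    # certificate through.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cert_fingerprint(der_bytes):
    """SHA-256 of the DER encoding, colon separated like browser UIs show it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der_bytes, expected_fingerprint):
    """Compare fingerprints in constant time so a mismatch cannot be timed."""
    actual = cert_fingerprint(der_bytes).replace(":", "").lower()
    expected = expected_fingerprint.replace(":", "").lower()
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for a server certificate (NOT a real DER certificate).
# The pin is derived from it exactly as an operator would record a real one.
CONSTRUCTED_CERT_DER = b"\x30\x82\x01\x00example-only-not-a-real-certificate"
PINNED_FINGERPRINT = cert_fingerprint(CONSTRUCTED_CERT_DER)


def check_peer(der_bytes, pinned=PINNED_FINGERPRINT):
    """Run after the handshake: refuse the session unless the pin matches."""
    if not pin_matches(der_bytes, pinned):
        raise ssl.SSLCertVerificationError(
            "certificate fingerprint does not match the pinned value")
    return True


if __name__ == "__main__":
    ctx = make_strict_context()
    print("minimum TLS version:", ctx.minimum_version.name)
    print("pinned fingerprint:", PINNED_FINGERPRINT)
    print("genuine cert accepted:", check_peer(CONSTRUCTED_CERT_DER))
```

A pinned fingerprint has to be rotated whenever the server's certificate is reissued, so deployments usually pin a backup key as well; the check is still worth having for an application's own API endpoints, where the client and server are controlled by the same organisation.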
How to Prevent a Man-in-the-Middle Attack?
Blocking MITM attacks requires several practical steps on the part of users, as well as a combination of encryption and verification methods for applications.
Strong WEP/WPA Encryption on Access Points
Having a strong encryption mechanism on wireless access points prevents unwanted users from joining your network just by being nearby. A weak encryption mechanism can allow an attacker to brute-force his way into a network and begin a man-in-the-middle attack. The stronger the encryption implementation, the safer the network.
Virtual Private Network
VPNs can be used to create a secure environment for sensitive information within a local area network. They use key-based encryption to create a subnet for secure communication. This way, even if an attacker happens to get onto a shared network, he will not be able to decipher the traffic inside the VPN.
HTTPS
HTTPS can be used to communicate securely over HTTP using public-private key exchange. This prevents an attacker from making any use of the data he may be sniffing. Websites should only use HTTPS and not provide HTTP alternatives. Users can install browser plugins that force HTTPS on every request.
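"Only use HTTPS and provide no HTTP alternative" is exactly the property that defeats SSL stripping, and HSTS (the `Strict-Transport-Security` header) is how a site makes browsers enforce it on later visits without a plugin. The following model, an added example and not code from the original article, shows both halves of the mechanism: the decision an edge server makes on every request, and the browser-side cache that rewrites `http://` URLs before they leave the machine. The hostname `example.com` and the one-year `max-age` are assumptions.

```python
"""Server-side and browser-side halves of the HTTPS-only / HSTS defence
against SSL stripping."""
from urllib.parse import urlsplit, urlunsplit

CANONICAL_HOST = "example.com"              # assumed site name
HSTS_MAX_AGE = 31536000                     # one year, in seconds (assumed policy)
HSTS_VALUE = f"max-age={HSTS_MAX_AGE}; includeSubDomains"


def handle_request(scheme, host, path):
    """Return (status, headers) for an incoming request, before any app code runs.

    Plain-HTTP requests get a permanent redirect to the HTTPS URL and nothing
    else: no page content and no cookies, so an attacker holding the HTTP
    side of a stripped session learns nothing from the response. HTTPS
    responses carry the HSTS header so the browser refuses HTTP for this
    host on later visits.
    """
    if scheme != "https":
        target = urlunsplit(("https", CANONICAL_HOST, path, "", ""))
        return 301, {"Location": target, "Content-Length": "0"}
    return 200, {"Strict-Transport-Security": HSTS_VALUE}


class HstsCache:
    """Model of the browser side: once a host has sent HSTS over HTTPS,
    rewrite its http:// URLs to https:// before any request is sent.
    Every entry is treated as includeSubDomains, matching HSTS_VALUE above."""

    def __init__(self):
        self.hosts = set()

    def observe_response(self, host, headers):
        # Browsers only honour the header on a genuine HTTPS response; the
        # caller is expected to pass headers from such a response.
        if "Strict-Transport-Security" in headers:
            self.hosts.add(host.lower())

    def _covered(self, hostname):
        return hostname in self.hosts or any(
            hostname.endswith("." + h) for h in self.hosts)

    def rewrite(self, url):
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self._covered(parts.hostname):
            return urlunsplit(("https", parts.hostname, parts.path,
                               parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    print(handle_request("http", CANONICAL_HOST, "/login"))
    cache = HstsCache()
    _, hdrs = handle_request("https", CANONICAL_HOST, "/login")
    cache.observe_response(CANONICAL_HOST, hdrs)
    print(cache.rewrite("http://example.com/login"))
```

The remaining gap is the very first visit, before the browser has ever seen the header; that is what the HSTS preload list exists for, and why the redirect response above deliberately carries no content.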
Public Key Pair Based Authentication
Man-in-the-middle attacks typically involve spoofing one thing or another. Public key pair based authentication like RSA can be used at various layers of the stack to help ensure that the things you are communicating with are actually the things you want to be communicating with.