What Is a Man in the Middle (MitM) Attack?

In this article, you will learn what a man in the middle attack is, how they work, the types of techniques used in these attacks, and how to protect yourself against them.

A man in the middle (MitM) attack is when a threat actor intercepts or alters communications between two parties. These types of attacks are typically used by threat actors to gain information during the early reconnaissance stages of a more advanced attack.

What Is the Goal of Man in the Middle Attacks?

  • Reconnaissance: Harvesting credentials and/or insider knowledge to escalate into a more advanced attack
  • Espionage: Gaining access to trade secrets and intercepting private communications
  • Financial Gain: Extracting valuable data such as financial information for sale to other threat actors
  • Disruption: Compromising networks for infamy, entertainment, or revenge

Man in the middle attacks may also be referred to as monster in the middle, machine in the middle, monkey in the middle, and person in the middle (PITM) attacks.

A MitM attack is more of a general concept than a specific technique or tool. These types of attacks can be performed through a variety of ways including:

  • Tricking users into entering their credentials into a fake counterpart of a seemingly legitimate website that is controlled by the attacker
  • Sniffing network traffic by using SSL stripping to force their victims to browse the internet unencrypted, and;
  • Spoofing a legitimate device to intercept connections. 

“Comparing this to physical mail: If you’re writing letters to each other, the mailman can intercept each letter you mail. They open it, read it, eventually modify it, and then repackage the letter and only then send it to whom you intended to send the letter to. The original recipient would then mail you a letter back, and the mailman would again open the letter, read it, eventually modify it, repackage it, and give it to you. You wouldn’t know there’s a man in the middle in your communication channel – the mailman is invisible to you and to your recipient.”

Mozilla

I will overview more techniques and tools that attackers use to perform man in the middle attacks later in this article.

Table of Contents

How Man in the Middle Attacks Work

While the methods used in the MitM attack will vary, they all follow the same general concept: The attacker intercepts the connection of two devices, such as a computer and a web server. Once they’ve successfully intercepted the connection they will use their position to observe or manipulate the traffic between the two parties.

This video sample from YouTube channel CBT Nuggets Chuck Keith (Network Chuck) covers a form of man in the middle attacks that uses ARP spoofing to intercept communications between a computer and a router. He will define what a man in the middle attack is, how it works, and then explain how ARP spoofing can be used to substantially increase the potency of a typical MITM attack.

In this example, after intercepting the connection between Bob (the victim) and the router the attacker can use techniques such as packet injection, session hijacking, and SSL stripping to further intercept and modify the traffic sent between Bob and the router.

5 Types of Man in the Middle Attacks & Tools

Man in the Browser Attack

State of Web Browsers in 2019

“The Man-in-the-Browser attack is the same approach as Man-in-the-middle attack, but in this case a Trojan Horse is used to intercept and manipulate calls between the main application’s executable (ex: the browser) and its security mechanisms or libraries on-the-fly.”

OWASP.org

In a Man in the Browser (MitB) attack a form of malware known as a Trojan infects the user’s web browser and maliciously modifies the contents of web pages. The most common use case for this sort of attack is to modify an electronic banking transaction in a way that benefits the attacker while convincing the victim that the transaction completed as expected.

Replay Attack

Diagram of a replay attack, a type of man in the middle attack

A replay attack (also known as a playback attack) is a type of man in the middle attack where the attacker intercepts network traffic between two hosts. The attacker then stores or manipulates the traffic before forwarding it to its intended destination. The original traffic that was captured by the attacker can then be reused at a later time to gain access to the network.

SSL Stripping

Diagram of a SSL stripping attack, a type of man in the middle attack

According to SSL.com SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are protocols for establishing authenticated and encrypted links between networked computers.

When you browse the internet your connection to a given website will often be secured using one of these protocols. Under normal circumstances SSL/TLS and HTTPS allow users to securely transmit confidential information credentials over the internet. 

In an SSL stripping attack the attacker bypasses these protocols by intercepting the connection between their victim and the web server and forcing their victim to use an unencrypted (HTTP) internet connection. The attacker can then use network protocol analyzer tools such as Wireshark to capture sensitive information such as passwords, corporate data, and private communications.

Rogue Access Points

Diagram of a rogue access point, a type of man in the middle attack

Rogue access points such as the WiFi Pineapple masquerade as legitimate wireless networks to trick victims into establishing a connection with an attacker. The viability of these attacks are precisely why it is recommended that you do not use public WiFi networks when performing sensitive tasks such as banking or working with confidential information.

Once the victim establishes a connection the attacker can intercept the victims traffic in search of passwords and sensitive communications and serve fake landing pages that ask for sensitive information.

Sample rogue access point attacks

  • KARMA – the rogue access point tricks the victim’s device into establishing a connection by spoofing an SSID that has been previously trusted by the victim’s device.
  • Evil Twin – A counterfeit access point that uses the same SSID and BSSID as a nearby Wi-Fi network. (e.g. a free public WiFi hotspot)

ARP Spoofing/ARP Poisoning

Address Resolution Protocol (ARP) is used to discover where devices are on the network. In an ARP Poisoning attack, the attacker sends spoofed ARP messages onto a local area network to convince devices that the attacker’s device is the intended destination for traffic. After intercepting the traffic the attacker will then forward the transmission over to the intended destination to avoid detection.

Real-World Man in the Middle Attack Examples 

Drawing of a hooded figure next to a large computer monitor. It shows them stealing files and receiving money.

The Lenovo Superfish Scandal

Superfish is a type of adware that performs a man in the middle attack to force users to view advertisements. The Superfish scandal came as a result of Lenovo including the Superfish adware on its laptops between September 2014 and February 2015. 

How serious was the scandal? Security researcher Marc Rogers wrote that it’s “quite possibly the single worst thing I have seen a manufacturer do to its customer base”, going so far as to recommend that every single affected laptop be considered potentially compromised. 

The scandal led to serious concerns among Lenovo customers about whether or not Superfish’s computer spy software posed a threat to their security. As part of its design the software presented users with its own fake certificate instead of the legitimate site’s certificate, which meant that end-users could not trust that SSL certificates were legitimate. 

Equifax’s Mobile Application

In 2017 Equifax agreed to pay a settlement between $575-700M after the personal and financial information of nearly 150 million people was leaked from an unpatched database.  Alongside this breach security researcher Jerry Decime discovered that Equifax’s mobile phone apps that did not consistently use HTTPS, potentially allowing attackers to intercept data as users accessed their accounts.

How Common Are Man in the Middle Attacks?

Cybercriminal in a black hoodie hacking company networks to perform a data breach.

While the widespread adoption of HTTPS and browser-based security warnings have reduced the potential threat of some man-in-the-middle attacks, these attacks are still viable. 

The Threat Intelligence Index 2018 report from IBM’s X-Force found that 35% of exploitation activity involved attackers attempting to conduct MitM attacks. While MitM attacks were not featured in their 2021 report, there is a fair chance that these types of attacks will become more prominent in the future. 

The reason? 5G and Internet of Things devices.

A 2019 report from Opensky and the Ponemon institute found that the inability to avoid security exploits and data breaches is one of the biggest IoT challenges for 60% of cybersecurity practitioners in the United States. 

IoT devices provide a unique level of risk thanks to a combination of their access to the network and a lack of robust security standards for IoT device manufacturers. For example, a seemingly innocuous IoT sensor that helped a casino manage its aquarium became an entry point for a data breach that resulted in an information leak about the casino’s high-rollers. 

Despite this, the rapid proliferation of Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices are expected to skyrocket thanks to advancements in 5G wireless internet connections. The inconsistent security standards of these devices and potential 5G vulnerabilities could lead to a resurgence in the use of MitM attacks, as witnessed in a demonstration at the Black Hat 2019 conference.

Best Practices to Prevent Man in the Middle Attacks

The prevention and detection of man in the middle attacks is a difficult task, but there are ways that you can help protect yourself and your company against common vulnerabilities and exploits.

None of these methods are entirely foolproof. The wide array of techniques that fall under the umbrella of a MitM attack means that many layers of protection are required to defend against this threat.

This next section will overview steps that you can take to defend against MitM attacks.

Use Encryption

A string of green encrypted text on a black background

Ensuring that you have an encrypted connection is a critical first step to reducing the damage that a MitM attack could cause. By encrypting your web traffic you can protect your session against network sniffing attacks by making your network packets illegible. 

Ensure that all of your connections are secured using the latest encryption technology 

  1. Verify that the websites you visit are encrypted
    Websites are encrypted using SSL/TLS certificates. You can tell that these encryption protocols are in use as they will either have “https” at the start of the URL or a padlock icon to indicate that the website uses encryption. To verify that the certificates are legitimate you can inspect the certificate in your browser. 
  2. Use end-to-end encryption for your digital communications
    When sending sensitive information over the network you should ensure that the email platform or video conferencing app you use support end-to-end encryption.
  3. Use a private, encrypted internet connection
    Ensure that the network you are using is protected with a unique, strong password and encrypted with WPA2 or greater. You must also avoid using publicly accessible WiFi hotspots to avoid falling victim to a rogue access point or having your traffic sniffed by someone else on the network.

It’s important to note that encryption does not guarantee safety from MitM attacks. Attacks such as SSL stripping can force you to unknowingly browse the internet unencrypted. 

Though it is a rare occurrence, there is also the possibility that the trusted certificate authorities that verify SSL/TLS certificates could become compromised themselves, such as with the Diginotar incident.

DigiNotar was a Dutch certificate authority that was forced to declare bankruptcy after a security breach resulted in the fraudulent issuing of certificates. This security incident resulted in 300,000 Iranian Gmail users becoming victims to MitM attacks. 

Use a Secure Virtual Private Network (VPN)

Using a virtual private network (VPN) adds an additional layer of security against sniffer attacks by encrypting your traffic through a private network “tunnel”. The VPN will encrypt the traffic from your device to the VPN service, protecting it from being read or altered in transit. 

If using a VPN for security purposes you must ensure that you are using a trustworthy provider. If your VPN provider is compromised the data you send over the network could potentially be intercepted.

Do Not Use Public WiFi

According to the 2018 iPass Mobile Security Report, 81% of CIOs said their company had experienced a WiFi related security incident in the last year, with 62% of WiFi related security incidents occurring in cafés and coffee shops. 

Insecure public WiFi hotspots are attractive to attackers as the volume of people connected to the network and the lack of encryption on some websites allows them to monitor the internet traffic of anyone connected to the network. Attackers may also use a rogue access point (honeypot) to trick users into establishing a connection with their network device. 

In addition to this, the security of a legitimate public network is not guaranteed. These wireless access points are managed by a third party and they are often provided as a convenience to the public rather than for sensitive business purposes.

To mitigate the temptation to use these insecure WiFi hotspots, remote workers should have their own mobile router or high-speed mobile data plan. A mobile router transforms 4G or 5G wireless connections into a private WiFi signal, negating the need to use potentially unsecured WiFi networks. You must also specify security protocols related to public WiFi use in company policies such as an endpoint security policy or work from home policy.

Listen to Web Browser Security Warnings

Google Chrome Error: Your connection is not private Attackers might be trying to steal your information from untrusted-root.badssl.com (for example, passwords, messages, or credit cards). Learn more NET::ERR_CERT_AUTHORITY_INVALID

Modern web browsers have security features that will notify you if there are any perceived risks regarding the sites or connections you are using. 

While not all of these warnings are as the result of a man in the middle attack they can provide an early warning sign that there is a potential security problem such as invalid certificates or attempts to redirect you to a page you were not intending to go to, such as when an attacker redirects you to a fake landing page.

For example, in Google Chrome if there is an issue validating the certificate of a website you will be presented with an error screen that says “your connection is not private”. Other modern web browsers will provide similar warnings. In addition to this Google Chrome labels HTTP sites as “not secure” to alert you that the connection is not encrypted.

Disable Automatic Wifi Connections

Allowing your phone or laptop to automatically connect to familiar networks provides added convenience, but it also increases the risks of falling victim to a KARMA attack or similar exploit. An easy fix for this is to make sure that your mobile devices are set to manually select a Wi-Fi network, rather than allowing them to automatically connect to familiar networks.

What’s Next?

In this article you learned what man in the middle attacks are, how they work, examples of companies that have fallen victim to MitM attacks, the most common exploits used by attackers, and how to protect yourself against them. 

While these attacks have fallen out of use in favor of ransomware, they are still viable today. The rapid proliferation of 5G and IoT is expected to lead to a resurgence of attackers using man in the middle attacks to infiltrate networks and gain access to sensitive information.

Want to learn more about cybersecurity? Sign up for the CurrentWare newsletter to stay up-to-date on our latest articles.

Dale Strickland
Dale Strickland
Dale Strickland is the Digital Marketing Manager for CurrentWare, a global provider of user activity monitoring, web filtering, and device control software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.