Man in the Middle

A Man-in-the-Middle Attack (MITM) is one in which an attacker secretly relays, and possibly alters, communication between two parties which believe they are communicating directly. The attacker must be able to insert themselves in the line of communication and to impersonate both sides without raising suspicion.

Man-in-the-Middle Attacks can be used for eavesdropping or to modify the data that each party receives. They are not limited to simple messages between two people. The conversation could be between a user and their bank's website, and the message being sent could be their credentials. It could be someone reading email messages through a web portal. Or it could even be someone downloading software from a remote server and, because they are in the middle, the attacker could send different software instead. Most damaging of all, a man-in-the-middle can substitute their own public key when two parties believe they are conversing securely using public-key cryptography.

The most commonly used technique is to take over a router which is routing traffic between two parties or to provide an "evil twin" WiFi router. An evil twin router presents itself on the network like the legitimate router, but is controlled by the attacker. A user may select the router by mistake, or their computer may be tricked into switching to it instead (for example, because it has a stronger signal than the real router). DNS hijacking, browser malware, and port stealing are other common ways for an attacker to insert themselves in the communication chain between a user and the server with which they are communicating.

Hacker tools like Ettercap use a variety of techniques and are designed to make Man-in-the-Middle Attacks easier to accomplish.

Eavesdropping Example

Mallory has secretly inserted herself into the line of communication between Alice and Bob.

  • Alice sends a message to Bob
  • Mallory intercepts and reads the message
  • Mallory sends the message to Bob, unaltered
  • Bob responds with a message to Alice
  • Mallory intercepts and reads the message
  • Mallory sends the message to Alice, unaltered

Mallory acts like a nosy messenger reading the notes she carries back and forth between Alice and Bob, only Alice and Bob have no idea Mallory is present.

Tampering Example

Mallory has secretly inserted herself into the line of communication between Alice and Bob.

  • Alice sends "Let's meet in the cafe at 3:00" to Bob
  • Mallory intercepts the message
  • Mallory sends "Let's meet in the park at 4:00" to Bob
  • Bob responds with "OK, see you in the park at 4:00" to Alice
  • Mallory intercepts the message
  • Mallory sends "OK, see you in the cafe at 3:00" to Alice

Mallory acts like a messenger again, but this time, she is sending false messages to Alice and Bob. But Alice and Bob believe that they are directly conversing and trust the information they are receiving.
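The tampering example above succeeds because Bob has no way to tell that the note was rewritten in transit. The following added example (not part of the original page) replays the same exchange with an integrity check attached: Alice and Bob are assumed to share a secret key agreed out of band, Alice tags each message with an HMAC, and Bob recomputes the tag before trusting the text. Mallory can still read and rewrite the message, but without the key she cannot produce a valid tag for her altered text.

```python
import hmac
import hashlib

# Constructed shared secret: assumed to have been agreed by Alice and Bob
# out of band, so Mallory never sees it.
SHARED_KEY = b"alice-and-bob-out-of-band-secret"


def tag(message: str, key: bytes = SHARED_KEY) -> str:
    """Compute an HMAC-SHA256 tag over the message text."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()


def send(message: str) -> dict:
    """Sender side: attach the tag to the message before it leaves Alice."""
    return {"text": message, "tag": tag(message)}


def verify(envelope: dict) -> bool:
    """Receiver side: recompute the tag and compare it in constant time."""
    expected = tag(envelope["text"])
    return hmac.compare_digest(expected, envelope["tag"])


def mallory_tamper(envelope: dict, new_text: str) -> dict:
    """Mallory rewrites the text; lacking the key, she can only reuse the old tag."""
    return {"text": new_text, "tag": envelope["tag"]}


def run_exchange() -> dict:
    """Replay the page's tampering example, now with Bob verifying each message."""
    original = send("Let's meet in the cafe at 3:00")
    tampered = mallory_tamper(original, "Let's meet in the park at 4:00")
    return {
        "unaltered_accepted": verify(original),
        "tampered_accepted": verify(tampered),
    }


if __name__ == "__main__":
    print(run_exchange())
```

The MAC gives Bob data integrity, not privacy: Mallory still reads the plaintext. The point of the example is that a modified message is rejected rather than acted on, which is what the tampering scenario relies on.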

Public-Keys Example

Mallory has secretly inserted herself into the line of communication between Alice and Bob.

  • Alice asks Bob to send her his public key
  • Mallory reads and relays message to Bob, unaltered
  • Bob sends his public key to Alice
  • Mallory substitutes her own public key and sends to Alice
  • Alice encrypts and sends a message using Mallory's public key
  • Mallory decrypts the message with her private key
  • Mallory can read or modify the message
  • Mallory encrypts and sends the message using Bob's public key
  • Bob decrypts the message with his private key

This attack is worse than the others because, not only do Alice and Bob not know about Mallory's presence, they believe that the conversation is secure because they have taken the extra step of using public-key cryptography, which is designed to guarantee privacy and data integrity.

Man-in-the-Middle Preventions

Man-in-the-Middle Attacks are attacks on privacy and data integrity, so the solutions are twofold: Encryption and Authentication.

Encryption adds privacy to the conversation. An attacker can be in the line of communication, but will not be able to read the communication. TLS and HTTPS are the best ways to secure communications on the web. A Virtual Private Network (VPN) is another way to secure all communications with a remote server (not just web) and is popular with corporations that have remote workers. Secure Shell (SSH) tunneling is another option for creating a secure pathway to a server. It is most often used for command line connections to servers, but has other applications as well.

Authentication validates the identity of the communicating parties. Public-key cryptography is designed for this purpose. However, as illustrated in the examples, it has one weakness: validating the authenticity of a public key. For this reason, public keys should be downloaded from a trusted source. Public keys can and should be registered with a Public Key Infrastructure (PKI). The PKI becomes the trusted source and provides a way to validate that a public key is authentic. Certificate pinning is an additional validation: the certificate presented by the other party is compared with a trusted, signed copy of the certificate obtained in advance.
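The following added example (not part of the original page) ties the Public-Keys example above to the pinning paragraph here. It uses textbook RSA with fixed toy primes so that the key fingerprints are reproducible; the key sizes, the exchange() function and the fingerprint scheme are all assumptions made for illustration. Without a pin, Alice accepts whatever key arrives and Mallory reads the message exactly as the example's step list describes; with a pin of Bob's fingerprint obtained from a trusted source beforehand, the substituted key fails the comparison and Alice never encrypts to it.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int

    def fingerprint(self) -> str:
        """SHA-256 over a fixed encoding of (n, e); this is what a pin stores."""
        return hashlib.sha256(f"{self.n}:{self.e}".encode()).hexdigest()


@dataclass(frozen=True)
class KeyPair:
    public: PublicKey
    d: int  # private exponent


def make_keypair(p: int, q: int, e: int = 17) -> KeyPair:
    """Textbook RSA from two fixed small primes (toy sizes, for illustration only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e; needs Python 3.8+
    return KeyPair(PublicKey(n, e), d)


def encrypt(pub: PublicKey, text: str) -> List[int]:
    """Encrypt one byte per block; every byte value is below the toy n."""
    return [pow(b, pub.e, pub.n) for b in text.encode("utf-8")]


def decrypt(kp: KeyPair, blocks: List[int]) -> str:
    """Invert encrypt() with the private exponent."""
    return bytes(pow(c, kp.d, kp.public.n) for c in blocks).decode("utf-8")


# Fixed toy key pairs (constructed) so the fingerprints are stable across runs.
BOB = make_keypair(61, 53)
MALLORY = make_keypair(47, 71)
MESSAGE = "Let's meet in the cafe at 3:00"


def exchange(mallory_present: bool, alice_pinned: Optional[str]) -> Dict[str, Optional[str]]:
    """Replay the page's Public-Keys example, optionally with Alice pinning Bob's key.

    alice_pinned is the fingerprint Alice obtained from a trusted source ahead
    of time (the page's PKI or pinned certificate); None means she trusts
    whatever key arrives over the wire.
    """
    # Bob sends his public key; if Mallory is in the path she swaps in her own.
    received = MALLORY.public if mallory_present else BOB.public

    # Alice's authentication step: compare the received key against the pin.
    if alice_pinned is not None and received.fingerprint() != alice_pinned:
        return {"status": "rejected", "mallory_read": None, "bob_read": None}

    ciphertext = encrypt(received, MESSAGE)
    mallory_read = None
    if mallory_present:
        # Mallory holds the matching private key, so she can read the message,
        # then re-encrypt it under Bob's real key so he notices nothing.
        mallory_read = decrypt(MALLORY, ciphertext)
        ciphertext = encrypt(BOB.public, mallory_read)

    return {"status": "accepted", "mallory_read": mallory_read, "bob_read": decrypt(BOB, ciphertext)}


if __name__ == "__main__":
    pin = BOB.public.fingerprint()
    print("no pin, Mallory present:", exchange(True, None))
    print("pinned, Mallory present:", exchange(True, pin))
    print("pinned, honest path:   ", exchange(False, pin))
```

The check that matters is the single fingerprint comparison before Alice encrypts anything. A PKI plays the same role at scale by signing keys so that the trusted value does not have to be distributed by hand for every party.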

Detecting Man-in-the-Middle Attacks can be difficult since the attacker is actively trying to avoid raising suspicion. One helpful technique is latency examination: a request traveling directly to the other party will be faster than one which makes a pit-stop in the middle. This is especially true for encrypted communication because decrypting and then re-encrypting adds additional time.
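As an added illustration of the latency check (not from the original page), the code below compares a set of recent round-trip times against a baseline recorded when the path was believed to be clean. The sample timings are constructed, and the threshold (k robust sigmas above the baseline median, using median and MAD so a few outliers in the baseline do not distort it) is an assumption; a practitioner would tune k to the path's normal variability.

```python
import statistics
from typing import Dict, List, Tuple

# Constructed round-trip times in milliseconds. BASELINE_MS was collected on a
# path believed to be clean; the other two lists are later samples to assess.
BASELINE_MS = [41.2, 39.8, 43.1, 40.5, 42.0, 38.9, 41.7, 40.1, 42.6, 39.4]
NORMAL_LATER_MS = [40.9, 42.3, 41.1, 39.7, 43.0]
SLOWER_LATER_MS = [58.4, 61.0, 57.2, 60.3, 59.1]


def robust_baseline(samples: List[float]) -> Tuple[float, float]:
    """Median and a MAD-based sigma, which a few outliers in the baseline cannot skew."""
    median = statistics.median(samples)
    mad = statistics.median(abs(s - median) for s in samples)
    # 1.4826 scales MAD to sigma for normally distributed data; the floor
    # keeps a perfectly flat baseline from producing a zero threshold.
    sigma = max(1.4826 * mad, 0.5)
    return median, sigma


def assess_latency(baseline: List[float], recent: List[float], k: float = 5.0) -> Dict[str, object]:
    """Flag when the recent median sits more than k robust sigmas above the baseline median."""
    median, sigma = robust_baseline(baseline)
    recent_median = statistics.median(recent)
    shift = recent_median - median
    return {
        "baseline_median_ms": median,
        "recent_median_ms": recent_median,
        "shift_ms": shift,
        "threshold_ms": k * sigma,
        "flag": shift > k * sigma,
    }


if __name__ == "__main__":
    print("normal:", assess_latency(BASELINE_MS, NORMAL_LATER_MS))
    print("slower:", assess_latency(BASELINE_MS, SLOWER_LATER_MS))
```

A raised flag is a prompt to investigate the path (routes, ARP and DNS state, the certificate presented), not proof of an attacker: congestion or a routing change produces the same symptom, and a relay on a fast link may add less delay than the threshold.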
