loader gif

Man in the Middle (MitM) attack - What is it and how to stay protected?

against, attention, business, businessman, caucasian, communication, crime, curiosity, curious, disbelief, ear, eavesdropping, excluded, exclusion, expression, facial, forbidden, glass, gossip, hand, hearing, holding, horizontal, humor, inquisitive, law, listening, man, nosy, perception, prying, searching, secrecy, sensory, shock, sneaky, snooping, sound, spy, suit, surprise, surveillance, wall
  • The first and foremost step in the Man-in-the-Middle (MitM) attack is to intercept internet traffic before it reaches its destination.
  • Once the interception is achieved, the SSL traffic has to be decrypted without the user’s knowledge and without interrupting the application.

Man-in-the-Middle (MitM) is an attack where the attacker eavesdrops on the communication between two parties, commonly between a user and an application, in order to alter or intercept the communication.

The information obtained in the communication will then be used to steal personal information, credentials, and financial information.

How does this work?

Attackers perform MitM attacks in two phases - Interception and Decryption.

Interception

The first and foremost step in the Man-in-the-Middle (MitM) attack is to intercept internet traffic before it reaches its destination. Interception is executed by using the following techniques.

  • IP Spoofing
  • ARP Spoofing
  • DNS Spoofing

Decryption

Once the interception is achieved, the SSL traffic has to be decrypted without the user’s knowledge and without interrupting the application. This can be done with the following methods.

  • HTTPS Spoofing
  • SSL Hijacking
  • SSL Stripping
  • SSL Beast

Example of MitM vulnerabilities - UC Browser vulnerable to MitM attacks

Researchers uncovered a feature in UC browser that downloads extra app modules and runs executable codes on users’ devices, thereby violating Google Play Store policies and potentially exposing its users to Man in the Middle (MitM) attacks.

  • UC Browser sends a request to the C&C server to download new plug-ins.
  • In response to the request, the UC browser receives a link to file.
  • Attackers can get hold of the requests from the UC browser since its communication to the C&C server is carried over an unsecured channel.
  • Attackers can then replace the commands with ones containing different addresses.
  • This makes the UC browser download new modules from the malicious server instead of its C&C server.

How to stay protected?

  • It is best to implement the HSTS (HTTP Strict Transport Security) solution that forces browsers and sites to connect through secure HTTPS connections.
  • In order to stay protected, it is best to avoid using public WiFi that is not password protected.
  • It is recommended to ensure that your home and office WiFi is always secure.
  • Experts recommend using a secure Virtual Private Network (VPN).
  • Security researchers recommend using Public key pair based authentication like RSA in order to secure your communication.
  • It is recommended to always ensure that the webpages or websites you visit are running on HTTPS and not the HTTP protocol.
loader gif