You will no doubt have heard of a man in the middle (MiTM) attack. Here we define this attack method, explain how a MiTM attack occurs, and show you how to prevent a man in the middle attack and keep your devices and networks secure.

What is a Man in the Middle Attack?

Man in the middle attacks are commonly cited as a threat, but what exactly is a man in the middle attack? As the name suggests, this is a scenario where a person inserts him or herself between two communicating systems and intercepts conversations or data sent between the two. It is the computer equivalent of eavesdropping on a phone call where neither party is aware that their conversation is not private and confidential.

With a phone call, eavesdropping would allow an attacker to gather a host of sensitive information, which is divulged verbally between both parties. In this scenario, the attacker does not influence the conversation. He/she must wait until a valuable nugget of information is disclosed by either party.

A MiTM attack is concerned with intercepting data transferred between two parties. This could be data sent between a smartphone app and a server, between two parties on a messaging app such as WhatsApp, or an email conversation between two parties. It could also be communication between a user’s browser and a website.

In contrast to the telephone call scenario, which is passive, in a MiTM attack the attacker can influence what is being said. In fact, with a MiTM attack, the two people or systems communicating are not really communicating with each other. Each is communicating with the attacker.

Take email for example. Person A initiates an email conversation with Person B and requests a wire transfer to pay for services rendered. Person A supplies the bank details, and Person B agrees to the wire transfer. Various details are discussed, and the transfer is eventually made. There could be 10 or more messages sent by each party in the conversation. Each message between the two is altered by the attacker, crucially including the bank account details for the transfer. Neither party has been communicating with the other, yet both parties would be convinced they are.

Types of Man in the Middle Attack

The goal of a MiTM attack is to intercept information, usually for financial gain, but there are different ways that this can be achieved. Generally speaking, there are four main ways that a MiTM attack occurs: packet sniffing, packet injection, session hijacking, and SSL stripping.

Packet sniffing is one of the most common MiTM attack methods and is a type of eavesdropping or wiretapping, except it is not phone conversations that are obtained. It is packets of data sent between the two systems. Packet sniffing is much easier when sensitive data is not encrypted, such as when information is disclosed between a browser and an HTTP website, rather than HTTPS where the connection is encrypted.

The above email example is a type of packet injection. Data is intercepted, but additional packets are introduced, or data packets are altered. For instance, malware could be introduced.

Session hijacking is where an attacker takes over a session, such as a session between a browser and a banking website where the user has logged in. In this example, the attacker is the one in control of the session. SSL stripping is where an HTTPS session, which should be secure as the session is encrypted, is stripped of the encryption, turned from HTTPS to HTTP, and the data can then be read. This latter technique is utilized by web filtering solutions that feature SSL inspection. It allows businesses to check for threats in encrypted traffic.

How to Prevent a Man in the Middle Attack

Fortunately, MiTM attacks can be difficult to perform, so the potential for an attack is limited, but there are skilled hackers who can – and do – perform these attacks and gain access to sensitive data and empty bank accounts. One of the most common examples is a coffee shop scenario where an attacker creates an evil twin hotspot. When a user connects to this evil twin – a Wi-Fi network set up to look like the genuine coffee shop Wi-Fi hotspot – all data sent between their browser and the website is intercepted.

There are several steps you can take to prevent a Man in the Middle Attack.

  • Never disclose sensitive data when connected to an untrusted public Wi-Fi network. Only ever connect via a VPN, and ideally wait until you are on a trusted Wi-Fi network to access online bank accounts.
  • Ensure the website is protected by an SSL certificate (starts with HTTPS). Bear in mind that hackers also use SSL certificates, so HTTPS does not mean a website is genuine.
  • Do not use hyperlinks included in emails; always visit the website directly by typing the correct URL into your browser or finding the correct URL through a Google search.
  • Do not install unauthorized software or apps from third-party app stores, and do not download or use pirated software.
  • Businesses should implement a DNS filtering solution to protect their workers and prevent them from visiting malicious websites.
  • Make sure your networks are secured and have appropriate security tools installed.
  • Disable insecure SSL/TLS protocol versions on your website (only TLS 1.1 and TLS 1.2 should be enabled) and implement HSTS.