What is a Man in the Middle Attack?
A Man in the Middle Attack is one where a malicious third party C intercepts a communication flow between two parties A and B, relaying their messages and, where it suits C, altering them.
The two communicating parties are unaware that their messages are being intercepted and potentially manipulated.
The attack can occur when the communicating parties have no adequate mechanism for authenticating each other, or no effective method for ensuring the integrity of the messages being sent and received.
Let's take an example.
Suppose Alice is in the market for a new phone. She has a search online and comes across a great offer on a reputable auction website. Bob is selling a brand new phone that he received as a gift. The upgrade would be great, but at the moment Bob would rather have the cash so he can put it towards a new guitar that he has his eye on.
Alice makes an offer through the site a little under the asking price which Bob accepts.
Both Alice and Bob have good feedback on the site, but Bob only accepts bank transfers. Bob sends Alice his bank details, she transfers the money for the phone and confirms when it’s been done. Bob sees the payment enter his bank account and proceeds to send the item. Alice receives the phone a few days later. Everyone’s happy!
Now what could have happened if Alice and Bob had fallen victim to a Man in the Middle Attack?
We'll replay the same scenario, but this time we'll introduce Mallory. She's an active attacker, making a concerted effort to do no good.
Now suppose that Mallory has compromised Alice's connection to the auction website. Alice assumes, as one would, that she's connected securely to the site and that all of the messages passed back and forth are similarly safe and secure.
She's completely unaware that Mallory can intercept her traffic and redirect her connection to a fake version of the auction site. When Alice connects to the auction site, she's actually connecting to the fake site that Mallory has created. Mallory sees, and can manipulate, any of the messages from Alice and forwards them on to the real auction site. Similarly, the responses from the website are also seen by Mallory, and she forwards them back to Alice.
All the time Alice thinks she’s connected to the auction site, Mallory can intercept and manipulate the conversation.
Now back to the example, Alice makes an offer for the phone through the site a little under the asking price which Bob accepts.
Bob sends his bank account details to Alice. Mallory, however, intercepts this message and replaces Bob's account details with those of another account that she has access to.
Alice receives Bob’s message (with Mallory’s bank account details) unaware that it’s been altered, transfers the money and sends a message back to Bob to let him know to expect the money. Mallory intercepts the message back to Bob also and replaces it with a different message notifying Bob that she (posing as Alice) has decided in the end not to buy the phone, but thanks him for his time.
When Mallory sees the money has been credited to the account, she nips down to a cash machine and withdraws the cash.
Alice is left wondering and upset when her phone doesn’t arrive. Bob has no knowledge that money was ever transferred and Mallory sips her Pina Colada by the pool on a nice relaxing holiday paid for by Alice.
When could an attack occur?
Nowadays, when people refer to a Man in the Middle attack, they're probably referring to a cyber attack similar to the one described in the scenario above, where a user connects to a website in their browser and an attacker manages to intercept that communication flow, often by taking advantage of a weakness in the website's configuration, such as not enforcing an encrypted connection.
It's important to note, however, that it may not be a user interacting with a website; it could also be a mobile app communicating with an Internet service.
Man in the Middle attacks are not limited to websites or web services. In fact, the attack applies to anything communicating with anything else: email messages, or our good ol' postal service, for example. If you go back far enough, to when messages were delivered from one kingdom to another by men on horseback, a messenger intercepted en route by the enemy would also count as a Man in the Middle attack.
How does it happen?
If the two parties trying to communicate, in our case Alice and Bob, have no way to authenticate each other, or if they do but that system has also been compromised, then they have no airtight way of proving their identity, that is, proving they are who they say they are.
If Alice can't successfully prove to Bob that she is really Alice, how does Bob know he's talking with the real Alice? In our example, Bob thought he was talking to Alice, but in fact he was talking to Mallory.
If the integrity of the messages being exchanged can't be guaranteed, then how can either party reliably determine that a message hasn't been altered?
If Alice sends a message to Bob, then unless Bob has some way of verifying that the message he received is the same message Alice originally sent, it could have been altered and Bob has no way of checking whether that is the case.
Again, in our example, Mallory substituted her own bank account details for Bob's and then sent the message on to Alice. Because Alice couldn't check that the message hadn't been changed, she had no way to detect that the account details didn't belong to Bob.
One thing to note is that authentication and integrity go together; you can't rely on just one of them. A message whose integrity is protected is of little use if you can't tell who protected it, and knowing who you're talking to is of little use if what they send can be changed on the way. In either case, the opportunity for a Man in the Middle attack still exists.
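The following is an added example, not code from the original article, simulating the exchange described above: Bob sends his bank details to Alice through a channel that Mallory controls. It runs the exchange twice, once with no integrity protection and once with each message carrying an HMAC-SHA256 tag under a key Mallory does not know. The account numbers, the shared key and the message layout are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample data for this example (not from the original article).
# Account numbers are placeholders; the shared key is a fixed value purely so
# the example is reproducible. How Alice and Bob agree such a key without
# Mallory learning it is the authentication half of the problem.
BOB_DETAILS = {"from": "Bob", "to": "Alice", "sort_code": "00-00-00", "account": "11111111"}
MALLORY_ACCOUNT = "99999999"
SHARED_KEY = b"example-key-agreed-out-of-band"


def honest_relay(wire: bytes) -> bytes:
    """The channel as Alice and Bob assume it is: bytes pass through untouched."""
    return wire


def mallory_relay(wire: bytes) -> bytes:
    """Mallory's interception point. She forwards every message but rewrites any
    bank account number to one she controls. If the message is an authenticated
    envelope she can still edit the body, but cannot recompute the tag, because
    she does not know the key."""
    msg = json.loads(wire)
    if "body" in msg:  # authenticated envelope: tamper with the body only
        inner = json.loads(msg["body"])
        if "account" in inner:
            inner["account"] = MALLORY_ACCOUNT
        msg["body"] = json.dumps(inner, sort_keys=True)
    elif "account" in msg:  # plain message: tamper directly
        msg["account"] = MALLORY_ACCOUNT
    return json.dumps(msg, sort_keys=True).encode()


def exchange_unprotected(message: dict, channel) -> dict:
    """Bob sends, Alice receives, with no integrity protection at all.
    Alice has no way to tell whether what arrives is what Bob sent."""
    wire = json.dumps(message, sort_keys=True).encode()
    return json.loads(channel(wire))


def mac_seal(key: bytes, message: dict) -> bytes:
    """Bob attaches an HMAC-SHA256 tag computed over the exact bytes he sends."""
    body = json.dumps(message, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def mac_open(key: bytes, wire: bytes) -> dict:
    """Alice recomputes the tag over the received body and compares it in
    constant time. Any change to the body, such as a swapped account number,
    produces a different tag and the message is rejected."""
    envelope = json.loads(wire)
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("integrity check failed: message was altered in transit")
    return json.loads(envelope["body"])


def exchange_authenticated(key: bytes, message: dict, channel) -> dict:
    """The same exchange, but every message carries a MAC under a key that
    Mallory does not have."""
    return mac_open(key, channel(mac_seal(key, message)))


if __name__ == "__main__":
    print("unprotected, honest channel:", exchange_unprotected(BOB_DETAILS, honest_relay)["account"])
    print("unprotected, Mallory relay :", exchange_unprotected(BOB_DETAILS, mallory_relay)["account"])
    print("with MAC, honest channel   :", exchange_authenticated(SHARED_KEY, BOB_DETAILS, honest_relay)["account"])
    try:
        exchange_authenticated(SHARED_KEY, BOB_DETAILS, mallory_relay)
    except ValueError as err:
        print("with MAC, Mallory relay    :", err)
```

In the unprotected run Alice silently receives Mallory's account number; in the MAC-protected run the altered message is rejected. The caveat is the shared key: the tag only tells Alice that whoever holds the key sent the message, so if Mallory was able to insert herself when the key was agreed, the integrity check proves nothing. That is why integrity protection on its own is not enough and real protocols such as TLS bind keys to an authenticated identity before using them.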
Man in the Middle Attack Prevention
Detecting Man in the Middle attacks can be very difficult so this is definitely a case where prevention is a better approach.
If we go back to focusing on the Internet, it’s best if you can avoid public wifi for accessing private information like your personal email, or accessing services like online banking. If you’re not sure what you think is or isn’t safe, a good rule of thumb could be to ask yourself “would I be bothered if a stranger got hold of this information”. If the answer is yes, then maybe it’s better to wait until you can connect somewhere that you trust.
Trust and vigilance are two very important attributes to keep in mind generally. With reputable sites and apps there's a better chance that specific measures have been taken to protect you, as the user, from Man in the Middle attacks. These protections are usually seen as best practice; if you're in doubt, you can always contact the company and ask the question. Most companies will be happy to provide you with information on how you are protected.
Always check for a padlock in your browser showing that you've got an encrypted connection to the website you're visiting, and check that the address shown is the site you intended to reach: the padlock tells you the connection is encrypted to the site named in the address bar, not that that site is the one you wanted. Over half of Internet traffic is now encrypted, so for the majority of sites you visit the connection itself will be protected.
If you receive a certificate warning when you visit a site, the urge may be there to ignore it. There's usually a valid and good reason for the warning, so it's worth taking notice: a certificate warning is exactly what your browser shows when it cannot confirm that the site it reached is the one in the address bar, which is the situation a Man in the Middle attacker creates.
A range of useful links for further reading are included below: