What is a Man-in-the-Middle (MitM) attack?
A man-in-the-middle attack occurs when the communication between two systems is intercepted by a third party, aka a Man-in-the-Middle. This can happen in any form of online communication, such as email, web browsing, social media, etc.
The man-in-the-middle can use a public Wi-Fi connection to either listen in on your conversation or try to inject data into your connection to gain access to your browser or app that is trying to move data, or even compromise the entire device. Once they gain access to the device, the damage they can do is endless; steal credentials, transfer data files, install malware, or even spy on the user.
What are the signs of a Man-in-the-Middle attack?
A few warning signs that you’re at risk of a man-in-the-middle attack include:
- Open / public Wi-Fi networks
- Suspicious SSIDs (Wi-Fi network names) that don’t look right
- Evil Twin Wi-Fi networks, i.e. StarbucksFreeWiFi and StarbucksWiFiJoin in the same location – one might be fake
Once your connection has been intercepted a hacker can inject various things into your device using the connection. Here are some signs your connection has already been intercepted.
- Popups or captive portal pages asking for credentials
- Login pages appear that don’t look legitimate
- Fake software update popups
- Certificate error messages
What causes a Man-in-the-Middle attack?
- Sniffing – hackers use packet capture tools to inspect packets or by using a wireless monitoring device (which is available on Amazon for less than $100), they can see packets that are addressed to other hosts
- Packet injection – the hacker can then also use the monitoring device to inject malicious packets into data communication streams disguising them as part of the communication.
- Session hijacking – If a hacker cannot view your password they can still take over existing session to online services such as social networking accounts.
- SSL Stripping – hackers use SSL stripping to intercept packets and alter their HTTPS-based address requests to go to the HTTP version of the requested site
What’s the treatment?
So you’ve got a man-in-the-middle snooping on your connection, what now?
- Switch off Wi-Fi and use a cellular connection instead
- Switch connection to your corporate VPN is you have one available
- Remove the root CAs from the trusted list that do not belong to websites that you routinely visit
- Watch out for warnings of identity theft and put a fraud alert on your credit account.
How to prevent a Man-in-the-Middle attack?
Since Man-in-the-middle attacks are so difficult to detect, the best remediation is prevention. Stay safe from man-in-the-middle attacks by following this guidance:
- Change the configuration settings so your devices don’t automatically connect to Wi-Fi by default
- Check for encryption – you can tell if a website is encrypted by looking for the https and lock symbol at the beginning of the URL
- Don’t do any banking or enter any account login credentials while connected to public Wi-Fi
- If you must connect to an open Wi-Fi network, have your device ‘forget’ the network so it doesn’t automatically connect
- Regularly check your trusted list for root CAs you don’t recognize
- If you need to do online banking in a public place, switch your phone’s Wi-Fi off and use a cellular connection instead
- Use a VPN when available
No matter how hard you try to educate yourself and your team, it’s inevitable that some attempts will slip through the net. To stay ahead of the attacker, it’s imperative to have a security solution in place which is able to block attacks of this nature. For more information, get in contact with one of our mobility experts today or download our employee protection pack.