What Is a Man In The Middle Attack

A man-in-the-middle attack (MITM) is a widespread type of WiFi security vulnerability. In this type of attack, an attacker intercepts data passing between two devices but lets them believe that they are still communicating directly (and securely) with each other. Both parties think that they are communicating securely with a remote server, but in fact, all of this traffic is passing through a ‘man in the middle.

Try PureVPN 31-Day Money-Back Guarantee

How Does MITM Attack Work

There are typically two stages to a Man In The Middle: interception and decryption. Your vulnerability at each step will depend on what security measures you have in place.

Interception

The first step in setting up a man in the middle attack is to intercept data passing between a victim and their network. The easiest and by far the most common way of doing this is to set up an unsecured Wi-Fi hotspot and name it according to its location. Unsuspecting users will then connect to the network, thinking it is legitimate, and the attacker gains access to all the data passing through the router.

There are also many more sophisticated methods for intercepting network traffic, such as IP, ARP, or DNS spoofing. See below for details on these types of attack.

Decryption

Once an attacker has intercepted network traffic, the next stage is to decrypt the two-way SSL traffic. This is done using a variety of methods.

Using HTTPS spoofing, an attacker may send a fake security certificate to a victim’s device. This makes it appear that any sites the victim visits are secure, whereas, in reality, the attacker is collecting any information entered into them.

SSL BEAST is a method of decryption that makes use of malicious javascript to intercept encrypted cookies sent by a web application. A related technique is to use SSL hijacking, where an attacker sends forged authentication keys to both the user and the web application. This sets up a connection that appears to be secure to both parties but is controlled by the man in the middle

A more direct approach is to use SSL stripping. An attacker will downgrade a victim’s connection from HTTPS to HTTP, and send an unencrypted version of any site they visit while maintaining a secure connection themselves. As a result, a user’s entire session is visible to the attacker.

What A MITM Attack Can Lead To?

The consequences of a MITM attack can be severe. A successful attack can give an attacker access to everything you do online, including all your passwords, anything you have in cloud storage, and even your banking details.

The objectives of a MITM attack are generally focused on two things:

Data and Identity Theft – because a MITM attack gives a hacker access to all of your login details, a successful attack can be used to steal your identity. An attacker can eventually compromise all of your accounts, and use your identity to make purchases, or simply sell your personal details on the Dark Web. Even worse, each of your accounts likely holds personal or sensitive information that can be stolen.
Illicit Fund Transfers – Hackers are generally interested in one thing: money. After performing a MITM attack, it is relatively simple for a hacker to steal funds. This can happen in a variety of ways. If your online banking details are compromised, it is a simple matter of transferring money out of your account.

A more sophisticated technique is to uses a MITM attack to get corporate banking details. If, for instance, a colleague asks you to send them the details of a company account, and you are the active victim of a MITM attack, a hacker can switch the details you send for those of their own accounts, and your colleagues will then transfer money to the hacker.

MITM Attack Variants

An attacker can make use of a number of vulnerabilities to intercept and read data as part of a Man In The Middle. Because of this, man in the middle attacks can be classified according to which piece of software has been compromised.

In a man in the browser attack, for instance, an attacker will compromise a web browser, and use this security hole to listen in to communications. In this type of attack, malicious malware is used to infect a user’s browser, which will then pass information to an attacker.

This type of attack is typically used to commit financial fraud by manipulating online banking systems. By intercepting a user’s login details, an attacker can gain access to a victim’s account, and quickly transfer money out of it.
Another variant of the Man In The Middle is a man in the phone attack. Given the massive rise in the use of smartphones, and particularly their popularity for accessing online banking services, it was only a matter of time before attackers started targeting them with malware.

Like other forms of MITM attack, in this type of attack malware is loaded onto a smartphone, and this can defeat all but the most advanced security measures. This means that an attacker can access all of the information passed from the smartphone to the network, including personal and financial details.
Another relatively new form of MITM attack is the man in the disk attack. This makes use of the fact that some Android applications are a little sloppy when it comes to the way they work with External Storage.

By loading malicious code into the External Storage of a phone, an attacker can shut down legitimate apps, or even make Android crash, and this opens a door for the injection of further code that will run with unsafe privileges.

Types of Man In The Middle Attack

The typical man-in-the-middle also makes use of many techniques to intercept data and to decrypt it. The most common methods are:

DNS Spoofing

DNS Spoofing is a method that takes advantage of weaknesses in the Domain Name Server (DNS) system. This is the way that your browser finds the websites you request, and it does this by looking up their IP address in a list that sits on your Wi-Fi router. By altering this list, an attacker can re-direct you to a website that looks legitimate but is controlled by them. Any information you enter into the spoof website will then be collected for future use.

ARP Spoofing

ARP spoofing is a similar technique. Using this method, an attacker will disguise themselves as an application by altering the packet headers that come with an IP address. This means that when a user attempts to access a web application, they will be re-directed to a fake version of it that is controlled by the attacker.

Wi-Fi Pineapple

Perhaps the simplest way to implement a man-in-the-middle is to make use of Rogue Access Points. These are routers (called access points in the industry) that look like they provide legitimate networks, but are “fake,” unsecured networks controlled by an attacker, who can then listen in on them. In recent years, a popular way of setting up these networks has been to use a Wi-Fi Pineapple: this is a small device that operates as a standard Wi-Fi router but has a much broader range.

Evil Twin Attack

An Evil Twin attack is also seen quite often. In this form of attack, a fraudulent server is set up, and users are invited to log in to it using details that can then be stolen by the owner of the server. This type of attack is essentially the Wi-Fi version of a standard phishing scam, a technique for intercepting computer communications. The name of this kind of attack comes from the fact that the user believes that the server they are accessing is legitimate, when in fact they are connecting to its ‘evil twin’.

Man In The Middle attacks are a relatively common, dangerous type of attack. Because of this, you might think they have only been used with malicious intent. Though the majority of MITM attacks are used to steal data and compromise a victim’s system, there have been times when a MITM “attack” has been used for more innocent ends.

The most famous example of this concerns a Wi-Fi router sold by Belkin a few years back. The router would periodically intercept HTTP data being passed through it, and act as a man in the middle. Instead of passing on the traffic to the desired server, the router itself would pose as a server, and deliver an advert for another Belkin product. Belkin sending ads to their customers might sound pretty benign, but the idea of using MITM attack methods (if only to post annoying ads) led to an outcry among those who realized what the router was doing. The ‘feature’ was then quickly removed in a firmware update.

A more severe example of a MITM attack was discovered in Nokia’s Xpress Browser in 2013. Investigators found that the browser was decrypting HTTPS data, and storing this on proxy servers owned by Nokia. In principle, this gave Nokia access to its users’ encrypted data, though Nokia later claimed that there were strict protocols in place to prevent staff accessing and using this data.

Perhaps the most significant MITM attack, though, was implemented by the US National Security Agency (NSA). The documents leaked by Edward Snowden back in 2013 suggested that the agency occasionally posed as Google to gather information on its targets. Though this was hardly the first time that the NSA had used controversial methods to collect data, and though this was not even the first time that an attacker had impersonated Google, the scale of the attack came as a surprise.

Man In The Middle Attack Prevention

How can you avoid becoming the victim of a man-in-the-middle? Though this attack type is quite common, there are some simple steps you can take to reduce your vulnerability.

Strong Encryption

The encryption scheme you use fundamental part of your Wi-Fi security setup and provides a good level of protection against MITM attacks. As wireless technology has advanced over the years, ever stronger encryption protocols have been released, but not all Wi-Fi routers (called access points in the trade) have been upgraded to use them.

You should use a robust encryption protocol on any networks you are responsible: preferably WPA2 alongside AES, which provides the highest levels of protection. Strong encryption makes it much more difficult for an attacker to gain access to the network by just being nearby, and also limits the efficacy of brute-force attacks.

VPN can prevent a man-in-the-middle attack

Protection strategies against MITM attacks include installing a VPN on mobile devices and on the home router. A VPN client will sit on your browser or your OS and use key-based encryption to create a subnet for secure communication. This means that, even if an attacker gains access to this data, they will not be able to read or alter it, and so they will not be able to start a MITM attack.

There are lots of different VPNs to chose from, but you should always go for the VPN that provides the best security and the most robust encryption. Choosing anything less, after all, is like wanting to open yourself up to MITM attacks.

Secure Your WiFi 31-day money-back guarantee

Force HTTPS

HTTPS is a system for communicating securely over HTTP by using a private-public key exchange. This technology has been around for years now, and so every site should be using it, but this is not the case. Some companies even provide two versions of their main site, one secured with HTTPS and one left open with HTTP, allowing users to open themselves up to attack by accident.

Thankfully, there is a way around this problem. You can easily install a plugin for your browser that will force it to use HTTPS on any sites you visit, and give you plenty of warning if this is not available. This way, even if an attacker gains access to your network, they will not be able to decipher the data you exchange with it, and so will not be able to launch a MITM attack.

Public Key Pair Based Authentication

At a more technical level, it is also possible to use a public key pair based authentication system like RSA to authenticate the machines, servers, and applications you are connected to. Since the majority of MITM attacks are implemented by spoofing something, whether this is a redirect to a fake website or impersonating a web application, requiring all levels of a stack to authenticate using public keys can ensure that the only entities connected to your network are those that you want.

Conclusion

Man-in-the-middles are some of the most common forms of cyber attacks and can have significant consequences. By implementing this type of attack, an attacker can steal sensitive information, including authentication details, that can quickly compromise entire systems. Even worse, such attacks are typically persistent, allowing an attacker to collect data over a long period, and are often not detected until long after they have happened.

Limiting your vulnerability to MITM attacks can be done in some ways. Firstly, it is important to realize that the majority of attack vectors for MITM attacks rely on some form of spoofing, whether this is an attacker’s machine pretending to be a server or a fake website that claims to be the real thing. On the most basic level, then, avoiding MITM attacks requires a high level of vigilance. In short, if a Wi-Fi network or website looks suspicious, trust your instincts and don’t share any information!

Another effective way of limiting your risk to MITM attacks is by encrypting everything you do online. This means using the most robust security protocols on your home Wi-Fi router and should also include the use of a VPN with the highest level of encryption. Encrypting everything means that, even if an attacker can intercept your communications, they will not be able to read or alter them, and so will not be able to launch a MITM attack.

Here are some more guides on WiFi Threats:

Take a look at our other guides to ensure you can spot other types of attack.

Cookie	Duration	Description
__stripe_mid	1 year	This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
__stripe_sid	30 minutes	This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
Affiliate ID	3 months	Affiliate ID cookie
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
Data 1	3 months
Data 2	3 months	Data 2
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
woocommerce_cart_hash	session	This cookie is set by WooCommerce. The cookie helps WooCommerce determine when cart contents/data changes.
XSRF-TOKEN	session	The cookie is set by Wix website building platform on Wix website. The cookie is used for security purposes.

Cookie	Duration	Description
__lc_cid	2 years	This is an essential cookie for the website live chat box to function properly.
__lc_cst	2 years	This cookie is used for the website live chat box to function properly.
__lc2_cid	2 years	This cookie is used to enable the website live chat-box function. It is used to reconnect the customer with the last agent with whom the customer had chatted.
__lc2_cst	2 years	This cookie is necessary to enable the website live chat-box function. It is used to distinguish different users using live chat at different times that is to reconnect the last agent with whom the customer had chatted.
__oauth_redirect_detector		This cookie is used to recognize the visitors using live chat at different times inorder to optimize the chat-box functionality.
Affiliate ID	3 months	Affiliate ID cookie
Data 1	3 months
Data 2	3 months	Data 2
pll_language	1 year	This cookie is set by Polylang plugin for WordPress powered websites. The cookie stores the language code of the last browsed page.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_ga_J2RWQBT0P2	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_12584548_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gat_UA-12584548-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
_hjAbsoluteSessionInProgress	30 minutes	No description available.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_hjid	1 year	This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInPageviewSample	2 minutes	No description available.
_hjIncludedInSessionSample	2 minutes	No description available.
_hjTLDTest	session	No description available.
PAPVisitorId	1 year	This cookie is set by the Post Affiliate Pro.This cookie is used to store the visitor ID which helps in tracking the affiliate.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
NID	6 months	This cookie is used to a profile based on user's interest and display personalized ads to the users.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
_app_session	1 month	No description available.
_dc_gtm_UA-12584548-1	1 minute	No description
_gfpc	session	No description available.
71cfb2288d832330cf35a9f9060f8d69	session	No description
cli_bypass	3 months	No description
CONSENT	16 years 6 months 13 days 18 hours	No description
gtm-session-start	2 hours	No description available.
isoCode	1 month	No description available.
L-k26wU	1 day	No description
L-KVHA4	1 day	No description
m	2 years	No description available.
newVisitorId	3 months	No description
owner_token	1 day	No description available.
PP-k26wU	1 hour	No description
PP-KVHA4	1 hour	No description
RL-k26wU	1 day	No description
RL-KVHA4	1 day	No description
wisepops	2 years	No description available.
wisepops_session	session	No description available.
wisepops_visits	2 years	No description available.
woocommerce_items_in_cart	session	No description available.
wp_woocommerce_session_1b44ba63fbc929b5c862fc58a81dbb22	2 days	No description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.