Understanding Man-in-the-Middle attacks and How to Prevent Them (WK 5&6)

TL;DR: Man-in-the-middle (MITM) attacks have been around for decades and are still a popular form of attack. But they are largely preventable if a few concrete steps are taken: HTTPS deployed properly with HSTS on the server side, and a VPN on any network you don't control.


The man-in-the-middle attack has been around for quite some time. The problem was described as early as 1981, when Dr. Leslie Lamport published “Password authentication with insecure communication” (Lamport, 1981), which designs password authentication for exactly the setting where an intruder can eavesdrop on, and tamper with, the channel between user and system. A MITM attack consists of the attacker placing themselves between two parties and intercepting, and possibly altering, the traffic between them. Getting into that position is the most challenging part of the attack; once there, reading or modifying any unprotected traffic is straightforward.

How the Attack is Performed

While there are many ways to perform a MITM attack, this article will focus on how the attack is performed over Wi-Fi. A MITM attack is easier to perform against a Wi-Fi access point that is open to the public, both because many users connect to it and because an open network has no passphrase that the fake access point would need to know in order to complete the connection. To perform the attack, a laptop and a Wi-Fi Pineapple Nano or similar device with a monitor-mode wireless card is needed. The attacker has to do some prep work before performing the attack on a public Wi-Fi access point. The attack involves creating an evil twin access point, forcing the target to disconnect from the legitimate access point, and relying on the target's device to reconnect to the evil twin.

For instance, let's say that the name (SSID) of the Wi-Fi access point is “Harry & Mae's Wi-Fi”, its MAC address (BSSID) is 60-35-EC-4D-C4-41, and it is broadcasting on channel 6. The attacker first clones Harry & Mae's BSSID and creates an evil twin access point with the same SSID but broadcasting on a different channel that doesn't overlap the original (in the 2.4 GHz band, channels 1, 6 and 11 do not overlap, so channel 1 or 11 would be chosen). Next, the attacker transmits deauthentication frames forged to look as if they come from the real access point, addressed either to a specific client or to the broadcast address to drop every client at once. These management frames carry no authentication, so any monitor-mode card can forge them. Then the attacker launches the evil twin and waits: client devices automatically reconnect to a remembered SSID, and they prefer the strongest signal, which the attacker's nearby radio usually is. Two caveats limit this step. If the network uses Protected Management Frames (802.11w), which WPA3 requires, the forged deauthentication frames are rejected and the client stays put. And if the network is protected by WPA2-PSK rather than open, the evil twin cannot complete the handshake without the passphrase.
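As an added example (not code from the original post, nor from the Wi-Fi Pineapple or aircrack-ng tools it describes), the following Python builds the 802.11 deauthentication frame the attacker transmits in the step above, with the access point's address as the forged sender, and then shows the check a wireless IDS runs against it: counting deauthentication frames per sender. The access point address is the one from the paragraph above; the client address and the list of captured frames are constructed for the example.

```python
import struct
from collections import Counter

# Constructed example addresses (not real devices). The AP address is the
# one from the text above; the client address is a hypothetical victim.
AP_BSSID = "60:35:EC:4D:C4:41"
CLIENT = "f4:5c:89:aa:bb:cc"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# 802.11 frame control for type 0 (management), subtype 12 (deauthentication),
# no flags. Stored little-endian on the wire, so the first byte is 0xC0.
FC_DEAUTH = 0x00C0
# Reason code 7: "Class 3 frame received from non-associated STA", the code
# deauth tools commonly use.
REASON_CLASS3_NONASSOC = 7


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_deauth(ap_bssid: str, target: str, seq: int = 0,
                 reason: int = REASON_CLASS3_NONASSOC) -> bytes:
    """Forge the 26-byte deauthentication frame (FCS excluded).

    addr1 = receiver: the client, or broadcast to kick everyone
    addr2 = transmitter, forged as the AP's MAC
    addr3 = BSSID
    Nothing in the frame proves who sent it; only 802.11w (PMF) adds a
    MIC that lets the client reject a forged copy.
    """
    header = struct.pack("<HH6s6s6sH",
                         FC_DEAUTH,
                         0x013A,                      # duration/ID, as in common tools
                         mac_bytes(target),
                         mac_bytes(ap_bssid),
                         mac_bytes(ap_bssid),
                         (seq & 0x0FFF) << 4)         # sequence number, fragment 0
    body = struct.pack("<H", reason)
    return header + body


def parse_frame(frame: bytes) -> dict:
    """Decode the header fields a monitor-mode sensor needs."""
    fc, _dur, a1, a2, a3, seqctl = struct.unpack("<HH6s6s6sH", frame[:24])
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    info = {"type": ftype, "subtype": subtype, "dst": mac_str(a1),
            "src": mac_str(a2), "bssid": mac_str(a3), "seq": seqctl >> 4}
    if ftype == 0 and subtype == 12:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def detect_deauth_flood(frames, threshold: int = 10) -> dict:
    """Return {sender: count} for senders with >= threshold deauth frames.

    A healthy AP sends a handful of deauths a day; dozens in a burst,
    all "from" one BSSID, is the signature of the attack described above.
    """
    counts = Counter()
    for f in frames:
        p = parse_frame(f)
        if p["type"] == 0 and p["subtype"] == 12:
            counts[p["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed capture: a burst of 64 broadcast deauths forged as the AP.
    capture = [build_deauth(AP_BSSID, BROADCAST, seq=i) for i in range(64)]
    print(parse_frame(capture[0]))
    print(detect_deauth_flood(capture))
```

The detector keys on the forged transmitter address on purpose: the attacker cannot avoid putting the real BSSID there, because a deauthentication frame from any other address would be ignored by the clients.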

The man-in-the-middle attack is used to collect sensitive information that is exchanged between two parties. The perpetrator inserts himself between the two parties and intercepts any information that is being sent between them before forwarding it on to the intended receiver. By intercepting the packets sent between the two parties, the perpetrator can read the data they carry or change it in transit, as long as that data is not protected by encryption the attacker cannot break. Over plain HTTP or other unencrypted protocols, this means usernames, passwords, pictures, and VoIP calls.

Another way to conduct a man-in-the-middle attack is to simply create an open Wi-Fi hotspot in a public place and wait to see who connects. An example of this would be an individual in a coffee shop who wants to surf the web to pass the time while they wait for their order. Most people don't pay close attention to which network they are connecting to; if the name of the Wi-Fi network matches the name of the place they are in, they assume it must be legitimate. The individual connects to the malicious access point and goes about their business without a second thought about what they have just done. This should come as no surprise considering the statistics on how individuals view public Wi-Fi. A study conducted by OWI Labs showed that 81 percent of Americans “turn to public Wi-Fi either on occasion or regularly” (Hughes, 2018). That same study also revealed that only 18 percent never use public Wi-Fi and only 1 percent use a VPN when using public Wi-Fi. Considering these statistics, it's understandable why this type of attack is popular among malicious attackers.


How to Protect Against a Man-in-the-Middle Attack

After reviewing how the attack is performed and the statistics on public Wi-Fi use, next we will focus on how to prevent a MITM attack. Some readers of this blog post may already be thinking that HTTPS is the kryptonite of MITM attacks, and to an extent they are correct: a properly validated TLS connection stops an on-path attacker from reading or modifying the traffic. But HTTPS is only effective against MITM attacks if it is implemented properly. The weak point is the plain-HTTP request a browser makes before it is redirected to HTTPS. An attacker on the path can answer that request themselves and keep the victim on HTTP for the whole session, an SSL-stripping attack. The key to closing that gap is to also implement HTTP Strict Transport Security (HSTS).

According to Netcraft, an internet security services company, “Only 1 in 20 HTTPS servers correctly implements HTTP Strict Transport Security, a widely-supported security feature that prevents visitors making unencrypted HTTP connections to a server” (Mutton, 2016). HSTS is important because, once a browser has seen the header on an HTTPS response, it rewrites any http:// URL for that host to https:// before sending a request and refuses to let the user click through certificate errors, so an attacker can neither strip the encryption nor substitute their own certificate. Three caveats explain why so many deployments fail the test. The header is ignored if it arrives over plain HTTP. It only protects after the first successful HTTPS visit, unless the domain is on the browsers' built-in preload list. And the max-age must be long enough (a year is the usual recommendation) that the policy does not lapse between visits. But this isn't the only type of protection an individual can employ to prevent MITM attacks.
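As an added example, and not code from the original post or from any real browser, the following Python models how a browser applies HSTS, so that the first-visit gap and the "header sent over HTTP" mistake from the paragraph above can be seen concretely. The host names (bank.example, other.example), the headers and the timestamps are constructed for the example; the preload-list requirements checked by policy_weaknesses are those published at hstspreload.org (max-age of at least one year and includeSubDomains).

```python
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list accepts


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797)."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            out["max_age"] = int(val)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def policy_weaknesses(value: str) -> list:
    """Flag a deployed header against the preload-list requirements."""
    p = parse_hsts(value)
    issues = []
    if p["max_age"] is None:
        issues.append("missing max-age")
    elif p["max_age"] < ONE_YEAR:
        issues.append(f"max-age {p['max_age']} shorter than one year")
    if not p["include_subdomains"]:
        issues.append("no includeSubDomains")
    return issues


class HstsCache:
    """Hypothetical minimal model of a browser's HSTS store."""

    def __init__(self, preload=()):
        # host -> (expiry as unix seconds, include_subdomains)
        self.entries = {h.lower(): (float("inf"), True) for h in preload}

    def observe(self, url: str, headers: dict, now=None) -> bool:
        """Learn from a response; return True if a policy was stored.

        RFC 6797 section 8.1: the header is ignored on a plain-HTTP
        response. This is one of the misconfigurations Netcraft counted.
        """
        now = time.time() if now is None else now
        u = urlsplit(url)
        if u.scheme != "https":
            return False
        raw = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), None)
        if raw is None:
            return False
        p = parse_hsts(raw)
        if p["max_age"] is None:
            return False
        host = u.hostname.lower()
        if p["max_age"] == 0:
            self.entries.pop(host, None)  # max-age=0 withdraws the policy
            return True
        self.entries[host] = (now + p["max_age"], p["include_subdomains"])
        return True

    def is_known(self, host: str, now=None) -> bool:
        """Exact host match, or a superdomain match with includeSubDomains."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def resolve(self, url: str, now=None) -> str:
        """The URL the browser actually fetches for a link it was handed.

        An SSL-stripping proxy hands the victim http:// links; a known
        host is upgraded before any request leaves the machine, an
        unknown one (first visit, or expired policy) is not.
        """
        u = urlsplit(url)
        if u.scheme == "http" and self.is_known(u.hostname, now):
            netloc = u.netloc[:-3] if u.netloc.endswith(":80") else u.netloc
            return urlunsplit(("https", netloc, u.path, u.query, u.fragment))
        return url
```

Walking through the scenario from the text: a fresh cache leaves http://bank.example/login alone (the first-visit gap an attacker exploits), the same header on an HTTP response teaches it nothing, and only after one HTTPS response with max-age and includeSubDomains does every later http:// link to the host and its subdomains get upgraded, until max-age runs out.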

One of the best ways for an individual to combat MITM attacks on a network they don't control is a VPN. It tunnels all of the device's traffic, encrypted, to a server the hotspot owner cannot see inside, so an evil twin sees nothing but VPN packets, whether or not the web sites visited use HTTPS. A VPN moves trust from the hotspot to the VPN provider rather than eliminating it, so the provider should be chosen with that in mind. Sadly, as mentioned earlier, not enough people use a VPN when they are on public Wi-Fi. This simple and easy-to-use service could prevent many MITM attacks and save individuals from having their personal information stolen.

So, why aren't more people using HTTPS and VPNs? Unfortunately, many are unaware of these technologies and how they work. This is where more education is needed to inform public Wi-Fi users how to protect themselves while on public Wi-Fi and from MITM attacks. One way to reach the public would be a marketing campaign targeted at these users. Unfortunately, that seems very unlikely to happen because of the amount of money that would need to be spent. In the meantime, we can all do our part by using these tools ourselves and sharing what we know about them with those around us. By doing this, we can all make an effort to prevent these types of attacks from happening.


To view a basic demonstration of an Evil Twin and MITM attack, please view the videos below.

Evil Twin


Man-In-The-Middle Attack





Sources

Dolly, J. (2018, January 9). Why you should never, ever connect to public WiFi. Retrieved April 9, 2020, from https://www.csoonline.com/article/3246984/why-you-should-never-ever-connect-to-public-wifi.html

Hughes, N. (2018, June 28). Despite security risks of free public Wi-Fi, 81% still connect to it, OWI Labs survey finds. Retrieved April 8, 2020, from https://oneworldidentity.com/despite-security-risks-free-public-wi-fi-81-percent-still-connect-owi-labs-survey-finds/

Lamport, L. (1981). Password authentication with insecure communication. Communications of the ACM, 24(11), 770–772. doi: 10.1145/358790.358797

Mutton, P. (2016, March 17). 95% of HTTPS servers vulnerable to trivial MITM attacks. Retrieved April 9, 2020, from https://news.netcraft.com/archives/2016/03/17/95-of-https-servers-vulnerable-to-trivial-mitm-attacks.html
