What you need to know about ‘man in the middle’ attacks

If we ever share a WiFi network, chances are I can intercept what you’re doing.

‘Man in the middle’ attacks have been around for about as long as the Internet itself, and so those familiar with network security will already be well aware of the threat posed by ‘ARP spoofing’ or ‘poisoning’. The thing is, most people aren’t familiar with the basics of protecting their communications online, and even those who are don’t always take the precautions that they know in theory they should be.

The protection of private information, and ensuring data integrity, has recently been thrown into the spotlight more than ever before, thanks to the ongoing revelations of mass interception of data by organisations such as the NSA. On top of that, the massive proliferation of Internet-capable devices that we carry around everywhere has meant that we now have a whole new dizzying array of ways for others to access our data without our knowledge or consent. Arguably, these mobile devices are even more at risk because of their tendency to default to insecure, public wireless networks. Specialists at the computer security conference DefCon recently warned that the worst, or most sophisticated, of these attacks may be yet to come, but the fact is that simple, well-known tools freely available on the Internet allow anybody with basic technical knowledge to interfere with your connection whilst on wireless networks. It’s worth having another look at what we can do to guard against this happening.

What is a ‘man in the middle’ attack?

Without going into the technical details of how these attacks actually work, in a ‘man in the middle’ attack the attacker’s device essentially sticks its hand up first when your device is looking for an appropriate router to connect to, and pretends to be the place you actually want to reach.

Essentially, instead of connecting to the network through the route you might expect (like a wireless router) you get redirected via another device first. This means that all of your traffic is flowing through an additional step before getting onto the Internet, and allows anybody in control of that piece of equipment access to it.

This is incredibly easy to do, and there are many real-world examples of it in the field. One of the more infamous comes in the decidedly fruity shape of the WiFi Pineapple… a rogue device that convinces network traffic to connect to it rather than the intended, legitimate source. However, even this is bulky in comparison to what is now on offer through mobile phone apps… which are harder to find or identify if they are ever detected.

What are the dangers?

It should hopefully be pretty obvious why you wouldn’t want wee Davey sitting in the corner of Starbucks intercepting everything that you’re doing online, but even if you’re not all that concerned about anybody knowing which websites you visit and when, there are other, more potent dangers that the man in the middle poses.

Denial of Service

Finding Internet speeds too slow on a shared network connection? Not a problem for the man in the middle! As their device is acting as an intermediary checkpoint between yourself and the glorious open highways of the Internet, then they can simply… refuse to let you go any further. After convincing all of the devices on a network to use it as a gateway, those making use of this tactic can deny every single one of them access, and make use of the entire bandwidth available on that connection themselves. In effect, the man in the middle has a master switch to your use of any network you both are trying to make use of.

URL Redirection/DNS Spoofing

Really like NyanCat? What about 80s pop sensations? Probably just as well, as redirecting every page you try to visit to these websites is a particularly favourite past-time of the mischievous man in the middle. Oh those tricksters!

This might sound harmless enough, but is actually just a tame example of what is possible with this sort of technology. Imagine that instead of checking out the BBC News website, you were actually logging in to your online banking account, and were instead nefariously redirected to an identical-looking page that was actually run by the attacker – completely unbeknownst to you…

You can see the problem here.

SSL Stripping

‘Psht, so what?’, I hear you cry! ‘I always use SSL when I’m logging in anyway.’

Sorry, but in practice, this alone doesn’t make a whole lot of difference when it comes to man in the middle attacks.

For those not familiar with what SSL (or Secure Socket Layer) means, it is essentially what the little padlock displayed by the browser when you’re online (usually making a payment) represents. This means that all of the traffic between you and that website, at that point, is encrypted. Even if somebody is monitoring what you’re doing remotely, then they can’t see any of what you submit.

So… problem solved?

Not quite.

Whilst SSL is widely used for financial transactions (such as over PayPal), in practice, it’s far from perfect. Many websites still do not offer SSL connections by default, requiring you instead to specifically turn them on. Many simply require encryption for the login process, and not anything afterwards (which we’ll get to in the next section). Even those that do default to a secure connection, often still run the insecure service as well. It wasn’t too long ago that Facebook were operating precisely in this fashion.

Since most people take this for granted, it is fairly easy to redirect a computer under the spell of this sort of poisoning attack to the non-SSL version of a website, without it ever occurring to the user to check.

Session Hijacking

Ahhh, session hijacking. That old favourite!

Ever left your Facebook profile logged in on a friend’s computer, only to return home and find some oh-so-hilarious status update that they’ve chosen to ‘frape’ you with?

Imagine this, but with people you don’t know, and without ever logging onto their computer… and you’ve got the gist of session hijacking.

When you log in to a website, it remembers who you are for the duration of that ‘session’. This can last for varying lengths of time, depending on whether you choose to have it ‘keep you logged in’ or not, and can use different mechanisms for doing so, but the details are largely unimportant. What matters is that when these sessions are not secured, anybody with access to the flow of traffic can reach in and pick up where you left off. Logged into YouTube recently? Nice… So has the man in the middle! At the time of writing, YouTube does not default to SSL connections, and so dropping in to read your messages (or worse) is as easy as walking through an open door.
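To make the last two sections concrete from the defender’s side, here is an added example (not code from the original post, and not from any site mentioned in it) that audits a single HTTP response for the two weaknesses they describe: a site that never sends a Strict-Transport-Security header leaves the browser willing to accept the plain-HTTP version (the downgrade that SSL stripping relies on), and a session cookie without the Secure flag is sent along with that plain-HTTP request, which is all that session hijacking needs. The sample headers and the list of cookie-name hints are constructed assumptions for the example.

```python
# Added example (not from the original post): audit one HTTP response for the
# two weaknesses described above. A site that never sends
# Strict-Transport-Security lets a man in the middle serve the plain-HTTP
# version (SSL stripping), and a session cookie without the Secure flag is
# sent along with that plain-HTTP request, which is all session hijacking
# needs. The sample headers below are constructed, not captured from any site.
import re
from typing import Dict, List, Tuple

# Cookie names that usually carry a logged-in session (a heuristic, assumed).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: val})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        elif part:
            attrs[part.lower()] = ""
    return name, attrs


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def hsts_max_age(value: str) -> int:
    """Return max-age from an HSTS header value, or 0 if absent/unparseable."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else 0


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return human-readable findings for one response's (name, value) headers."""
    findings: List[str] = []
    hsts_seen = False
    for hname, hval in headers:
        key = hname.lower()
        if key == "strict-transport-security":
            hsts_seen = True
            if hsts_max_age(hval) == 0:
                findings.append("HSTS present but max-age=0: browser forgets the HTTPS-only rule")
        elif key == "set-cookie":
            cname, attrs = parse_set_cookie(hval)
            if not looks_like_session_cookie(cname):
                continue  # a theme or language preference is not worth stealing
            if "secure" not in attrs:
                findings.append(f"cookie {cname!r} lacks Secure: it is sent over plain HTTP too")
            if "httponly" not in attrs:
                findings.append(f"cookie {cname!r} lacks HttpOnly: readable by page scripts")
    if not hsts_seen:
        findings.append("no Strict-Transport-Security: a plain-HTTP downgrade is accepted")
    return findings


# Constructed sample responses: the "encrypt the login, nothing afterwards"
# setup the text describes, and the hardened equivalent.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_headers(resp) or ['no findings']}")
```

Run against the weak response it reports the missing Secure and HttpOnly flags on the session cookie and the absence of HSTS; the hardened response produces no findings. The same checks apply to a real response if you feed it the header list from an HTTP client, which is exactly the condition HTTPS Everywhere compensates for on the client side when a site fails them.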

How can I protect myself?

Without a doubt, these attacks are something that everybody should be aware of, but most people aren’t – partly because of the technical nature of the problem. However, there are some simple things you can do to avoid this type of attack.

HTTPS Everywhere

HTTPS Everywhere is a plugin for Google Chrome and Firefox which automatically forces the browser to go to the secure version of a website where one is available, and sends all of the traffic over SSL. No need to fiddle about with the settings of individual services, or to work out which sites offer SSL and which don’t. HTTPS Everywhere does the work for you.

Use an encryption service

There are various different services that you can use to route all of your network traffic through that will prevent the man in the middle from being able to simply intercept your data like in the above explanation. If configured correctly, it won’t matter whether a website has SSL enabled or not, the attacker using this method won’t see anything but scrambled information.

The ‘Tor’ service is free, and will effectively anonymise your activity online – but can have a significant effect on the speed of your connection. Whole academic papers can (and have been) written on what Tor is, and how it works, so see here for a good introduction.

A good quality VPN service will encrypt all of your network traffic when configured correctly, with no meaningful impact on your connection speed. It’s also a quick and easy way to bypass local network restrictions, such as the upcoming proposed UK Internet filter. Premium services aren’t free, but there are alternatives available. I’ve written in more detail about VPN in the past, so check out this blog post for more information.

Both Tor, and VPN services can be used on your laptop, desktop, or mobile devices.

Further Securing against the man in the middle

Using an encryption service will keep the data you transmit over a network secure, which is the primary concern with man in the middle attacks. However, it won’t necessarily stop the denial of service attack that was explained above. Whilst there aren’t many, there are a few utilities that Android, Windows, and Mac users can make use of to kill off an attempt completely, or at least be notified that it is happening. If anybody is aware of any other effective utilities – especially for Windows/the iPhone – please get in touch!

One of the highest rated for Android phones is WiFi Protector. As well as blocking common man in the middle attacks such as session hijacking, it also appears to protect against attempts at denial of service. At the time of writing, this is only available to users who are familiar with the technical side of phones (e.g. those who have rooted their device), and can be found on the XDA-Developers forum.

Again for Android, DroidSheep Guard is a free app that alerts of possible man in the middle attacks, and is available in Google Play. This is one of the easiest to use, with one of the nicest interfaces that I’ve come across. Always a bonus!

Mocha is a small tool for Mac users that will run in the background and alert you to any changes to the network configuration that may suggest a man in the middle attack. If you are connected to a WiFi hotspot and the physical address (MAC address) changes, it is possible that someone is attempting to redirect your traffic via their device. (Note that this will not work if you connect to a new hotspot which is already subject to ARP spoofing). It can be found via MacUpdate here.
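The check that Mocha performs can be shown offline. The following is an added example written for this post (it is not Mocha’s code, nor any of the other tools’): it takes successive snapshots of the device’s neighbour table (the text printed by `ip neigh` or `arp -a`; any platform’s layout works because only the IPv4/hardware-address pairs are extracted), learns the gateway’s hardware address from the first snapshot, and raises an alert when that address changes or when one hardware address answers for more than one IP address. The snapshots and the gateway IP are constructed assumptions, and the caveat from the paragraph above is built in: if the network is already being poisoned when the watcher starts, the first address it learns is the wrong one.

```python
# Added example (not from the original post, and not Mocha's code): a
# Mocha-style watcher for the local neighbour (ARP) table, run offline on
# constructed snapshots. It learns the gateway's hardware address from the
# first snapshot and alerts when that address changes or when one hardware
# address claims several IP addresses.
import re
from collections import defaultdict
from typing import Dict, List, Optional

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Two hex digits per octet on Linux/Windows, but macOS `arp -a` drops leading zeros.
MAC_RE = re.compile(r"\b((?:[0-9a-fA-F]{1,2}[:-]){5}[0-9a-fA-F]{1,2})\b")


def normalise_mac(mac: str) -> str:
    """Lower-case, colon-separated, zero-padded form so that variants compare equal."""
    return ":".join(part.zfill(2) for part in re.split(r"[:-]", mac.lower()))


def parse_neighbour_table(text: str) -> Dict[str, str]:
    """Map each IPv4 address in the table text to its hardware address."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        ip_match, mac_match = IPV4_RE.search(line), MAC_RE.search(line)
        if ip_match and mac_match:
            table[ip_match.group(1)] = normalise_mac(mac_match.group(1))
    return table


class GatewayWatch:
    """Remembers the gateway's hardware address and reports anything that contradicts it."""

    def __init__(self, gateway_ip: str) -> None:
        self.gateway_ip = gateway_ip
        self.known_mac: Optional[str] = None  # learned from the first snapshot

    def check(self, table_text: str) -> List[str]:
        alerts: List[str] = []
        table = parse_neighbour_table(table_text)
        gw_mac = table.get(self.gateway_ip)
        if gw_mac is not None:
            if self.known_mac is None:
                # Caveat from the text: if the network is already being poisoned
                # when we join, this first value is the attacker's address.
                self.known_mac = gw_mac
            elif gw_mac != self.known_mac:
                alerts.append(
                    f"gateway {self.gateway_ip} moved from {self.known_mac} to {gw_mac}"
                )
        # One hardware address claiming several IPs is the classic poisoning footprint.
        by_mac: Dict[str, List[str]] = defaultdict(list)
        for ip, mac in table.items():
            by_mac[mac].append(ip)
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                alerts.append(f"{mac} answers for {', '.join(sorted(ips))}")
        return alerts


# Constructed snapshots in `ip neigh` layout: a clean table, then the same
# network after the host at 192.168.1.23 has started answering for the gateway.
SNAPSHOT_CLEAN = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.23 dev wlan0 lladdr 02:11:22:33:44:55 STALE
192.168.1.40 dev wlan0 lladdr 0e:99:88:77:66:55 REACHABLE
"""
SNAPSHOT_POISONED = """\
192.168.1.1 dev wlan0 lladdr 02:11:22:33:44:55 REACHABLE
192.168.1.23 dev wlan0 lladdr 02:11:22:33:44:55 STALE
192.168.1.40 dev wlan0 lladdr 0e:99:88:77:66:55 REACHABLE
"""

if __name__ == "__main__":
    watch = GatewayWatch("192.168.1.1")  # assumed gateway address
    for snapshot in (SNAPSHOT_CLEAN, SNAPSHOT_POISONED):
        print(watch.check(snapshot) or ["no change"])
```

Polling the real table every few seconds and feeding each result to `check` gives the same behaviour the paragraph describes for Mocha. A changed gateway address is not proof on its own (a router that was replaced or rebooted with a new adapter looks identical), so the duplicate-address alert is the one that most directly indicates another host on the network is impersonating the gateway.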

CUTe ARP Protector is a tool for the more technically minded, and is available for Windows on their own website. Another useful Windows tool that has both free and premium versions is XArp, or ARP AntiSpoof (Windows/Linux).

Be vigilant

There is no single way to completely prevent man in the middle attacks from impacting your network connectivity. Most of the advice that is given from people who skim the surface of this topic boils down to “don’t use open wireless networks”. Uhh, right. Nice idea pal, but not a practical reality. As we rely more and more on disparate WiFi networks, we all need to be aware of the dangers of insecure communications, and take steps to reduce the risks. These aren’t limited solely to open networks, but any that are shared – such as in a workplace or University. Just because they are secured with a keyphrase, doesn’t mean they are any more secure than a public hotspot in an Internet cafe. Some types of wireless network are more secure than others, but it’s up to you to ensure the integrity of your own data.

If you only do one thing after reading this blog, then sign up for a VPN service and start using it on shared networks. Make sure you check that you’re connected to websites over SSL when you expect to be, and if something doesn’t seem right, disconnect and log in somewhere else. It’s a first step towards keeping your personal information safe.

Man in the middle and WiFi Pineapple images by Nadine Khatib
Amor Group
