MITM attacks and risks

MAN-IN-THE-MIDDLE ATTACKS AND RISKS

By

Yusuph Kileo
Abstract: The use of information and communication technology (ICT) is growing rapidly, and
cybercrime is growing at the same rate. We witness many cybercrime cases each day; the
Heartbleed bug, the Internet Explorer security flaw, and mobile phone and online banking frauds
are a few examples. All these cybercrimes are facilitated by techniques that allow cybercriminals
to perform the act, and cybercriminals discover new such techniques every day. One of them is the
man-in-the-middle attack, abbreviated MitM, which gives an unauthorized individual (an attacker
or hacker) the ability to take over the communication between two parties in order to change,
modify or replace the data exchanged between them. This paper looks at the major forms of MitM
attack, the risks these attacks pose in our daily lives, and how to protect ourselves from them.
Key words: ARP spoofing, Eavesdropping, Manipulation, Risks, Man-in-the-middle attacks

Introduction
A man-in-the-middle (MitM) attack occurs when an attacker, posing as a legitimate party, initiates
independent communication with the victims in order to sniff any information exchanged between
them. This type of attack poses great risks to banks (through online transactions), government
organizations, internet service providers and individuals.

Fig 1. Demonstration of how a MITM attack takes place [1]
The figure above is a simple demonstration of how a MitM attack works. A cybercriminal can sniff
and read all the information that passes between the two victims and interpret it; in other words,
the attacker gains control of the whole communication. The attacker also makes the victims believe
they are communicating directly with each other over a secure connection.
A MitM attack can be performed either locally or remotely. This makes it harder for victims to
understand how and when they may be under attack. MitM attacks have also been used as a door to
other attacks such as script injection, DoS attacks and SQL injection.
There are two main techniques for performing a MitM attack, known as manipulation and
eavesdropping. Manipulation gives the attacker the ability to receive data, change it or inject
new data, and then retransmit it. An eavesdropper can analyze and record the data exchanged by the
victims. A common example used to demonstrate MitM is an attacker who gains access to a wireless
network and starts reading all of its network traffic.
For the attacker to gain access to the network the victims use to transmit data, the attacker can
either tap the wire directly to intercept transmissions or perform an Address Resolution Protocol
(ARP) poisoning attack to force traffic through a malicious device. ARP poisoning [2] is a
technique in which the attacker sends fake ARP messages on the LAN so that network traffic from
the targeted host is sent to the attacker instead. That traffic may include user names, passwords,
credit card numbers and any other information the attacker wants.
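The defender's view of the ARP poisoning just described is a passive monitor that watches ARP replies and flags an IP address suddenly claimed by a second MAC. The following is an added example, not code from the paper; the sample replies, the pinned gateway binding and the tuple layout are constructed assumptions.

```python
import ipaddress

# Constructed sample of ARP replies seen by a passive monitor on one LAN, as
# (seconds, sender_ip, sender_mac, answers_a_request). Real input would come
# from a packet capture. The gateway 192.0.2.1 is first announced by aa:..:01
# and later, unsolicited, by cc:..:99, which is the signature of ARP poisoning.
SAMPLE_REPLIES = [
    (0.0, "192.0.2.1", "AA:AA:AA:AA:AA:01", True),
    (1.0, "192.0.2.20", "bb:bb:bb:bb:bb:20", True),
    (5.0, "192.0.2.1", "cc:cc:cc:cc:cc:99", False),
    (6.0, "192.0.2.20", "bb:bb:bb:bb:bb:20", False),  # gratuitous but consistent
]

# Assumption: the gateway's genuine MAC is known and pinned by the monitor.
TRUSTED_BINDINGS = {"192.0.2.1": "aa:aa:aa:aa:aa:01"}


def audit_arp(replies, trusted):
    """Flag replies whose IP->MAC binding conflicts with a pinned or learned one.

    Returns (time, ip, claimed_mac, expected_mac, unsolicited) tuples. An
    unsolicited conflict is the strongest poisoning signal; a solicited one may
    be a legitimate NIC swap and should be confirmed out of band.
    """
    table = {ip: mac.lower() for ip, mac in trusted.items()}
    alerts = []
    for ts, ip, mac, answers_request in replies:
        ipaddress.ip_address(ip)  # reject malformed input instead of learning it
        mac = mac.lower()
        expected = table.get(ip)
        if expected is None:
            table[ip] = mac  # first sighting of an unpinned IP: learn it
        elif expected != mac:
            alerts.append((ts, ip, mac, expected, not answers_request))
    return alerts


def summarize(alerts):
    """Human-readable lines for a log or SIEM forwarder."""
    return [f"t={ts:.1f}s ARP conflict: {ip} claimed by {mac}, expected {exp}"
            + (" (unsolicited reply)" if unsol else "")
            for ts, ip, mac, exp, unsol in alerts]


if __name__ == "__main__":
    for line in summarize(audit_arp(SAMPLE_REPLIES, TRUSTED_BINDINGS)):
        print(line)
```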
For a man-in-the-middle attack to succeed, the attacker must satisfy the mutual authentication
between the victim and its intended peer, so that the target is fully convinced it is talking to
the legitimate party. The Secure Sockets Layer (SSL) protocols, designed to provide secure
communication over the internet, recently fell into a major situation after the Heartbleed bug
was discovered [3].
With the recent discovery of this security vulnerability in OpenSSL, it is believed that attackers
not only have the ability to obtain user names and passwords but can also use what they obtain as
input to initiate MitM attacks. In this paper, the forms of MitM attack, the risks that result
from them, recent cases related to MitM attacks and ways to prevent them are discussed. Useful
detailed information on how ARP spoofing works is found in [4], and what to do after Heartbleed
is found in [5].
MitM attack techniques
Eavesdropping
Eavesdropping is mostly seen in wireless networks, where attackers receive in real time all the
information transmitted over the wireless link for further analysis. Preventing such an attack
with the normal security provided with our PCs can be difficult. However, when an attacker is
trying to view your network, you can make it difficult for the attacker to reach the target.
This can be done through the right implementation of security layers, such as Wired Equivalent
Privacy (WEP), a data-link encryption mechanism that was originally intended to secure wireless
networks. Unfortunately, WEP vulnerabilities were uncovered, and those vulnerabilities
drastically increase the risk from eavesdropping.

The POP and IMAP protocols have no encryption mechanism for either data transfer or
authentication, despite being widely used for accessing mail, so their users are at greater risk.
Suggestions to implement WEP2 and WPA instead of WEP were then provided [7]. Additional security
mechanisms such as IPsec, SSH or SSL should also be in place to secure communication while
surfing the internet.
In 2014, the Transport Layer Security (TLS) protocol, which extends security to the data
transferred over the internet, was introduced by CloudFlare [8]. TLS has additional features:
proof of server identity and data encryption. So far TLS and SSL, which make most sites appear as
https://, have proven to resolve man-in-the-middle attacks when a certificate authority (CA)
system is also implemented.
The CA system is designed to stop MitM attacks by allowing the server to keep its private key
secret, so that an attacker cannot obtain a valid certificate. Two possibilities remain for a MitM
attacker to make use of a certificate: either force the server to sign an invalid certificate or
use an invalid certificate. Modern browsers can detect invalid certificates.
Manipulation
Attackers use manipulation to alter data on a network as a further step beyond eavesdropping,
effectively sending data while pretending to be the victim's computer. With the help of ARP
poisoning, an attacker can then change the content of emails, cause a DoS attack, alter instant
messages, or insert new data into database transactions.
Operating systems differ in how they treat manipulation of ARP. When attackers try to manipulate
ARP, some operating systems do not accept duplicate ARP replies for entries that are not already
saved in their ARP table, some accept changes only once the ARP entries have timed out, and others
accept duplicate ARP replies unconditionally. The last group is the most vulnerable to MitM attacks.
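To make the three acceptance behaviours concrete, here is an added model (not from the paper) of one host's ARP table under each policy, replayed against the same sequence of replies; ARP_TTL, the policy names and the event timeline are constructed assumptions.

```python
from enum import Enum

ARP_TTL = 60.0  # assumption: a cached entry is treated as stale after 60 s

class Policy(Enum):
    REJECT_UNSOLICITED = "reply accepted only if this host asked for that IP"
    UPDATE_AFTER_TIMEOUT = "existing entry replaced only once it has timed out"
    ACCEPT_DUPLICATES = "any reply overwrites the entry, solicited or not"

class ArpCache:
    # Minimal model of one host's ARP table under a given acceptance policy.
    def __init__(self, policy):
        self.policy = policy
        self.entries = {}     # ip -> (mac, time learned)
        self.pending = set()  # IPs this host has an outstanding request for

    def request(self, ip):
        self.pending.add(ip)

    def reply(self, ip, mac, now):
        # Apply an incoming ARP reply; return True if the table changed.
        solicited = ip in self.pending
        self.pending.discard(ip)
        current = self.entries.get(ip)
        timed_out = current is None or now - current[1] > ARP_TTL
        if self.policy is Policy.REJECT_UNSOLICITED and not solicited:
            return False
        if self.policy is Policy.UPDATE_AFTER_TIMEOUT and not timed_out:
            return False
        self.entries[ip] = (mac, now)
        return True

    def lookup(self, ip):
        entry = self.entries.get(ip)
        return entry[0] if entry else None

GATEWAY = "192.0.2.1"
GENUINE_MAC, ROGUE_MAC = "aa:aa:aa:aa:aa:01", "cc:cc:cc:cc:cc:99"
# Constructed timeline (seconds, kind, ip, mac): one genuine exchange, then an
# unsolicited duplicate reply for the gateway, and another after the TTL lapses.
EVENTS = [
    (0.0, "request", GATEWAY, None),
    (0.1, "reply", GATEWAY, GENUINE_MAC),
    (5.0, "reply", GATEWAY, ROGUE_MAC),
    (70.0, "reply", GATEWAY, ROGUE_MAC),
]

def gateway_mac_after(policy, events=EVENTS):
    # Replay the timeline into a fresh cache; return who the host thinks the gateway is.
    cache = ArpCache(policy)
    for t, kind, ip, mac in events:
        cache.request(ip) if kind == "request" else cache.reply(ip, mac, t)
    return cache.lookup(GATEWAY)
```

Only the policy that insists on having asked first keeps the genuine gateway through the whole timeline; the timeout policy holds until the entry goes stale, and the permissive policy is poisoned by the first duplicate.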
Techniques such as phishing (mostly through mail), pharming and others have been used to give the
attacker the ability to alter financial transactions without the user's knowledge. Attackers send
phishing mails to gather information such as account numbers, the victim's name and transaction
amounts.

MitM risks
A MitM attack is very different from ordinary hijacking attacks because network traffic is not
interrupted; the risk is therefore high and the attack is hard to notice. The risks include loss
of money, compromise of individuals' privacy and loss of sensitive information.
MitM took a new turn in 2014, making internet use more vulnerable to attack. A recent report
distributed by ITU [9] warns of an increase in MitM attacks in 2014. The report gave online
banking infection statistics reaching 200,000, the highest seen so far. Both computers and mobile
devices are vulnerable to these attacks. Cybercriminals use malware such as PERKEL and ZITMO to
facilitate them.
In February 2014, Apple issued an alert on MitM attacks putting iPhone and iPod at risk due to
security vulnerabilities in iOS 7.0.6, stating that an attacker with a privileged network position
may capture or modify data in sessions protected by SSL/TLS [10]. The National Institute of
Standards and Technology (NIST) described the bug as resulting from a vulnerability in Apple's
Secure Transport feature. Apple's SSL/TLS key exchange message gave MitM attackers room to spoof
SSL using arbitrary private keys.
In March 2014, a white paper by Team Cymru's Enterprise Intelligence Services (CEIS) revealed that
300,000 small office and home office (SOHO) routers had been hijacked using MitM attacks. The white
paper reported that the victims were in Europe and Asia, following an investigation conducted by
Team Cymru's Enterprise Intelligence Services from January 2014. The technique used by the
attackers was pharming, which allowed them to control the data and redirect it to their server.
For years, MitM attacks have been a challenge mostly for wireless network users and for those
performing online transactions. People lose money every day while performing online transactions;
in most cases cybercriminals use a MitM attack to take over the communication initiated by the
user with the site meant to perform the transaction. This may be a bank or any other site that
sells products or services online. MitM has been classified as the most popular attack by which
cybercriminals alter financial transactions.

MitM attacks spread their wings further when the Brazilian television show Fantástico gave
detailed information about how agencies perform MitM attacks on the internet. This shows that MitM
attacks have been practised from many angles, and that the risk is high yet not easily detected by
the victims.
MitM prevention

Preventing attacks is never easy, because every day cybercriminals invent new techniques for
committing cybercrime. Cybercrime affects both individuals and organizations, whose confidential
data and other sensitive information are put in jeopardy.

Several mechanisms can be implemented to help an individual fight MitM attacks. These include the
use of strong passwords (ones containing lower-case letters, capital letters, numbers and special
characters), avoiding connections to open wireless networks, and making sure you use https or TLS
whenever surfing the internet.

In addition, anti-virus software must be kept updated at all times. When banking over the internet,
an individual should make a habit of avoiding strange websites. Banks should implement e-signatures
(the ideal security control for fighting man-in-the-middle attacks), which verify genuine users and
prevent attackers from altering transactions.
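The e-signature control recommended above works because a tag computed over every transaction field by the customer cannot be recomputed by an intermediary that changes those fields. The following is an added illustration, not the paper's or any bank's code: it uses an HMAC with a shared per-customer secret as a stand-in for a true digital signature, and the key, account numbers and transaction values are constructed.

```python
import hashlib
import hmac
import json

# Assumption: the customer's device and the bank share a per-customer secret
# provisioned out of band; an HMAC over the transaction stands in for the
# e-signature the paper recommends (a public-key signature works the same way).
CUSTOMER_KEY = b"constructed-demo-key-do-not-reuse"

def canonical(tx):
    """Stable byte encoding so both sides sign exactly the same fields."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def sign_transaction(tx, key):
    """Customer side: the tag covers every field, including the one-time tx id."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()

def bank_accepts(tx, tag, key, seen_ids):
    """Bank side: reject a bad tag (tampering) or a reused id (replay)."""
    if not hmac.compare_digest(sign_transaction(tx, key), tag):
        return False
    if tx["tx_id"] in seen_ids:
        return False
    seen_ids.add(tx["tx_id"])
    return True

def relay_with_tampering(tx):
    """Constructed model of a manipulating intermediary rewriting payee and amount."""
    altered = dict(tx)
    altered.update(payee="ATTACKER-ACCT", amount="9990.00")
    return altered

# Constructed sample transaction as the customer's device would submit it.
ORIGINAL_TX = {"tx_id": "2014-04-22-0001", "payer": "ACCT-1001",
               "payee": "ACCT-2002", "amount": "120.00", "currency": "TZS"}

def demo():
    """Honest submission, tampered relay, and replay of the honest one."""
    seen = set()
    tag = sign_transaction(ORIGINAL_TX, CUSTOMER_KEY)
    honest = bank_accepts(ORIGINAL_TX, tag, CUSTOMER_KEY, seen)
    tampered = bank_accepts(relay_with_tampering(ORIGINAL_TX), tag, CUSTOMER_KEY, seen)
    replayed = bank_accepts(ORIGINAL_TX, tag, CUSTOMER_KEY, seen)
    return honest, tampered, replayed  # expected (True, False, False)
```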

Conclusion

There are ongoing efforts and research in this area by various people, and there are many
writings on the fight against MitM and cybercrime at large. We acknowledge them and call for more
awareness of the attack to be provided.
Our target is to ensure that each individual is aware of this rapidly growing type of attack,
which opens multiple doors to other types of attack, as discussed earlier in this paper. With
financial sectors such as banks being the main target of this type of attack, it is time for both
customers and banks to implement security controls to prevent it, as suggested in this paper.

With the new vulnerabilities that cyber security continues to experience, for example the Internet
Explorer (IE) and Heartbleed bugs which facilitate MitM attacks, cyber defenses against these
attacks still need to be in place. More techniques and ways to help fight this type of crime will
be discussed in order to reduce it.
References
[1] Computer Hope's free computer help. 2014. [ONLINE] Available at: http://www.computerhope.com. [Accessed 22 April 2014]
[2] John R. Vacca, 2013. Cyber Security and IT Infrastructure Protection, 1st Edition. Syngress.
[3] Krebs (2014). "Heartbleed Bug Exposes Passwords, Web Site Encryption Keys." April 12. Krebs on Security [online] [Accessed April 21] Available from: <http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys>
[4] Bruce Potter, 2002. 802.11 Security. 1st Edition. O'Reilly Media.
[5] Krebs (2014). "Heartbleed Bug: What Can You Do?" April 12. Krebs on Security [online] [Accessed April 21] Available from: <http://krebsonsecurity.com/2014/04/heartbleed-bug-what-can-you-do/>
[6] Matthew Barber, 2013. Wireless Security 96 Success Secrets: 96 Most Asked Questions On Wireless Security - What You Need To Know. Emereo Publishing.
[7] It Came Out of the Sky -- WEP2, Credibility Zero. 2014. [ONLINE] Available at: http://www.starkrealities.com/wireless003.html. [Accessed 22 April 2014]
[8] CloudFlare Blog. 2014. [ONLINE] Available at: http://blog.cloudflare.com/. [Accessed 22 April 2014]
[9] Trend Micro (2014). Trend Micro security predictions for 2014 and beyond. Press release, issued Jan 2014.
[10] About the security content of iOS 7.0.6. 2014. [ONLINE] Available at: http://support.apple.com/kb/HT6147. [Accessed 24 April 2014].
