Man in the middle attacks

How can I avoid being a victim of MITM?

A fair number of security advisories mention Man In The Middle (MITM) attacks. It’s quite an evocative phrase, but it’s a phrase meant mainly for the infosec community; it doesn’t help your typical end user understand the risks.

So what is a MITM attack, and how can I avoid becoming a victim?

Before we get into technology, let’s look at something we all know about: the boring snail mail postal system. You write a letter, stick it in an envelope, drop it in a postbox, and sometime later it appears at the recipient’s house.

In transit, many people may touch the letter: the postman who empties the postbox; the people at the local post office who sort it for local delivery or forward it to the regional hub; the sorters at the regional hub and at many other hubs on the way to the recipient’s local post office. If you send a postcard then anyone at these places could read your words, or even change them. All of these people are potential MITM attackers; they sit between you and your recipient and can do nasty things.

So we put things inside envelopes and hope no one steams open the envelope and reseals it afterwards. This isn’t even a new problem, and is one reason why [wax seals](https://en.wikipedia.org/wiki/Seal_(emblem%29) were popular: they provided evidence of tampering.

So what does this have to do with the internet and technology?

When you talk to a webserver, the data you send travels much like a traditional letter. It goes from your PC to your local router, from there to your ISP’s router, then across various other routers to the webserver’s local gateway and finally to the server. At each point the traffic could be snooped upon or modified. Even worse, there are effectively invisible points in between (switches, hubs, bridges, etc.) where traffic can also be spied upon.

Now, in reality, the majority of this “backbone” is pretty secure. Major ISPs, just like your post office, try hard to stop traffic from being stolen. But just as postal workers have stolen mail, it is possible for this backbone infrastructure to be compromised, even from the outside.

Slightly annoyingly, some ISPs deliberately MITM consumer connections to insert adverts into the browser; Verizon have added tracking cookies on their mobile network.

Depending on where you are, ISP level MITM attacks may not be a great risk. (At least if you ignore FBI, NSA et al!). But some places may be more risky; China and North Korea can be pretty much guaranteed to be MITMing traffic.

But if this was the only problem then a MITM attack wouldn’t be big news. Fortunately the solution to the bigger risk can also help here.

A bigger risk

The greater risk is closer to you; how you connect to the network.

Are you connecting from an office? If so then you are likely to be connected to a switch, rather than directly to a router. In the old days this would have been a hub, and every one of your co-workers on the same hub could see your traffic. With a switch it’s harder for them to see it… but some switches can be forced to drop back to hub mode. Or your co-worker could send spoofed ARP replies to make your machine think they are the default gateway. Or even tamper with the wiring!
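As an added example (not part of the original post), here is a small defender-side check for the gateway-impersonation trick just described: it parses snapshots in the layout of Linux’s /proc/net/arp (the sample snapshots and the MAC/IP values below are constructed) and flags the two classic ARP-spoofing symptoms, the gateway’s MAC changing between snapshots and one MAC claiming several IPs.

```python
# Added example: ARP-spoofing symptoms from /proc/net/arp style snapshots.
# Run it periodically against the real file on a Linux box; on other
# platforms feed it the equivalent of `arp -a` after adapting the regex.
import re

# /proc/net/arp columns: IP, HW type, flags, HW address, mask, device
ARP_LINE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\S+\s+(?P<dev>\S+)",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return {ip: mac} for resolved entries (unresolved ones show 00:00:00:00:00:00)."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        m = ARP_LINE.match(line.strip())
        if m and m.group("mac") != "00:00:00:00:00:00":
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_anomalies(previous, current, gateway_ip):
    """Compare two {ip: mac} snapshots and return human-readable warnings."""
    warnings = []
    old_gw, new_gw = previous.get(gateway_ip), current.get(gateway_ip)
    if old_gw and new_gw and old_gw != new_gw:
        warnings.append(f"gateway {gateway_ip} MAC changed {old_gw} -> {new_gw}")
    by_mac = {}                                 # one NIC answering for many IPs
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            warnings.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    return warnings

# Constructed snapshots: in AFTER the host at .23 (MAC bb:...) has taken over the gateway IP.
BEFORE = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:aa:aa:aa:aa:aa     *        eth0
192.168.1.23     0x1         0x2         bb:bb:bb:bb:bb:bb     *        eth0
"""
AFTER = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         bb:bb:bb:bb:bb:bb     *        eth0
192.168.1.23     0x1         0x2         bb:bb:bb:bb:bb:bb     *        eth0
192.168.1.50     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

if __name__ == "__main__":
    for w in find_anomalies(parse_arp_table(BEFORE), parse_arp_table(AFTER), "192.168.1.1"):
        print("WARNING:", w)
```

A static ARP entry for the gateway, or a switch with dynamic ARP inspection, is the fix once such a warning appears; the script only tells you that the address mapping moved.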

Do you have to go via a proxy server to reach the internet? That proxy can see your traffic and so any admin on that machine could see it.

Are you at home sharing your network with flatmates? They might be able to see your traffic.

The traffic between your router and your ISP is probably secure (e.g. encrypted under the DOCSIS cable modem standards, or carried on dedicated lines), but is your router or cable modem itself secure? A lot of home routers have security holes or backdoors, some as simple as a default admin password combined with an admin interface exposed to the internet.

The server you talk to also has some of these endpoint risks… but the major players (Google, Microsoft, Twitter, Facebook, etc.) work hard to ensure their links to the ISP are secure. Small self-hosted websites (like this one!) may be at risk (do I trust Linode or Panix not to break my traffic?).

Then there’s the really big risk case… free public WiFi. You might think that it’s nice to be able to go to Starbucks and use their WiFi. But are you using their WiFi? Or someone else’s WiFi that pretends to be the Starbucks access point?

This WiFi risk is, in my opinion, the greatest of the MITM attack vectors. You can be sitting, sipping your coffee, and have all your internet traffic inspected. Passwords you type in might be taken. And all this is automatic. It doesn’t require “l33t hax0r sk1llz”; you won’t see a dingy, drugged-out looking guy furiously typing on his keyboard; it’s invisible.

So how do I defend myself?

Ensure your router is secure; disable any external admin interfaces, change default passwords, apply the latest firmware.

Encrypt your traffic where possible.

  • If you go to a website, get into the habit of typing https:// in front of the URL. Perhaps consider a tool such as HTTPS Everywhere to help with this.

  • If you have configured your mail client to connect via IMAP or POP then make sure the “use encryption” options are ticked.

  • If you use a chat application then turn on encryption (ideally full end to end encryption, if supported, but even encryption between you and the chat server is better than no encryption).

Do not let your machine connect to public WiFi points automatically; yes, it’s nice to say “automatically connect to Starbucks” but this allows people to create a fake Starbucks access point anywhere and your phone may connect to it, even while still in your pocket, and any unencrypted communication may be stolen… even when you’re nowhere near a Starbucks!

If you can, consider using a VPN. This can automatically encrypt all your traffic. Even with https and encrypted connections a MITM attacker may still be able to learn some information (e.g. you did a DNS lookup of www.myexamplebank.com; it’s possible that’s who you bank with!). A VPN can hide even this information from anyone sitting between you and the VPN endpoint.

Use a unique password for every site; even if you’ve tried hard to protect against MITM attacks, some information may leak out. If someone manages to steal your Facebook password then they can’t use it to log in to your bank. A password manager like 1Password can help here by generating complicated unique passwords. (This is a good thing to do anyway, for more than just MITM reasons!) Personally, I use KeePass in its various forms.

Anything else?

I’m sure I’ve missed out some other ways MITM attacks can happen, and ways we can defend ourselves. Please drop me a comment if you have any advice that can be added!