Cybersecurity — P8: Man-in-the-Middle Attack

Cut out the silent middle-man

The man-in-the-middle attack is an aptly named attack. The network traffic is routed through the attacker's machine, and the attacker can see any unencrypted data as it passes through.

How does man-in-the-middle attack work?

The Man-in-the-Middle attack works by having the attacker inject their machine between two devices that are communicating with each other. Those two devices will send all of their packets to the attacker’s machine and the attacker will usually route the communication to the destination machine after sniffing out the contents of those packets.

ARP (Address Resolution Protocol) Poisoning

In a typical network, devices communicate with each other. They know the other device's IP address, but an IP address alone doesn't tell them where on the local network the other device is. For example, let's say that a device like a laptop is trying to communicate with a router. To reach the router on the local network, the device needs the router's MAC address. The MAC address is the physical (hardware) address of the device.

The device will first look in its internal ARP cache to see if it already holds a MAC address for the IP address it wants to reach. If the device cannot find a matching MAC address, it sends out a broadcast on the network asking all devices for the MAC address belonging to that IP address. The device that owns the IP address, in this case the router, responds with its MAC address. As soon as the MAC address is received, communication between the two devices can occur. The device then stores the IP-address-to-MAC-address association in its ARP cache.

How does the poisoning work in this instance? A device we'll call Attacker is connected to the network along with the router and another device, which we'll call Victim. The Attacker first contacts the router and states that its IP address is that of the Victim. It then contacts the Victim device and states that it's really the router. The Attacker device is now between the router and the Victim device. Any time the Victim sends data to the router, it's actually sending it to the Attacker device. The Attacker device grabs all of the network traffic and forwards it to the actual router. When the router responds, it sends the reply to the Attacker device, which again has access to the data. The Attacker device then sends the data back to the Victim.

Once the poisoning is in place, software like Wireshark can be used to sniff all of the network traffic.
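The poisoning pattern described above leaves a fingerprint a passive monitor can catch: an IP address whose MAC binding suddenly changes, and a single MAC that announces more than one IP (the Attacker claiming to be both the router and the Victim). The following detector is an added example, not code from the original post; the ARP replies, IP addresses and MAC addresses are constructed sample data.

```python
"""Passive ARP-spoof detector replayed over a constructed ARP-reply capture."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float        # capture time in seconds (constructed)
    sender_ip: str   # IP address the reply claims to own
    sender_mac: str  # hardware address carried in the reply


# Constructed capture: legitimate resolution first, then the poisoning phase
# from the text, where one MAC claims both the router's and the Victim's IP.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # router (legitimate)
    ArpReply(0.5, "192.168.1.20", "bb:bb:bb:bb:bb:20"),  # Victim (legitimate)
    ArpReply(5.0, "192.168.1.1", "cc:cc:cc:cc:cc:99"),   # Attacker "is" the router
    ArpReply(5.1, "192.168.1.20", "cc:cc:cc:cc:cc:99"),  # Attacker "is" the Victim
]


def detect_arp_spoofing(replies, trusted=None):
    """Return alert strings for suspicious IP/MAC bindings.

    trusted: optional {ip: mac} table of known-good bindings (e.g. the gateway),
    seeded into the cache so a spoofed gateway is caught on the first reply.
    Heuristic 1: an IP whose MAC differs from the first (or trusted) binding.
    Heuristic 2: one MAC that accumulates more than one IP address.
    """
    alerts = []
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for r in replies:
        mac = r.sender_mac.lower()
        prev = ip_to_mac.get(r.sender_ip)
        if prev is None:
            ip_to_mac[r.sender_ip] = mac          # first sighting: learn it
        elif prev != mac:
            alerts.append(f"t={r.ts:.1f} {r.sender_ip} changed {prev} -> {mac}")
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(r.sender_ip)
        if len(mac_to_ips[mac]) > 1 and len(mac_to_ips[mac]) > before:
            alerts.append(f"t={r.ts:.1f} {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES):
        print(line)
```

Legitimate rebinds do happen (DHCP lease changes, gateway failover), so in production the `trusted` table is where known-good bindings for the gateway and servers are pinned to cut false positives.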

WiFi Eavesdropping

Mike visits a place that offers free WiFi. He creates a hotspot that users can connect to. He also starts running his network sniffer. Jeff connects to Mike's hotspot and visits a few HTTPS-enabled websites. As long as he keeps visiting secure websites, the network sniffer will not be able to pick up unencrypted data. As soon as Jeff visits a website that's unencrypted, the network sniffer picks up all network traffic going back and forth, including any usernames and passwords that might have been entered.

What makes this particularly scary is that a user might have connected to a legitimate free WiFi network before. If the user’s device is set to “auto-connect” to a previously visited network, it will connect to a malicious WiFi network that has the same name as the non-malicious one.

How to detect a man-in-the-middle attack?

Detecting MITM attacks can be notoriously difficult. If you're experiencing constant network disruptions, it could be a symptom of a MITM attack. Look out for strange addresses in your browser's address bar and fake certificates, since these are commonly sent by the attacker to trick you into entering your legitimate data or downloading malware.

Packet inspection using network monitoring tools is something that businesses should look into. Certain MITM detection systems can be put in place to disrupt MITM attacks, often by feeding fake information to the attacker.

Best practices to prevent man-in-the-middle attacks

The first one is simple. Do not connect to networks that you do not know, and be careful connecting to networks that you do know. Connecting to free WiFi networks is asking for trouble.

If a connection is made out of necessity, make sure that you only visit websites over the HTTPS protocol. Your data will still pass through the hacker's machine, but at least it will be encrypted.

Using a secure VPN can help. The tunnel is encrypted and all traffic is routed through that tunnel. If you need to use another network, a VPN is highly encouraged.
