Welcome to the third article in the series looking at introductions to cyber security. This time we’ll be looking at a type of attack which most people will be familiar with in principle, if not in technical practice.
The basic idea is simple – an attacker sits between two trusting parties, intercepting their communication and impersonating each to the other. Obviously this is somewhat harder in practice where people are, for example, sitting in a room together, but even a phone call gives potential for an eavesdropper or impersonator.
Becoming the man in the middle is harder with some technologies than others and hinges on somehow sitting in the middle of the connection. With computers talking over a local network a technique called ARP spoofing makes this relatively easy: the attacker sends forged ARP replies so that each side maps the other’s IP address to the attacker’s MAC address, both then send their traffic to the attacker’s computer rather than to each other, and the attacker quietly forwards it on so nothing appears to be wrong. Encryption on its own doesn’t fix this. If the two ends never check who they are exchanging keys with, each of them will happily negotiate a session key with the attacker while believing it is talking to its intended partner, and the attacker can decrypt, read, and re-encrypt everything that passes through.
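To make the mechanism concrete, here is an added example (not code from the original article or from any real tool) that builds the forged ARP replies an attacker sends to poison two caches, and runs an arpwatch-style detector over them. The packets are constructed in the script, not captured, and every address is made up.

```python
"""Forged ARP replies and a first-seen-baseline detector.

Added example for this article, not code from the original post or from
any real tool. The packets below are constructed with build_arp_reply(),
not captured from a network, and the addresses are made up.
"""
import struct
from collections import defaultdict

# Ethernet/IPv4 ARP packet: hw type, proto type, hw len, proto len, opcode,
# sender MAC, sender IP, target MAC, target IP (28 bytes in total).
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build the ARP payload an attacker (or a genuine host) would send."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(payload):
    """Decode an ARP payload into a dict of printable fields."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": op,
        "sender_mac": ":".join(f"{b:02x}" for b in sha),
        "sender_ip": ".".join(str(b) for b in spa),
        "target_mac": ":".join(f"{b:02x}" for b in tha),
        "target_ip": ".".join(str(b) for b in tpa),
    }


GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:01", "192.168.1.1"
VICTIM_MAC, VICTIM_IP = "00:11:22:33:44:20", "192.168.1.20"
ATTACKER_MAC = "aa:bb:cc:dd:ee:ff"

# Constructed traffic, in the order it was "seen": two genuine replies, then
# the attacker poisoning each side's cache so both map the other's IP to the
# attacker's MAC, and then a repeat to keep the poisoned entries fresh.
SAMPLE_PACKETS = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # "I am the gateway"
    build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # "I am the workstation"
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]


def detect_arp_spoofing(packets, baseline=None):
    """Return alert strings for replies that contradict the IP->MAC baseline.

    The baseline is whatever was seen first for each IP (the arpwatch
    approach), or a dict you supply from a known-good inventory. A second
    check flags any MAC that has answered for more than one IP, which is
    exactly what impersonating both ends of a conversation looks like.
    """
    baseline = dict(baseline or {})
    ips_by_mac = defaultdict(set)
    alerts = []
    for raw in packets:
        pkt = parse_arp(raw)
        if pkt["op"] != ARP_REPLY:
            continue
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        expected = baseline.setdefault(ip, mac)
        if mac != expected:
            alerts.append(f"{ip} claimed by {mac}, baseline says {expected}")
        ips_by_mac[mac].add(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} answered for {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_PACKETS):
        print("ALERT:", line)
```

Two caveats a practitioner would want: a replaced network card or DHCP handing an address to a different machine also changes the mapping, so an alert is a prompt to investigate rather than proof of attack; and the detector only works if it can actually see the replies, which on a switched network means a mirror port or running it on the hosts themselves.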
The restrictions are that the attacker must somehow have access to the network between two people, and be able to successfully impersonate them. Where they need to, for example, access an office and plug a computer in there are obvious physical security methods that will help to prevent this (though not guarantee it). Sadly, more and more technology relies on wireless networks instead, where an attacker simply needs to have a malicious node within range, and even where wireless networking isn’t used the tools needed to perform a man in the middle attack are easily and cheaply available.
The WiFi Pineapple is probably the most famous of these, particularly after its alleged use by GRU intelligence units to break into the networks of the World Anti Doping Agency, a nuclear energy company in Pennsylvania, and the Organisation for the Prohibition of Chemical Weapons. You can get hold of the cheaper, smaller WiFi Pineapple shown here for around $100. With a mobile phone and an appropriate USB cable it’s perfectly possible to then sit in Starbucks, stand up a rogue access point, and intercept the network traffic of everyone around you whose device connects to it.
Another popular tool, more for cabled networks, is the LAN Turtle shown here. Essentially it’s plugged into a computer’s USB port, a network cable is plugged into it, and unless it’s discovered the attacker then has their own hostile computer on the network – almost invisible unless some form of network access control or rogue device detection is in place. Available on Amazon for about $50.
Of course neither of these will help with mobile phone networks – for that a Stingray device, for years a closely guarded secret, is more effective. A professional Stingray comes with all sorts of restrictions, and high pricing. Building a basic version of your own involves some knowledge, a laptop, about $20 of parts (available on Amazon), and half an hour of time.
Finding and Beating the Man in the Middle
There are ways to beat the man in the middle, of course. Website certificates are becoming more common every day and go a long way towards at least warning users – though it’s far too common for people to simply click through and ignore the security warnings now built in to most browsers. An attacker can put up their own false certificate, which the browser will reject with a warning unless the attacker has somehow obtained one from a certificate authority the victim’s browser trusts, or can strip encryption out of the equation entirely by serving the victim a plain HTTP version of the site (a downgrade that HSTS prevents, where a site has enabled it). So it’s important that training on how website certificates work, what to look for, and what errors mean, is made available. In theory at least a certificate is only issued to people who can prove that they control the website it’s used for, and mostly this theory holds true.
A first check is to make sure the certificate is valid – normally you will be warned if it isn’t.
You can see that the certificate was issued to the site it’s being used for – it’s now down to whether or not you trust that the issuer checked who they were granting it to, and that no one has managed to steal the issuer’s signing key.
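The three things the screenshots above are checking by eye (is the certificate for this site, is it within its validity dates, do we trust who issued it) are the same checks a browser makes automatically. The added example below, which is not code from the original article, spells them out. The certificate is a constructed dict in the shape Python’s ssl.SSLSocket.getpeercert() returns rather than a real certificate, and the issuer check is a simple lookup against a list of trusted CA names standing in for the signature verification a browser performs over the whole chain.

```python
"""The browser's certificate checks, spelled out.

Added example for this article, not the original post's code. The
certificate below is a constructed dict in the format Python's
ssl.SSLSocket.getpeercert() returns, not a real certificate, and the
issuer check is a simple lookup against a list of trusted CA names that
stands in for the signature verification a browser does over the chain.
"""
import ssl


def dns_name_matches(pattern, hostname):
    """RFC 6125-style matching: case-insensitive, wildcard only as the whole
    leftmost label, matching exactly one label, and never as '*.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def names_in(cert):
    """Only subjectAltName DNS entries count; browsers stopped falling back
    to the subject commonName years ago."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def issuer_of(cert):
    """Flatten the nested issuer tuples into a plain dict."""
    return {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}


def check_certificate(cert, hostname, trusted_issuers, now):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not any(dns_name_matches(name, hostname) for name in names_in(cert)):
        problems.append(f"certificate is not for {hostname}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    issuer = issuer_of(cert).get("commonName")
    if issuer not in trusted_issuers:
        problems.append(f"issuer {issuer!r} is not trusted")
    return problems


# Constructed certificate (assumption: made up for this example).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example CA Ltd"),),
        (("commonName", "Example CA Root"),),
    ),
    "subjectAltName": (
        ("DNS", "www.example.org"),
        ("DNS", "example.org"),
        ("DNS", "*.cdn.example.org"),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
TRUSTED_ISSUERS = {"Example CA Root"}   # stands in for the browser's root store
MID_2024 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")
EARLY_2025 = ssl.cert_time_to_seconds("Feb  1 00:00:00 2025 GMT")


if __name__ == "__main__":
    for host, when in (("www.example.org", MID_2024), ("login.example.org", MID_2024),
                       ("www.example.org", EARLY_2025)):
        print(host, check_certificate(SAMPLE_CERT, host, TRUSTED_ISSUERS, when) or "OK")
```

Note what the wildcard rule does and doesn’t allow: `*.cdn.example.org` covers `static.cdn.example.org` but not `a.b.cdn.example.org` or `login.example.org`, which is why a certificate for one subdomain doesn’t let a man in the middle impersonate the rest of the site.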
Certificates aren’t so helpful if you’re concerned about a phone call or text message being intercepted though. Luckily there are a lot of solutions to provide encrypted calls, chats, and text messages, varying in price and trustworthiness. WhatsApp is one of the more popular ones, though there are some serious security concerns being raised around it.
My personal preference for both price (free) and effectiveness is a system called Signal (https://signal.org/), which works on Android and iPhone as well as desktop, provides end-to-end encryption for text messaging, and covers phone calls. One important feature provided is so-called ‘Safety Numbers’: a fingerprint derived from both parties’ keys, shown on both phones, which you compare in person or through some other channel to confirm that the key at the other end really belongs to the person you’re expecting. Anyone attempting to hijack the communication after a number has been verified would have to substitute their own key, so the number changes and Signal alerts you that it has. Of course, many others are also available.
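The following added example ties the two halves of the article together: why an encrypted connection is still hijackable when nobody checks whose key they got, and what comparing a safety number actually catches. It is not code from the original article and it is not Signal’s implementation: the Diffie-Hellman group is a toy chosen for readability (far too small to be secure, by assumption), and the fingerprint is a generic SHA-256 over both public keys rendered as digits, whereas Signal derives its real safety numbers differently. Only the shape of the attack and of the check is shown.

```python
"""Why encryption alone does not stop the man in the middle, and what a
safety-number comparison catches.

Added example for this article; it is not the original post's code and is
not Signal's implementation. The Diffie-Hellman parameters are a toy
(assumption: far too small to be secure) and the fingerprint is a generic
SHA-256 over both public keys; Signal derives its real safety numbers
differently. Only the shape of the attack and of the check is shown.
"""
import hashlib
import secrets

P = 2**127 - 1   # toy prime, NOT a safe choice for real use
G = 3


def keypair(private=None):
    """Return (private, public); a fixed private value is accepted for tests."""
    priv = private if private is not None else secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def fingerprint(pub_a, pub_b):
    """Safety-number style display: an order-independent hash of both
    identity keys as six groups of five digits, easy to read out loud."""
    material = b"".join(sorted(k.to_bytes(16, "big") for k in (pub_a, pub_b)))
    digest = hashlib.sha256(material).digest()
    groups = [f"{int.from_bytes(digest[i:i + 4], 'big') % 100000:05d}" for i in range(0, 24, 4)]
    return " ".join(groups)


def honest_exchange(alice_priv, bob_priv):
    a_priv, a_pub = keypair(alice_priv)
    b_priv, b_pub = keypair(bob_priv)
    # Each side computes the key from the public value it actually received.
    return {
        "alice_key": shared_secret(a_priv, b_pub),
        "bob_key": shared_secret(b_priv, a_pub),
        "alice_sees": fingerprint(a_pub, b_pub),
        "bob_sees": fingerprint(b_pub, a_pub),
    }


def mitm_exchange(alice_priv, bob_priv, mallory_priv):
    a_priv, a_pub = keypair(alice_priv)
    b_priv, b_pub = keypair(bob_priv)
    m_priv, m_pub = keypair(mallory_priv)
    # Mallory, already in the path (ARP spoofing, rogue access point, ...),
    # swallows each genuine public value and forwards her own in its place.
    alice_received, bob_received = m_pub, m_pub
    return {
        "alice_key": shared_secret(a_priv, alice_received),
        "bob_key": shared_secret(b_priv, bob_received),
        "mallory_with_alice": shared_secret(m_priv, a_pub),
        "mallory_with_bob": shared_secret(m_priv, b_pub),
        "alice_sees": fingerprint(a_pub, alice_received),
        "bob_sees": fingerprint(b_pub, bob_received),
    }


class SafetyNumberStore:
    """Remembers the number verified for each contact and flags a change,
    which is the warning the article describes."""

    def __init__(self):
        self.verified = {}

    def check(self, contact, number):
        if contact not in self.verified:
            self.verified[contact] = number
            return "new"
        return "ok" if self.verified[contact] == number else "changed"


if __name__ == "__main__":
    a, b, m = 123456789, 987654321, 555555555
    honest, attacked = honest_exchange(a, b), mitm_exchange(a, b, m)
    print("honest keys agree:      ", honest["alice_key"] == honest["bob_key"])
    print("under attack keys agree:", attacked["alice_key"] == attacked["bob_key"])
    print("Alice reads out:", attacked["alice_sees"])
    print("Bob reads out:  ", attacked["bob_sees"])
```

Under attack both ends still get a perfectly good encrypted session, just not with each other: Alice’s key matches Mallory’s, Bob’s key matches Mallory’s, and the two numbers read out over the phone no longer agree. That disagreement, not the padlock, is what the in-person comparison is for.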
Hopefully you’ve found this useful. Next time we’ll be looking at the supposed Internet of Things, smart devices, and how they can be turned against their owners.
The Man in the Middle – Intro to Cybersecurity Part 3
By: James Bore
James Bore is a cybersecurity ‘Jack of all trades’ by vocation and choice. In over a decade he has gathered experience meandering across a range of industry sectors, organizations, and disciplines in IT, always with a focus on championing and improving security. Currently, he works for an entertainment and hospitality company, and in rare spare time runs a blog on cybersecurity https://coffeefueled.org