There are many cyber threats out there. Usually, they’re motivated by money or political gain, but it can also be simple mischief. However, motivation is of little significance when your business is under attack. What matters most is containing the damage and preventing the next attack. As businesses are growing increasingly dependent on wireless and cellular connectivity, while data privacy regulations are mounting, preventing attacks is simply more cost-effective than recovering from them.
One of the oldest and most prevalent types of attacks is snooping, or their evolved version – Man-in-the-middle (MiTM) attacks. MiTM attacks leave our data, devices, and lives open to exploitation. This is increasingly critical in today’s world as more and more devices come online.
What are Man-in-the-Middle attacks?
Everything from our doorbells to our cars is connected and susceptible to MiTM attacks. Imagine someone suddenly taking control of your car while you are driving. Or someone tracking your location to ensure your home is empty when they break in to rob it while transmitting false data to your home security system.
On a larger scale, significant segments of the infrastructure that we rely on as a society today are also connected to the internet. This means that critical services like transportation, energy, and hospitals are at risk from malicious MiTM attacks that can cause disruption with catastrophic results.
In a MiTM attack, a signal between two parties is intercepted (the “man-in-the-middle”) and replaced with another, fraudulent signal.
MiTM attacks are nothing new. They have been around in some form or another for a long time. Technology has changed but the general principle remains.
A classic example of this is the Aspidistra Intrusion Operation from World War 2. During air raids, allied forces mimicked the broadcasts from German radio transmitters. They would wait until the signal was turned off and then would broadcast their own content on the same frequency (often pro-allied propaganda or other fake content that was meant to demoralize the Germans). Because they were able to do this without being detected, it seemed as though these broadcasts were coming from official sources.
Modern-day MiTM attacks are not much different. Hackers intercept the signals we send out with our phones or over the internet. They then piggyback on the existing connection to retrieve information and insert their own commands while masquerading as the legitimate user.
Why is defending against MITM attacks so challenging?
Just like they were in World War 2, modern MiTM attacks are designed to be covert and transparent. Users are tricked into thinking that everything is no different than it was the last time. Except that this time something is different and they have no way of knowing.
That’s what makes MiTM attacks so dangerous. End users can go about their business for days or even weeks without noticing that something is wrong. During that time, it’s almost impossible to know what data could be exposed–passwords, account data, business email access and more.
Detecting MiTM attacks is virtually impossible and often requires advanced knowledge of internet or mobile communication protocol and security practices.
MITM attack vectors
Perhaps the biggest challenge with MiTM attacks is that they aren’t limited to a single point of failure or communication protocol. They can affect any kind of signal being broadcast. This means anything connected to WiFi, cellular networks, and even Bluetooth is vulnerable to attacks.
Let’s take a closer look at how these attacks work.
- LAN / WiFi – WiFi networks, especially open public WiFi networks, are common places for MiTM attacks to occur as they’re often not very secure (to say the least). When these attacks happen over WiFi, hackers intercept communications and trick your computer. They can make it think it’s connected to an open connection (although it’s not) or you can be fooled into visiting a fake website that looks like the one you wanted but isn’t.
There are a few ways hackers can set up a MiTM attack over WiFi. Hackers can create fake access points that look and act like real ones that unsuspecting end users log into. Cheap packet sniffers can be picked up from Amazon to monitor packets being sent to and from computers. Sniffers can be used to inject malicious packets into the communications, giving them the ability to redirect traffic or alter messages.
A notable recent example was a group of Russian hackers APT 29 (also known as Fancy Bear) that used a Wi-Fi spoofing device to attempt to hack into the network of the office of the Organisation for the Prohibition of Chemical Weapons (OPCW) at The Hague.
- Bluetooth – Attacks on Bluetooth technology put nearly every aspect of our lives at risk.
Bluetooth is being used just about everywhere these days. It’s in our speakers, phones, computers, and even our cars.
A recently discovered exploit in Bluetooth called Key Negotiation of Bluetooth (KNOB) makes MiTM attacks easy for hackers. Bluetooth allows users to choose the level of encryption they want to use, anywhere from a 1-byte key up to a 16-byte key, with 1 being the easiest to crack and 16 being virtually impossible. KNOB intercepts the encryption signal and forces it to change from a 16-byte key down to a 1-byte key. Once this happens it’s possible for malicious hackers to launch a brute force attack to gain access to the device.
Though this type of attack has yet to gain popularity with most hackers, there’s no doubt that elite hacker groups are experimenting with it.
- Cellular – With cellular-connected devices, MiTM attacks spoof cell towers with devices like Stingrays. The thing that makes these attacks particularly notable is that they rely on a technology that is also used by law enforcement in some jurisdictions.
These fake base station simulators essentially dupe mobile devices into thinking that they’re connected to a real cell tower. The reality is that the spoofing device allows the attacker to monitor all texts and phone calls your phone is making.
Stingray devices and cellular MiTM attacks are a popular tool in the hands of government-supported hacker groups and covert espionage operations. In February 2020, Ukrainian cyberwarfare experts reported that Russian forces may be using IMSI-catchers to broadcast SMS messages with pro-Russian propaganda. This is not the first time, either. Similar reports of fake cell towers as part of Russian cyber-warfare tactics have been circulating since 2017.
Preventing MiTM attacks – a layered approach
Considering the sheer volume of information that can be found on connected devices, especially those used for work as part of a bring your own device policy, or those connected to critical infrastructure platforms, preventing MiTM attacks is critical.
There are four key components to an efficient MiTM attack prevention strategy:
- Awareness & Education – Human error is responsible for a high percentage of cyberattacks like MiTM attacks. People unknowingly click a bad link or use their login data on a compromised site, giving hackers access to all their data. To avoid this, education is critical, especially in business. Ensuring that employees know the basic principles of preventing cyber attacks in general, and MiTM attack in specific can save a lot of time and money.
Simple things like instructing employees to avoid public wifi networks or teaching people what a phishing email looks like can go a long way in preventing these attacks. Holding regular security sessions to keep staff up to date on issues and requiring frequent password changes are just a few of the easy steps that you can take to stay safe from MiTM attacks.
- Encryption & VPNs – Using encryption on all devices that contain valuable information and using virtual private networks (VPNs) when connecting to public networks adds an extra layer of protection from MiTM attacks.
VPNs create a secure and encrypted channel for data that is transmitted over the internet from a device or a network. Used for many years, VPNs for remote workers act as protected pipelines for all data that passes through them, making them highly effective against MiTM attacks.
- Firmware & Software Update Policy – One of the ways MiTM hackers gain access to systems is by exploiting outdated software and firmware on the system. Having a policy in place that keeps these updated at all times helps seal potential points of MiTM access.Up-to-date systems have all the current security patches for known problems and make it harder for hackers to gain access. The same should be done for routers, IoT devices, and other hardware and software connected to your network. Even a single point of failure like a connected lightbulb with an outdated firmware version can put your entire network at risk.
- Cellular Connection Security – Keeping cellular-connected devices secure can be a challenge, especially with the sheer amount of change that happens in the industry regularly. With 5G technology gaining wider adoption, being able to protect against threats like Torpedo attacks and Stingray devices is critical. Using IMSI catcher protection reduces the risk across an entire organization by providing complete coverage for all connected devices, no matter what cellular network they connect to or where.
How does cellular network level protection work?
Be proactive, rather than reactive
The key to preventing MiTM attacks is to make sure that you have a comprehensive plan in place to seal off as many of the possible weak points as you can.
Staying ahead of an attack with a mix of education and proactive security policies can help ensure that your organization doesn’t have to deal with the fallout from an attack. This is essential in an age where even small data breaches come with huge fines of upwards of €10 million (bigger breaches are up to €20 million) – something that a lot of companies would struggle to recover from. Having a “wait and see” approach doesn’t work when your business goes under.
Protect people, IPs and devices from SS7 attacks with FirstPoint
FirstPoint provides unique network level protectionContact Us