[Image: An illustration of a Man-in-the-Middle attack. Courtesy of X Services]

Sitting at home drinking a cup of coffee on a crisp late-November morning, a man opens his Web browser. He surfs the Web for a few minutes, reading news stories and checking out Facebook. He does some online banking as usual, transferring some funds to and from different accounts, paying credit card and utility bills. Sipping his now lukewarm coffee, the man logs off and closes his laptop, none the wiser to the Man-in-the-Middle attack that just hit him.

Man-in-the-Middle attacks are not a new threat, but Renesys, an Internet data analytics group, recently published a report noting an “uptick in route hijacking with traffic redirection,” dubbing it “the new threat.” Here’s how it works. When someone opens a webpage, data travels from the ISP’s server to the website’s host server and back, calling up the website for view. An MITM attack interposes a third computer between the ISP’s server and the website’s host server, filtering the traffic that passes between the two.

The MITM computer can do a number of things with this information. It can simply skim the info, reading and downloading the data for intelligence collection. It can hijack the traffic and send it across the earth to another computer in Moscow or Belarus (as indicated in Renesys’ report) before sending it back. It can interrupt the traffic and replace the requested website with one of its own liking; the implications can range from minor to severe, from redirecting the user to an advertisement site to redirecting him to a false bank site made to look identical to the requested one. Or it can simply steal seemingly secure data, allowing the hijacker to commit identity theft.

And we all know what these hackers look like: Donning stark white Guy Fawkes masks and spouting out Anonymous rhetoric and hyperbole, they claim to believe in freedom of information and they did it for the LOLs. But they may not be the ones to really worry about. The National Security Agency also has been using MITM attacks to monitor citizens and foreign interests alike.

In early September it was reported that Brazil’s President Dilma Rousseff had been targeted by the NSA, something neither she nor the Brazilian government was pleased about. In October, it was revealed that the NSA was also MITM-ing anonymous users of the Tor network. Exploiting a security flaw in Mozilla’s Firefox, the NSA was able to infect Tor users through a system called FoxAcid, allowing it to eavesdrop on the “anonymous” user. All of this was possible through sophisticated MITM attacks and partnerships with telecom companies.

While partnerships with companies like Verizon have been documented, the NSA and the UK’s equivalent GCHQ are even using MITM attacks against huge companies like Google, “the French Ministry of Foreign Affairs and SWIFT, a financial cooperative that connects thousands of banks and is supposed to help ‘securely’ facilitate banking transactions made between more than 200 countries,” according to Renesys.

The simple solution to blocking these Man-in-the-Middle attacks is cryptographic protocols like Transport Layer Security and Secure Sockets Layer. TLS and SSL have become ubiquitous protocols throughout the Internet in the form of the "https" website prefix. But most public websites forgo the extra security because of licensing fees and longer download times, since every file is encrypted through the TLS/SSL protocol, and neither protocol is universally browser-supported. While the login pages of most bank sites are secured "https" sites, some home pages are still unsecured "http" addresses.

However, methods like FoxAcid circumvent the TLS/SSL protocols and allow the NSA and others to keep collecting information from within the shadows. Still, according to the Renesys report, there is one surefire way of knowing about these attacks: more transparency. According to the report, “you cannot carry out this kind of hijacking without leaving permanent, visible footprints in global routing that point right back to the point of interception.” It says these attacks are still happening because most perpetrators believe that MITM attacks are not being looked for, and right now that’s true.
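As an added illustration of the “visible footprints in global routing” the report describes (example code written for this page, not from Renesys or the article), here is a small Python checker that compares observed BGP announcements against the origin AS numbers an operator expects for its prefixes, flagging an unexpected origin or a more-specific prefix that would pull traffic away. The prefixes, AS numbers and announcements are constructed sample data, and the expected-origin table is a hypothetical stand-in for an operator’s own records or RPKI ROAs.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical monitoring table: prefixes an operator cares about and the
# origin AS numbers allowed to announce them. Constructed sample data with
# documentation prefixes and made-up AS numbers, not real routing state.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/23": {64501, 64502},
}

@dataclass
class Announcement:
    prefix: str      # announced prefix in CIDR notation
    as_path: list    # AS path as seen at a collector; last element is the origin

def covering_prefix(prefix):
    """Return the monitored prefix that contains `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    for monitored in EXPECTED_ORIGINS:
        mnet = ipaddress.ip_network(monitored)
        if net.version == mnet.version and net.subnet_of(mnet):
            return monitored
    return None

def classify(ann):
    """Label one announcement: 'ok', 'origin-mismatch', 'more-specific'
    or 'unmonitored'. A more-specific wins longest-prefix matching, so
    even one from a legitimate origin deserves a look."""
    monitored = covering_prefix(ann.prefix)
    if monitored is None:
        return "unmonitored"
    if ann.as_path[-1] not in EXPECTED_ORIGINS[monitored]:
        return "origin-mismatch"
    if ann.prefix != monitored:
        return "more-specific"
    return "ok"

def find_suspicious(announcements):
    """Return (prefix, path, label) for every announcement worth reviewing."""
    labelled = [(a.prefix, a.as_path, classify(a)) for a in announcements]
    return [t for t in labelled if t[2] in ("origin-mismatch", "more-specific")]

SAMPLE = [  # constructed sample announcements, as a route collector might see them
    Announcement("203.0.113.0/24", [64510, 64500]),          # expected origin
    Announcement("203.0.113.0/25", [64510, 64520, 64666]),   # more-specific, wrong origin
    Announcement("198.51.100.0/23", [64510, 64502]),         # expected origin
    Announcement("192.0.2.0/24", [64510, 64530]),            # not monitored
]

if __name__ == "__main__":
    for prefix, path, label in find_suspicious(SAMPLE):
        print(f"{label:16} {prefix:18} path={path}")
```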

While speculations about the danger of MITM attacks vary wildly, this particular issue isn’t going away anytime soon. Renesys states fairly clearly that Man-in-the-Middle attacks have “now moved from a theoretical concern to something that happens fairly regularly, and the potential for traffic interception is very real,” leading to the potential for much, much worse.