What is a Man in the Middle Attack?

2 November 2015

Dave Piscitello

In addition to the U.N. six languages, this content is also available in


Many years ago, your local telephone service may have been shared among you and many of your neighbors in what was called a party line. This shared configuration had two characteristics. If you wanted to place a call, you had to wait until the circuit was idle, i.e., all the other parties on the shared circuit weren’t also trying to place calls. More disturbing, however, was that other parties on the shared circuit could listen in on, join in (welcomed or not), or disrupt any conversation.

Ethernet and WiFi share these same characteristics, and an important reason why everyone is encouraged to use encryption is to prevent the forms of eavesdropping common to shared media or party lines.

Eavesdropping is one of several kinds of attacks we call man in the middle attacks. Each man in the middle or MITM attacks involves an attacker (or a device) that can intercept or alter communications between two parties who typically are unaware that the attacker is present in their communications or transactions. Let’s look at two examples of Internet MITM attacks.

The first is called an Evil Twin Access Point attack. When you attempt to connect to a wireless network, your Wi-Fi devices will try to “associate” with a nearby access point (AP). Attackers can use software to turn an ordinary laptop into an access point, and then will use the name of an access point you may recognize or trust so that you or your device will connect to this “evil twin” rather than the “good one” (Original series Star Trek fans will recall the episode “Mirror, Mirror”. Once your device connects to the evil twin AP, the attacker can intercept your company login or credit card information, and he may connect you to the site you intended to visit to perpetuate the deception. The attacker may redirect you to fake web sites, mail servers or other sites where you might unsuspectingly enter personal information or download additional malicious software. (Note: Lisa Phifer offers two excellent technical articles on evil twin AP attacks here.)

The other is called a Man-in-the-browser attack (MiTB). Imagine all the mischief an attacker might make if he could sit “inside” your browser and read or modify what you type or what a website sends to you. Sadly, attackers have gone beyond imagining such scenarios. MiTB attacks make use of a proxy Trojan horse, software that inserts itself between your browser and a web server, typically during a financial transaction or an e-merchant purchase. The attacker can use the proxy Trojan, which is a keylogger, rootkit, a malicious browser helper object or a plug-in, to steal your banking credentials, alter amounts of transactions, or make additional transactions, often during your banking or merchant session.   

Encryption or antivirus software can help, but your best defense against evil twin APs is to exercise caution when connecting to free or unsecured WiFi networks. To protect against MiTB attacks, consider using an anti-keylogger or rootkit detection software, but keep in mind that such malware are commonly delivered via phishing emails or drive-by downloads from sketchy or compromised web sites, so stop and think before you visit sites or open hyperlinks in email messages.

Dave Piscitello