Are "man in the middle" attacks extremely rare?

Question

In "Some thoughts on the iPhone contact list controversy and app security", cdixon blog

Chris Dixon makes a statement about web security

Many commentators have suggested that a primary security risk is the fact that the data is transmitted in plain text. Encrypting over the wire is always a good idea but in reality “man-in-the-middle” attacks are extremely rare. I would worry primarily about the far more common cases of 1) someone (insider or outsider) stealing in the company’s database, 2) a government subpoena for the company’s database. The best protection against these risks is encrypting the data in such a way that hackers and the company itself can’t unencrypt it (or to not send the data to the servers in the first place).

I am wondering if there is any cold, hard, real world data to back up that assertion -- are "man in the middle" attacks actually rare in the real world, based on gathered data from actual intrusions or security incidents?

If such data exist, wouldn't it probably be much higher dark figures? I can imagine that many companies would not report such attacks. — daramarak, Feb 22 '12 at 19:42
I recently asked a SO question related to this. http://stackoverflow.com/questions/8829507. I ended up setting up a SSL cert for the website in question to be on the safe side, but I had doubts as to whether it will ever prevent an attempted MIM attack. — jessegavin, Feb 22 '12 at 19:43
Didn't the Iran use MITM in combination with fraudulent certs to observe its peoble? — ordag, Feb 22 '12 at 19:57
@ordag - [Yes](https://www.eff.org/deeplinks/2011/09/post-mortem-iranian-diginotar-attack). "The [official report on the attacks from Fox-IT](http://www.rijksoverheid.nl/ministeries/bzk/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html) includes data from DigiNotar that suggests that over 300,000 (primarily Iranian) Internet users may have been had their communications intercepted". — leedm777, Feb 22 '12 at 20:21
The original comment from Chris Dixon is confused. The big problem on the web today is eavesdropping not man-in-the-middle attacks. Said another way, the problem is that someone eavesdrops and figures out your Gmail/Hotmail/Yahoo! credentials then uses that to send spam behind your back not that they pretend to be Gmail/Hotmail/Yahoo! and you think you're sending an email but really you're typing your message on the attacker's server. — Dare Obasanjo, Feb 22 '12 at 20:34
See also [MITM attacks - how likely are they?](http://serverfault.com/q/152921) on [sf] — Gilles 'SO- stop being evil', Feb 22 '12 at 20:55
For what it's worth, my employer does a MITM attack on us. They use it in order to monitor our email and prevent us from sending attachments. — user606723, Feb 22 '12 at 22:04
It's common enough to be official government policy of the most populous country in the world ... — jupp0r, Feb 23 '12 at 08:57
The Danish single sign-on solution NemID with two-factor authentication for banks and public home pages has recently been compromised by attacks on two banks involving a non-trivial financial loss. The attack was basically a MITM attack where the unsupecting victim was tricked into authenticating against the hacker either via a phishing site or by being infected by malware. The hacker would in real time use the authentication information to access the bank account. — Martin Liversage, Feb 23 '12 at 09:36
It only takes once if it happens to you. These attacks tend to target specific targets rather than what ever is on the server. So the results tend to be more painful to the target(s) since there is usually a goal involved and a plan of attack. These plans are generally more intricate and harder to detect. And thus more dangerous. — Chad, Feb 23 '12 at 16:48
And even if it was extremely rare, that would just indicate that it was well-defended against, not that you don't have to worry about it. (Robberies may be rare in your neighborhood, but if you walk through the worst part of it at night fanning a stack of $100 bills, there will almost certainly be one more robbery than usual.) — David Schwartz, Feb 23 '12 at 20:27
As a percentage of the sum total of all interactions, attacks of *any* sort are extremely rare. As a percentage of attack against a given target... well that depends on the type of target. — tylerl, Feb 24 '12 at 06:08

score 105 · Answer 1 · edited Jun 16 '20 at 09:49

My favorite current resource for cold, hard, real world data is the Verizon 2011 Data Breach Investigations Report. An excerpt from page 69 of the report:

Actions

The top three threat action categories were Hacking, Malware, and Social. The most common types of hacking actions used were the use of stolen login credentials, exploiting backdoors, and man-in-the-middle attacks.

From reading that, I infer that it's a secondary action used once somebody has a foothold in the system, but the Dutch High Tech Crime Unit's data says it's quite credible for concern. Of the 32 data breaches that made up their statistics, 15 involved MITM actions.

Definitely don't stop there, though. That entire report is a gold mine of reading and the best piece of work that I've come across for demonstrating where threats are really at.

For fuzzier references to MiTM attacks and methods, see also this excellent answer to MITM attacks - how likely are they? on Serverfault.

I would go further in saying that any instance of a SSL root coughing up a bad cert is a sign of an attack, otherwise they'd be pretty useless compromises. Finally, because I'm that guy, I would definitely try to splice into your network box outside the building if I were doing your pentest. One can do amazing things with a software radio even on a wired connection.

Is there any way of detecting this attack? I have reason for concern with this so a semi-foolproof way for detecting this kind of breach would be very useful. — TigerCoding, Feb 23 '12 at 11:52
@Javy That's more than I can say in a comment. I suggest starting a new question: "Can I detect a MITM attack?" The brief answer is "sometimes with effort." — Jeff Ferland, Feb 23 '12 at 12:01

score 29 · Answer 2 · edited Jan 21 '13 at 15:23

The simple answer is no - there is a wide variety of evidence that this type of attack is common.

Some of the controls brought in by banks (two factor authentication etc) were in part required to combat the ever more common MITM attacks on customers.

While there are other forms of attack (compromise of client is a good one) which may now be easier to carry out through the use of malware to place a trojan on the client PC, MITM is still relatively easy in most cases.

The core fact to remember is that criminals tend to work on a good return on investment. The ROI for an attacker is very good:

low risk of being caught
low physical risk
some effort in coding the exploit can lead to real world monetary gain
the code can then be reused or sold to other criminals

As @CanBerk said, we aren't ever going to get any 'completely secure' protocols, but making life harder for criminals is a partial solution. MITM will not go away until it is made too difficult to be profitable.

BlueRaja - Danny Pflughoeft · Answer 3 · 2012-02-23T23:43:07.833

The recent compromise of certificate authority DigiNotar resulted in the issuance of over 500 fake certificates for google.com, microsoft.com, cia.gov, and hundreds of other sites. These certificates somehow made their way into 40 different Iranian ISPs, resulting in a massive man-in-the-middle attack, confirmed to have affected over 300,000 Iranian users over the course of several months.

The hacker(s) responsible - confirmed to be the same one(s) responsible for the prior attack on the CA Comodo - claims to have full access to five other CA's, though he (they) only named one of them.

So yes, Man-in-the-middle attacks are a very real threat, even today.

Note: To prevent these sort of attacks from happening to you, consider using a program/addon to track certificates for suspicious changes, like Certificate Patrol, or try one of the fancy new replacements for the certificate-authority model that everyone is talking about.

score 8 · Answer 4 · edited May 19 '12 at 01:18

This answer is mostly about Chris Dixon's statement more than answering "How many attacks are coming from MiTM".

If we assert the different way one could possibly become MiTM and the given consequences I think we can make up some conclusions of whether or not we care how prevalent MiTM attacks is.

If we look at some risks for the different situations we could have something like:

Someone stealing the database via exploiting the web application itself?
Someone attacking user/admin via MiTM attack

I would say the first has a much bigger impact (generally) and should in many ways be mitigated the most and treated the first.

So for point 2 to prevail over point 1 I think that MiTM would really have to be crazy wild for us to value it as high as a security obstacle as point 1 (As Chris denotes in the quote)!

Now if we see at the different attack vectors. First for MiTM. To become MiTM one could for example:

Own a rogue wireless access point. This is trivial, but for a targeted attack you would have to be in the same physical location of the victim using your webapp.
Sniff unencrypted wireless data or data coming through a HUB (they even exist anymore?)
Use ARP Poisoning to attack the users. Not trivial unless you are on the same network as the targeted users using your webapp.
DNS Cache Poisoning. For this to work you need to poison the DNS being used by the targeted users. If the DNS is not properly set-up this attack becomes somewhat trivial to perform, however there is a lot to rely on for this to work.
Phishing attacks. These still fool the unsuspecting and naive users, however a lot of the responsibility lies on the user.

All this for just attack one or a small subset of users. Even then, attacking these users will give them a warning in their browsers (there is ways to attack this as well, but I am not taking that up here). Only by compromising a root CA or by finding a flaw in the algorithm used to generate the certificates would you be allowed to pose as a trusted certificate issuer.

If we on the other hand look at all the potential nasty stuff that we can see if we don't invest in enough security of the webapp itself we see attack vectors like:

SQL Injection - trivial and easy to both exploit and discover. Very high damage impact.
XSS (Cross Site Scripting) - easy to discover, harder to exploit. I think we will see higher and higher user impact from this in the future. I foresee this is becoming the "new SQL Injection" trend that we have been seeing back in the days.
CSRF (Cross Site Request Forgery) - Moderate to discover, moderate to exploit. This would require users navigating to an already owned site, triggering a request to your webapp which would do a transaction on the behalf of the user.

So by just mentioning these few, but popular methods for both attacking webapp and becoming MiTM I would leave it up to a specific risk/consequence analysis of the specific given organization you are trying to secure, whether or not you should defend your users directly by implementing SSL or by defending the webapp as a whole (which also include intellectual property, user data, sensitive data, potential data that could breach other applications, and so on).

So in my humble opinion I very much agree with Chris Dixon's statement. Prioritize securing the webapp as much as you can before you start thinking of securing the transport layer.

Edit: On a side note: Pages like Facebook, Gmail and others were under heavy MiTM attacks during the wake of Firesheep. This could only be mitigated through SSL and awareness.

However if you think about it, sniffing wireless traffic with Firesheep and hijacking the sessions would require the wireless LAN you are connected to to not have any encryption.

When I go war-driving today it has dramatically decreased the number of open wireless AP's and also in the number of WEP enabled AP's. We keep seeing more and more WPA2 encrypted AP's which in most cases provide us with enough security.

Now what is the risk of someone creating a easy and convenient tool for sniffing and hijacking your users sessions? What is the impact for those users? It also could be mitigated in different ways (re-authenticating the user when coming from different footprints at the same time, notifying the user when something looks wrong (gmail is a good example of this)).

Yes, hubs exist, though I haven't seen them on typical networks yet. Imagine a testing lab where most of the users are blasé about security, administrators are blasé about web apps requiring that passwords or cookies be sent in the clear, hubs abound (for sniffing phones during testing—easier to set up than a switch with a mirror port), half the computers have two NICs, there's a publicly accessible patch panel, the lab is located in a shared building, and there are few access controls at the entrance. True story. I'd imagine there would be similar environments elsewhere. — pilona, Oct 16 '13 at 23:31

score 2 · Answer 5 · answered Feb 22 '12 at 21:10

It did not find any static or white paper that includes the real world data you wanted to have.

However, I would like to add that MitM attacks within companies happens daily and more than once. Several security vendors have solutions to scan encrypted traffic (for example, Palo Alto Networks) and at least the company I currently work for has activated this feature.

To do this, the firewall/proxy device is simply granted a certificate from internal Certificate Authority (CA) which is already trusted by all clients. When an application asks for a secure connection, the firewall/proxy device generates a new certificate for the target server on the fly and sent it to the client. Since the client trusts the internal CA, it also trusts the device certificate and will happily start a "secure" connection.

while that is man in the middle - it's a wee bit of a stretch to call it an attack... — Rory Alsop, Feb 22 '12 at 21:32
I guess this depends on your point of view. As they see data they are not supposed to, I would qualify this as an attack. But you are right, from the administrators view this is can help ensuring network security and thus is not qualified as an "attack". — Tex Hex, Feb 23 '12 at 20:12

score 1 · Answer 6 · answered Feb 22 '12 at 20:06

I agree with daramarak that it'd be quite hard to find real world data on MitM attacks. One reason for that is, MitM attacks are by nature usually targeted at individuals, whereas attacks like DDoS or SQL injection are usually targeted at companies, organizations, etc.

Therefore, while we see a DDoS/injection/whatever report almost every day, information regarding MitM attacks are usually academic (e.g. "Twitter was DDoS'd!" vs. "SSL is vulnerable to MitM")

However, it should be noted that "rare" does not necessarily mean "hard." Most MitM attacks are arguably much easier to pull than most other types of attacks, and many protocols we use everyday are vulnerable to such attacks in one way or another, simply because it's quite hard to devise a protocol that's completely secure against MitM. This is in fact the case for most security problems, most solutions are "best effort" as opposed to "completely and absolutely secure."

Therefore, I think the main reason that MitM attacks are less common is that usually there's no need/incentive to perform one.

score 0 · Answer 7 · edited Feb 25 '12 at 17:52

0

I'm pretty sure sniffing passwords on wireless networks is extremely commonplace. Just look at how many tutorials there are for it on the web from a simple Google Search or Bing search.

edited Feb 25 '12 at 17:52

Hendrik Brummermann

27,118
6
79
121

answered Feb 22 '12 at 19:43

Dare Obasanjo

109

4

Sniffing doesnt necessarily require MitM attacks. However intercepting SSL traffic does. I think jeff is more concerned with the later – tzenes Feb 22 '12 at 20:03
4

The problem is with codinghorror's question in the first place. Encrypting data via SSL is a good way to prevent eavesdropping which is a problem. A man-in-the-middle attack is an overly sophisticated attack whereas someone sniffing your email/Facebook/Twitter password over wi-fi is an attack that can be done by anyone with minimal technical skills with a off-the-shelf software. – Dare Obasanjo Feb 22 '12 at 20:19
2

I guess I don't see that as a problem with his question as much as a different question. – tzenes Feb 22 '12 at 20:50
Dare Obasanjo is addressing an issue brought up by Chris Dixon in the quote and not necessarily the question Jeff is asking. Chris Dixon is implying that being able to view clear text data as it goes between the source and destination is a MitM. I think a general word association (well... for me anyway) of a MitM attack is when someone intercepts and `alters` the data between source and destination. His implication is that viewing it is enough to be considered an attack. So if your ISP does any sort of packet inspection.. I guess he would consider that an attack. – Safado Feb 22 '12 at 21:06

score -1 · Answer 8 · answered Feb 22 '12 at 19:43

Well I guess if they were rare, nobody would compromise a CA, however we've seen a number of attempts and a few successes at this (suspects including Iran).

So I presume it has and will be done. Otherwise why would they bother compromising a CA. That's not the easiest task in the world. Why not directly attack your target?

That said, they may be rare. Anyone who compromises a CA is likely good enough to cover enough of their tracks so that we don't know the extent of their work. Truthfully I wouldn't put it past the US Government to have done the same thing domestically as well as overseas. I'd actually be surprised if they haven't. Supporting this is I can't recall ever reading that HTTPS got in the US Governments way. I do hear it periodically regarding Skype encryption, TrueCrypt or PGP disk encryption.

Funny how the OP asks for **cold, hard, real world data** and you start with *Well I guess*... — Konerak, Feb 22 '12 at 20:52

Are "man in the middle" attacks extremely rare?

8 Answers8

Linked