
This article was published on May 29, 2014

With Heartbleed as a wake up, what is a Man-in-the-Middle (MITM) attack?

Story by Zuk Avraham

Zuk Avraham is a world-renowned security researcher and the founder/CEO of Zimperium. Before Zimperium, Zuk served as a security researcher in the IDF and a white hat hacker at Samsung.

You grab your coffee, connect to the coffee shop’s Wi-Fi and begin working. You’ve done this a hundred times before. Nothing seems out of the ordinary, but someone is watching you. They’re monitoring your Web activity, logging your bank credentials, home address, personal email and contacts – and you won’t know it until it’s too late.

Today’s thief won’t steal your wallet out of your back pocket on the subway, but instead will use an arsenal of cyber-attack methods to secretly pry your information from you. While you’re checking your account information at your nearby coffee shop, a hacker will intercept the communication between your computer and the Wi-Fi network’s router, tracking your every move.

This method is known as a “man-in-the-middle” (MITM) attack and it’s just one of many weapons cyber-thieves use to steal from you.

The rise of data-stealing attacks

Many cyber-attacks are the result of thieves taking advantage of vulnerabilities that allow them to see your data in clear text. Even companies that millions of people trust to keep their personal information safe are vulnerable.

Just last March, the FTC charged Fandango and Credit Karma over mobile apps that had disabled SSL certificate validation, leaving them wide open to MITM: an attacker on the same network could present a forged certificate, and the apps would accept it and hand over users’ credit card details, social security numbers, home addresses, phone numbers, credit scores and more.

Apple’s recent “Gotofail” bug and Android’s VPN-bypass flaw reminded us that even the major operating systems make mistakes that put you at risk. Gotofail skipped the signature check on the server’s key exchange, so an attacker on the network could impersonate any HTTPS server to iOS and OS X clients; the Android flaw let traffic slip around an active VPN. Between them, these failures allowed attackers to read both users’ encrypted and unencrypted communications.

The recent “Heartbleed” bug (CVE-2014-0160) is probably the most discussed OpenSSL vulnerability to date. A missing bounds check in OpenSSL’s TLS heartbeat handler lets an attacker leak up to 64 kilobytes of memory per request from servers running the affected versions, and repeat the request as often as they like, exposing private information like passwords, session cookies, credit card information and the server’s private key.
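How that missing check leaks memory, as an added example that is not from the article and not OpenSSL’s own code: a Python model of the heartbeat handler before and after the fix. The record layout follows RFC 6520 (one type byte, a two-byte payload length, the payload, then padding); the “heap” buffer, the neighbouring session’s data in it and the two handler functions are assumptions constructed for illustration.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520 minimum padding, which OpenSSL appends to every response


def build_heartbeat(payload, claimed_len):
    """Heartbeat message: type(1) | payload_length(2) | payload | padding(16).
    claimed_len may differ from len(payload): lying here is the whole attack."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def vulnerable_handler(memory, start, record_len):
    """Models the heartbeat handler in OpenSSL 1.0.1 through 1.0.1f: it trusts
    the 16-bit payload_length sent by the peer and never compares it to the
    length of the record actually received (record_len is deliberately unused)."""
    _, payload_len = struct.unpack_from("!BH", memory, start)
    payload_start = start + 3
    # The bug: this copy runs past the end of the record into whatever happens
    # to sit next in the process heap, and echoes it back to the peer.
    echoed = bytes(memory[payload_start:payload_start + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def fixed_handler(memory, start, record_len):
    """The 1.0.1g fix: bound the claimed length by the record actually received."""
    if record_len < 1 + 2 + PADDING:
        return None                           # too short to be a heartbeat; discard
    _, payload_len = struct.unpack_from("!BH", memory, start)
    if 1 + 2 + payload_len + PADDING > record_len:
        return None                           # claimed payload does not fit; discard
    payload_start = start + 3
    echoed = bytes(memory[payload_start:payload_start + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def demo():
    # Constructed "heap": a 2-byte heartbeat that claims 70 bytes, followed by
    # another connection's data. None of this is real traffic or a real key.
    neighbour = b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n-----BEGIN RSA PRIVATE KEY-----"
    record = build_heartbeat(b"hi", claimed_len=70)      # 1 + 2 + 2 + 16 = 21 bytes on the wire
    memory = bytearray(record + neighbour)
    leaked = vulnerable_handler(memory, 0, len(record))  # echoes 70 bytes, 52 of them the neighbour's
    blocked = fixed_handler(memory, 0, len(record))      # None: the request is silently dropped
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable handler echoed:", leaked[3:-PADDING])
    print("fixed handler returned:", blocked)
```

The attacker never has to guess what lies beyond the record: whatever OpenSSL last freed or allocated nearby (request buffers, cookies, key material) comes back verbatim, and 64 KB per request with no limit on requests is enough to walk a large part of the heap.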

With the Heartbleed bug, by one widely cited estimate as much as 66 percent of internet sites (everything served by Apache or nginx builds using OpenSSL) were potentially affected, including many of the most popular 10,000 sites (Yahoo, Flickr, Pinterest and more). This bug makes MITM attacks far more dangerous. An attacker who has leaked a server’s private key can chain a MITM attack with it: terminating TLS with the site’s real certificate, the attacker presents a connection your browser accepts as genuine, so you see the padlock while your traffic is read in clear text. A stolen key also decrypts recorded sessions that used RSA key exchange rather than a forward-secret cipher suite, which is why affected sites had to revoke and reissue their certificates rather than just patch. Even when HTTPS is on (and users think their traffic is secure), that leaves you with absolutely no protection.

Beyond Heartbleed: Other methods of attack

Although high-profile vulnerabilities such as OpenSSL’s Heartbleed and Apple’s Gotofail made it easier for attackers to steal confidential data, most of the time, advanced hackers will choose other, more commonly available techniques.

For example, some cyber-thieves will remove your data encryption through SSL stripping: sitting between you and the site, the attacker talks HTTPS to the real server but rewrites every “https://” link and redirect to “http://” before it reaches your browser, so your side of the conversation travels in clear text. Others may exploit a client-side vulnerability, where hackers infiltrate your device through your browser. In both scenarios, once the attack succeeds, they can see everything you send between your device and the intended recipient, including usernames and passwords.

Even after vulnerabilities like Heartbleed have been patched, the MITM threat will remain due to the fundamental nature of how networks work. Techniques such as ARP spoofing or a rogue access point use the same protocol messages that legitimate gateways and access points send, so if an operating system vendor tried to block them outright, they’d break the way devices connect to legitimate networks – making the problem even worse.

Don’t kill the messenger, but I’m sorry to tell you: all IP-based devices are fundamentally vulnerable to MITM techniques.
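Because the attack traffic looks like ordinary protocol traffic, blocking it is not an option, but watching for its side effects is. As an added example (not from the article, and not Zimperium’s product), the following Python code takes ARP spoofing, one concrete technique that rides on normal protocol messages, and flags its two tell-tale signatures over a constructed list of ARP replies: an IP address whose MAC changes, and one MAC that suddenly answers for both the gateway and another host. The record format, the addresses and the severity labels are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed ARP replies as (seconds, sender_ip, sender_mac), the kind of
# record a passive sniffer on the Wi-Fi would produce. Not real traffic.
OBSERVED_REPLIES = [
    (0.0,  "192.168.1.1",  "aa:bb:cc:00:00:01"),  # the real gateway answering
    (5.0,  "192.168.1.20", "aa:bb:cc:00:00:20"),  # another laptop on the network
    (30.0, "192.168.1.1",  "de:ad:be:ef:00:99"),  # gateway IP now answered by a new MAC
    (31.0, "192.168.1.1",  "de:ad:be:ef:00:99"),  # the attacker keeps re-poisoning
    (32.0, "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC now also claims the laptop
]


def detect_arp_spoof(replies, gateway_ip):
    """Return (time, severity, message) alerts for ARP cache poisoning.

    Two signatures are checked: an IP whose MAC changes (HIGH if it is the
    gateway, since that puts the attacker on every host's default route), and
    one MAC answering for the gateway plus at least one other host, which is
    the two-sided poisoning a full MITM needs.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    reported_macs = set()
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((t, severity, f"{ip} moved from {prev} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        others = mac_to_ips[mac] - {gateway_ip}
        if gateway_ip in mac_to_ips[mac] and others and mac not in reported_macs:
            reported_macs.add(mac)
            alerts.append((t, "HIGH", f"{mac} answers for the gateway and {sorted(others)}"))
    return alerts


if __name__ == "__main__":
    for t, severity, message in detect_arp_spoof(OBSERVED_REPLIES, "192.168.1.1"):
        print(f"t={t:5.1f}s {severity:6} {message}")
```

Two caveats a practitioner would add: this needs raw packet capture on the wireless interface, which is exactly the root-level access a store-distributed antivirus app does not get, and a MAC change on the gateway address is not always hostile (router replacement, VRRP failover), so the HIGH alert is a prompt to verify, not proof of attack.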

A new industry: Advanced mobile attack protection

With the number of mobile devices set to exceed the number of people on Earth by the end of the year, it’s clear that mobile is the next frontier for cyber-attacks.

In addition to the number of devices, employees’ mobile work outside the enterprise’s own secured network is expected to explode by 2017: a Juniper Research report estimates that by then 60 percent of all mobile data traffic will be offloaded onto public networks. This shift to mobile and the rise of public, unsecured networks will contribute to a significant increase in the number of MITM attacks.

As a result, many people are turning to a familiar solution by installing antivirus (AV) apps to protect their mobile devices, but AV is not suited to the mobile architecture. A store-distributed app runs in its own sandbox and cannot monitor the device’s activities, other apps or the network stack without root access to the device operating system, which it does not have.

Also, traditional PC security approaches have unwanted impacts on the mobile device: slowing down the operating system, draining the battery and using extensive memory space. In addition, signature-based AV looks for known malware on the device and has no view of the network, so it cannot detect network scans or attacks such as MITM.

In order to solve this problem, you will not be able to reuse an old approach on a new problem – it requires a new and better mousetrap.

How to protect yourself from MITM


Both individuals and organizations can take various steps to secure their devices and networks. Surprisingly, many of the largest websites are just now beginning to encrypt their services.

Assume a hacker can read your account information any time a site’s URL reads “http://” rather than “https://.” If a site doesn’t take you to HTTPS on its own, take matters into your own hands by typing the complete address including “https://,” especially before you fill out a form, and check that the padlock is still there when the page loads.

This will not protect you from advanced attacks involving client-side vulnerabilities, but at least less-sophisticated hackers will not intercept your personal information. Some commonly used services do not enforce SSL by default, so the session cookie that identifies you after login travels over plain HTTP, and a hacker who captures it can completely take over the account without ever seeing your password.
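What SSL stripping actually does to a page, and why typing “https://” yourself helps only until the attacker rewrites the next redirect, as an added Python example that serves both the SSL stripping description earlier and the advice above (illustrative code, not from the article). The browser-side half is an HSTS cache: a site that has once sent a Strict-Transport-Security header over a clean HTTPS connection is upgraded to HTTPS before any request leaves, which is the standard defence and also shows the first-visit gap the attack relies on. bank.example, the headers and the tiny cache class are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def strip_response(headers, body):
    """What an SSL-stripping proxy does to a response it fetched over HTTPS
    before relaying it to the victim over plain HTTP. Header names are assumed
    to be already canonicalised (Title-Case)."""
    out = dict(headers)
    # A redirect to https:// becomes http://; the proxy keeps talking HTTPS to
    # the real site and relays the clear text back to the victim.
    if out.get("Location", "").startswith("https://"):
        out["Location"] = "http://" + out["Location"][len("https://"):]
    # HSTS is the one header that would make the browser refuse the downgrade,
    # so it never reaches the victim.
    out.pop("Strict-Transport-Security", None)
    # Without the Secure flag the session cookie will be sent over HTTP too.
    if "Set-Cookie" in out:
        out["Set-Cookie"] = re.sub(r";\s*Secure\b", "", out["Set-Cookie"], flags=re.I)
    # Every absolute https:// link and form action in the page becomes http://.
    return out, re.sub(r"https://", "http://", body, flags=re.I)


class HstsCache:
    """Minimal model of a browser's HSTS store: hosts that must only be
    contacted over HTTPS, learned from a previous clean HTTPS visit."""

    def __init__(self):
        self.hosts = set()

    def remember(self, host, headers):
        if "Strict-Transport-Security" in headers:
            self.hosts.add(host.lower())

    def resolve(self, url):
        """Upgrade http:// to https:// for known hosts. An unknown host is left
        as typed, which is exactly the first-visit gap stripping exploits."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.hosts:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def demo():
    # Constructed response from bank.example as the proxy received it over HTTPS.
    headers = {
        "Location": "https://bank.example/login",
        "Strict-Transport-Security": "max-age=31536000",
        "Set-Cookie": "session=abc123; Secure; HttpOnly",
    }
    body = '<form action="https://bank.example/login" method="post">'
    stripped_headers, stripped_body = strip_response(headers, body)

    cache = HstsCache()
    first_visit = cache.resolve("http://bank.example/")   # nothing known: stays http, strippable
    cache.remember("bank.example", headers)               # a prior clean HTTPS visit taught the browser
    repeat_visit = cache.resolve("http://bank.example/")  # upgraded before any request leaves
    return stripped_headers, stripped_body, first_visit, repeat_visit


if __name__ == "__main__":
    sh, sb, first, repeat = demo()
    print("stripped headers:", sh)
    print("stripped body:   ", sb)
    print("first visit goes to: ", first)
    print("repeat visit goes to:", repeat)
```

The victim typing “https://bank.example” defeats the body rewrite for that one request, but the very next link or redirect the proxy touches drops them back to plain HTTP; only a remembered (or preloaded) HTTPS-only policy closes that gap, and only from the second visit on.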

Enabling a virtual private network (VPN) is another solution that can help in some cases. It extends a private network across a public one by encrypting all of your traffic between the device and the VPN server.

However, this approach has some limitations. A VPN works by establishing a “secure tunnel” (an encrypted connection between a VPN client and a VPN server), so on a public Wi-Fi network such as a hotel or airport, where you must accept terms of service before you get internet access, the device is exposed from the moment it joins the network until the tunnel is up: the captive portal has to be reached in clear text, and any traffic apps send in that window goes unprotected. The tunnel also covers only the path to the VPN server, so it does nothing against an attacker on the far side of it or against a client-side exploit.

In order to provide the best protection for sensitive data, organizations and individuals should invest in a comprehensive mobile security solution. Many organizations have secured traditional PCs only while those devices sit on the corporate network; they should instead opt for endpoint protection built specifically for mobile devices, one that protects them on the various uncontrolled networks they encounter without compromising the user’s experience on the device.

But beware, the mobile security space is a noisy one. While many companies claim to offer mobile protection, very few can actually protect your bank accounts and personal data from network and on-device attacks.

The most popular mobile antivirus apps won’t protect you even from the most amateur threats. So until our workplaces and favorite websites shift their approach to mobile security and take the necessary steps to secure their networks, it’s up to each of us to protect ourselves from the hacker sitting next to us at our favorite coffee shop, sipping a macchiato and stealing our data.