Last week’s dramatic rescue of 15 hostages held by the guerrilla organization FARC was the result of months of intricate deception on the part of the Colombian government. At the center was a classic man-in-the-middle attack.
In a man-in-the-middle attack, the attacker inserts himself between two communicating parties. Both believe they’re talking to each other, and the attacker can delete or modify the communications at will. The Wall Street Journal reported how this gambit played out in Colombia.
The plan had a chance of working because, for months, in an operation one army officer likened to a “broken telephone,” military intelligence had been able to convince Ms. Betancourt’s captor, Gerardo Aguilar, a guerrilla known as “Cesar,” that he was communicating with his top bosses in the guerrillas’ seven-man secretariat. Army intelligence convinced top guerrilla leaders that they were talking to Cesar. In reality, both were talking to army intelligence.
This ploy worked because Cesar and his guerrilla bosses didn’t know each other well. They didn’t recognize each others’ voices, and didn’t have a friendship or shared history that could have tipped them off about the ruse. Man-in-the-middle is defeated by context, and the FARC guerillas didn’t have any.
And that’s why man-in-the-middle, abbreviated MITM in the computer security community, is such a problem online: Internet communication is often stripped of any context. There’s no way to recognize someone’s face. There’s no way to recognize someone’s voice. When you receive an e-mail purporting to come from a person or organization, you have no idea who actually sent it. When you visit a website, you have no idea if you’re really visiting that website. We all like to pretend that we know who we’re communicating with — and for the most part, of course, there isn’t any attacker inserting himself into our communications — but in reality, we don’t. And there are lots of hacker tools that exploit this unjustified trust, and implement MITM attacks.
Even with context, it’s still possible for MITM to fool both sides — because electronic communications are often intermittent. Imagine that one of the FARC guerillas became suspicious about who he was talking to. So he asks a question about their shared history as a test: “What did we have for dinner that time last year?” or something like that. On the telephone, the attacker wouldn’t be able to answer quickly, so his ruse would be discovered. But e-mail conversation isn’t synchronous. The attacker could simply pass that question through to the other end of the communications, and when he got the answer back, he would be able to reply.
This is the way MITM attacks work against web-based financial systems. A bank demands authentication from the user: a password, a one-time code from a token or whatever. The attacker sitting in the middle receives the request from the bank and passes it to the user. The user responds to the attacker, who passes that response to the bank. Now the bank assumes it is talking to the legitimate user, and the attacker is free to send transactions directly to the bank. This kind of attack completely bypasses any two-factor authentication mechanisms, and is becoming a more popular identity theft tactic.
There are cryptographic solutions to MITM attacks, and there are secure web protocols that implement them. Many of them require shared secrets, though, making them only useful in situations where people already know and trust each other.
The NSA-designed STU-III and STE secure telephones solve the MITM problem by embedding the identity of each phone together with its key. (The NSA creates all keys and is trusted by everyone, so this works.) When two phones talk to each other securely, they exchange keys and display the other phone’s identity on a screen. Because the phone is in a secure location, the user now knows who he is talking to, and if the phone displays another organization — as it would if there were a MITM attack in progress — he should hang up.
Related Posts: On this day...
- Sesame Street: Share It Maybe - 2012
- Seattle cops forget semi-automatic rifle sitting on patrol car's trunk - 2011
- Colton Harris-Moore aka Barefoot Bandit has been CAUGHT! - 2010
- UK Officials: Dump Microsoft and Use Linux to Save Money - 2010
- The Actual Facts About The Mcdonalds' Coffee Case - 2009
- Find is a Beautiful Command-line Tool - 2008