In today’s enterprise where mobile devices such as smartphones and tablets are so prevalent, security depends heavily on wireless networks. This means organizations should consider network security and secure device connectivity a priority, since data in transit can be at significant risk of attack.

IT and security leaders who want to mitigate the risks of wireless networks need to take special care to guard against wireless eavesdroppers, particularly man-in-the-middle (MITM) attacks. These attacks occur when someone is able to monitor wireless communications, and may also attempt to modify them in real time.

Two Types of Man-in-the-Middle Attacks

Generally, MITM attacks fall into two categories. Pure eavesdropping is called a “passive MITM.” The more advanced form is the “active MITM,” where the attacker can capture everything transmitted between two devices and even modify the data in transit.

While some IT managers might think that MITM attacks only target Wi-Fi networks, they should be aware that these breaches are also possible on cellular networks through the use of IMSI catchers. Therefore, administrators should have security measures for both Wi-Fi and cellular data connections on corporate mobile devices.

Turning Industry Knowledge Upside-Down

MITM attacks are a particular problem for IT managers. Obviously, any unencrypted communications can be intercepted and even modified. But that is just the start: with a MITM attack, many basic assumptions about cryptography are turned upside down.

Industry-standard tools such as TLS/SSL cryptography can be defeated or weakened. For example, an attacker in the middle can mount a downgrade attack. In this type of MITM, during the TLS/SSL handshake the attacker rewrites the list of cipher suites offered by the client so that weak algorithms are preferred, or even the “NULL” cipher, which results in no encryption at all. This weakens the protection on whatever files or applications are reached over that connection.

If the server is willing to use the weaker algorithm, then the result may be traffic that is easily decrypted by the attacker. Since TLS/SSL underpins most internet cryptography (including SSL VPNs), this presents a major risk for enterprises.

Mitigating the Risks

Even with the concerns posed by MITM attacks, here are three strategies that can help mitigate mobile security threats:

1. Employ Encryption. At a minimum, this means that any and every enterprise application, including web, email and voice traffic, should be encrypted, not just sensitive communications. Why everything? Because if an active MITM attacker can intercept unencrypted, “unimportant” communications, they can insert data as well: changing DNS responses to send the user to an impersonating server, pushing malware to the mobile device, or injecting JavaScript that steals cookies. A recent innovation called HTTP Strict Transport Security (HSTS) can help ensure that clients don’t even try to use unencrypted communications for enterprise websites.

In extreme cases, IT managers with a very low tolerance for risk can use their mobile device management (MDM) tool to configure mobile devices to bring up a VPN tunnel and send all traffic, even non-corporate traffic, back to an enterprise data center or VPN provider. There is additional overhead, but this also brings additional security and resistance to MITM attacks.
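HSTS only protects a client if the server actually sends a valid policy. The following is an added example (not code from the original article) that parses a Strict-Transport-Security header and reports the weaknesses an administrator would want flagged: a missing header, a malformed or zero max-age, a lifetime shorter than a floor, and a missing includeSubDomains directive. The one-year floor is an assumption chosen for this check, and the header sets at the bottom are constructed samples rather than captured responses.

```python
ONE_YEAR = 31536000  # seconds; assumption: the policy lifetime this check treats as adequate


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into a dict of directives.

    Directive names are case-insensitive (stored lowercase); a directive with no
    value (includeSubDomains, preload) maps to None.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def evaluate_hsts(headers, min_age=ONE_YEAR):
    """Return a list of findings for a response's headers; an empty list means the policy is adequate."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    findings = []
    if value is None:
        findings.append("no Strict-Transport-Security header: browsers may still try plain HTTP")
        return findings
    directives = parse_hsts(value)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        # max-age is mandatory; a header without it is ignored by browsers
        findings.append("max-age missing or malformed: the policy is invalid and ignored")
    elif int(max_age) == 0:
        findings.append("max-age=0 clears the policy instead of setting one")
    elif int(max_age) < min_age:
        findings.append(f"max-age {max_age}s is below the {min_age}s floor")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains remain reachable over plain HTTP")
    return findings


# Constructed sample header sets (not captured from a real server).
SAMPLE_RESPONSES = {
    "good": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "short": {"strict-transport-security": "max-age=300"},
    "missing": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(label, evaluate_hsts(headers) or "OK")
```

In practice the headers dict would come from a real HTTPS response to each enterprise site; running the check periodically catches a policy that was dropped during a server or load-balancer change.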

2. Verify TLS/SSL Setups. The internet adage of “be liberal in what you accept” means many out-of-the-box web servers accept older protocols and weaker encryption or authentication algorithms. MITM attackers can take advantage of this. In general, a first step is to disable older or weak algorithms for encryption and authentication — such as NULL, RC4, 3DES, MD5 and SHA1 — along with older versions of the protocols, such as SSL and TLS versions prior to v1.2.

IT managers who are using application delivery controllers (load balancers) have a centralized point at which to manage TLS/SSL settings and keep cryptographic libraries updated on the server side. If each application server has its own TLS/SSL settings, it is harder to keep them synchronized and patched.

The Open Web Application Security Project (OWASP) provides guidelines and tips on proper configuration of TLS for web servers; the advice is equally applicable to other TLS-protected services, including SSL VPNs and email (IMAP/SMTP) servers.
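The downgrade described earlier only succeeds when one side is willing to negotiate a weak suite or an old protocol version, so the fix on either end is to refuse them outright. The following added example (not code from the original article or from OWASP) uses Python's standard `ssl` module to build a client context that floors the protocol at TLS 1.2 and offers only forward-secret AEAD suites, and an audit function that reports any suite still matching the weak algorithms the article lists. The weak-name patterns follow OpenSSL cipher naming (a trailing "-SHA" with no digits denotes an HMAC-SHA1 suite), and the offered-suite list at the bottom is a constructed sample standing in for a permissive server's configuration.

```python
import re
import ssl

# OpenSSL cipher-name fragments for the algorithms the article says to disable,
# plus anonymous key exchange (no server authentication at all).
WEAK_NAME_PATTERNS = [
    re.compile(r"NULL"),             # NULL cipher: no encryption
    re.compile(r"RC4"),
    re.compile(r"3DES|DES-CBC3"),    # triple DES, 64-bit block size
    re.compile(r"MD5"),
    re.compile(r"-SHA$"),            # legacy suites whose MAC is HMAC-SHA1
    re.compile(r"^(ADH|AECDH)-"),    # anonymous DH/ECDH: trivially intercepted
]


def find_weak_ciphers(names):
    """Return the cipher-suite names that match any weak-algorithm pattern."""
    return [n for n in names if any(p.search(n) for p in WEAK_NAME_PATTERNS)]


def hardened_client_context():
    """Client SSLContext that refuses the downgrade: TLS 1.2+ and AEAD suites with ECDHE only."""
    ctx = ssl.create_default_context()  # chain and hostname verification stay enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suite selection in OpenSSL cipher-string syntax. TLS 1.3 suites are
    # managed separately by OpenSSL and are all AEAD, so they need no filtering.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx):
    """Weak suites the context would still offer; an empty list means it is clean."""
    return find_weak_ciphers(c["name"] for c in ctx.get_ciphers())


def is_hardened(ctx):
    """True when the protocol floor is at least TLS 1.2 and no weak suite is offered."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2 and not audit_context(ctx)


# Constructed sample of what a permissive, out-of-the-box server might offer.
SAMPLE_OFFERED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
    "RC4-MD5",
    "DES-CBC3-SHA",
    "NULL-SHA256",
    "ADH-AES128-SHA256",
]

if __name__ == "__main__":
    print("weak in sample list:", find_weak_ciphers(SAMPLE_OFFERED))
    ctx = hardened_client_context()
    print("hardened context clean:", is_hardened(ctx))
    print("suites offered:", [c["name"] for c in ctx.get_ciphers()])
```

The same cipher-string and version floor translate directly to a web server or load balancer configuration; the audit function can be pointed at any context (or at a list of suite names pulled from a server's configuration) to confirm that the change took effect.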

3. Manage Enterprise-Wide Certificates. IT managers should ensure that only valid certificates and certification authorities are used with enterprise applications. If a local certification authority is used within a company, then the Certification Authority (CA) certificate should be pre-loaded onto all devices using the organization’s MDM tool.

IT managers should review settings for certificate revocation, ensuring that online revocation protocols are still enabled. They should also investigate adding certificate pinning, which reduces the possibility that a fake digital certificate can be used by a MITM attacker to access their applications and web services.

A final action item here is user training: ensuring that users know they should never accept an unrecognized certificate on their mobile — or any other — device.
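Certificate pinning, as described in the third strategy, means a client refuses a connection even when a certificate chains to a trusted CA unless it also matches a value the client was given in advance. The following added example (not code from the original article) shows the simplest form, pinning the SHA-256 fingerprint of the server's leaf certificate on top of normal chain and hostname validation, using only Python's standard library. The certificate bytes and pin values at the bottom are constructed placeholders, not a real certificate.

```python
import hashlib
import socket
import ssl


class PinMismatch(ssl.SSLError):
    """Raised when the peer's certificate matches none of the configured pins."""


def cert_fingerprint(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert, pins):
    """True if the certificate's fingerprint is in the pin set.

    Ship at least two pins (the current certificate and a backup) so a routine
    certificate rotation does not lock every client out.
    """
    return cert_fingerprint(der_cert) in {p.lower() for p in pins}


def pinned_connect(host, port, pins, timeout=10):
    """Open a TLS connection that passes normal validation AND the pin check.

    Pinning is layered on top of chain and hostname verification, never instead of it.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not check_pin(der, pins):
        tls.close()
        # A pin failure is worth logging centrally: it is either a forgotten rotation
        # or an interception attempt, and both need attention.
        raise PinMismatch(f"certificate for {host} (sha256 {cert_fingerprint(der)}) matches no pin")
    return tls


# Constructed placeholders: stand-ins for a DER certificate and its pin set.
EXAMPLE_DER = b"constructed placeholder bytes standing in for a DER-encoded certificate"
EXAMPLE_PINS = {cert_fingerprint(EXAMPLE_DER), "0" * 64}  # current pin plus a constructed backup

if __name__ == "__main__":
    print("pin check on expected cert:", check_pin(EXAMPLE_DER, EXAMPLE_PINS))
    print("pin check on other cert:   ", check_pin(b"some other certificate", EXAMPLE_PINS))
```

Pinning the leaf fingerprint is easy to implement but changes with every renewal; pinning the SubjectPublicKeyInfo hash or an intermediate CA instead survives renewals that keep the same key, at the cost of parsing the certificate's ASN.1 structure. Whichever form is chosen, the pins themselves should be distributed through the MDM tool alongside the CA certificate so they can be updated before a rotation.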

By following good network security principles, IT managers can both mitigate many of the risks of MITM attacks and, at the same time, increase overall security in all internet-connected environments.
