In the current business landscape, where mobile devices are so prevalent, security depends heavily on wireless networks. Organizations must prioritize network security and secure device connectivity, as data in transit may be at significant risk of attack.
IT and security leaders aiming to mitigate the risks associated with wireless networks need to avoid and ward off wireless eavesdroppers — particularly from man-in-the-middle (MITM) attacks, which can enable malicious actors to monitor wireless communications or even modify them in real time.
Two types of man-in-the-middle attacks
Generally, MITM attacks fall into two categories: passive MITM, which is purely eavesdropping, and active MITM, a more advanced attack where someone can capture everything transmitted between two devices and change the data in transit.
IT managers should know that MITM attacks target more than just Wi-Fi networks. These breaches are also possible on cellular networks through the use of IMSI catchers. Administrators should be prepared with security measures for both Wi-Fi and cellular data connections on corporate mobile devices.
Turning industry knowledge upside-down
MITM attacks are a particular problem for IT managers. While any unencrypted communications can be intercepted and modified during an MITM attack, that’s just the start, as many basic assumptions about cryptography are often subverted in these cases.
Industry-standard tools, such as TLS/SSL cryptography, can be defeated or weakened. For example, an MITM attacker might perform a downgrade attack, altering the client’s list of proposed encryption algorithms during the TLS/SSL handshake so that weak algorithms, or even the “NULL” algorithm, are preferred, resulting in no encryption at all. If the server is willing to use the weaker algorithm, the resulting traffic can be easily decrypted by the attacker. Since TLS/SSL underpins most internet cryptography (including SSL VPNs), this presents a major risk for enterprises.
Mitigating the risks
To counteract the risks posed by MITM attacks, consider the following three strategies for mitigating mobile security threats:
1. Employ encryption
A recent innovation called HTTP Strict Transport Security (HSTS) can help ensure that clients don’t even try to use unencrypted communications for enterprise websites. In extreme cases, IT managers with very low risk tolerance can use their mobile device management (MDM) tool to configure mobile devices to bring up a VPN tunnel and send all traffic, even noncorporate traffic, back to an enterprise data center or VPN provider. There is additional overhead to this approach, but it can bring additional security and resistance to MITM attacks.
2. Verify TLS/SSL setups
The internet adage of “be liberal in what you accept” means many out-of-the-box web servers accept older protocols and weaker encryption or authentication algorithms. MITM attackers can take advantage of this. In general, a solid first step is to disable weak encryption and authentication algorithms (such as NULL, RC4, 3DES, MD5 and SHA1) along with older protocol versions: all versions of SSL, and TLS versions prior to 1.2.
IT managers who are using app delivery controllers (load balancers) have a centralized point for managing TLS/SSL settings and keeping cryptographic libraries updated on the server side. If each application server has its own TLS/SSL settings, it’s more difficult to keep things synchronized and patched. The Open Web Application Security Project (OWASP) provides guidelines and tips on proper configuration of TLS for web servers, and the advice is equally applicable to other TLS-protected services, including SSL VPNs and email (IMAP/SMTP) servers.
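As an added illustration of the server-side hardening described in this section (not code from the article or any vendor), the following Python builds a TLS server context that refuses everything the text says to disable, and audits any context for the same weaknesses. It assumes Python's ssl module on top of OpenSSL and OpenSSL's cipher-suite naming (for example, "AES128-SHA" denotes an HMAC-SHA1 MAC); it checks configuration only, not a live handshake.

```python
import re
import ssl

# Cipher-name patterns for the weak algorithms the article lists
# (NULL, RC4, 3DES, MD5, SHA1), plus anonymous key exchange, which
# provides no server authentication and so cannot resist an MITM.
# Names follow OpenSSL conventions; the first matching reason is reported.
WEAK_PATTERNS = {
    "anonymous key exchange": re.compile(r"^A(EC)?DH-"),
    "NULL cipher": re.compile(r"(^|-)NULL(-|$)"),
    "RC4": re.compile(r"(^|-)RC4(-|$)"),
    "3DES": re.compile(r"DES-CBC3"),
    "MD5 MAC": re.compile(r"-MD5$"),
    "SHA1 MAC": re.compile(r"-SHA$"),
}


def weak_ciphers(cipher_names):
    """Return (name, reason) pairs for every cipher matching a weak pattern."""
    findings = []
    for name in cipher_names:
        for reason, pattern in WEAK_PATTERNS.items():
            if pattern.search(name):
                findings.append((name, reason))
                break
    return findings


def hardened_server_context():
    """Server context following the article's advice: TLS 1.2 or newer,
    forward-secret AEAD suites only, weak algorithms explicitly excluded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
        "!aNULL:!eNULL:!RC4:!3DES:!MD5:!SHA1"
    )
    return ctx


def audit_context(ctx):
    """List the misconfigurations the article warns about; empty means OK."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol floor below TLS 1.2")
    for name, reason in weak_ciphers(c["name"] for c in ctx.get_ciphers()):
        problems.append(f"weak cipher enabled: {name} ({reason})")
    return problems


if __name__ == "__main__":
    for line in audit_context(hardened_server_context()) or ["no problems found"]:
        print(line)
```

The same audit can be pointed at any SSLContext an application builds, for instance one loaded from a load balancer's exported settings, to catch a suite that slipped back in.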
3. Manage enterprise-wide certificates
IT managers should ensure that only valid certificates and certification authorities (CAs) are used for enterprise applications. If a company uses a local CA, the certificate should be preloaded onto all devices using the company MDM tool. IT managers should review settings for certificate revocation, ensuring that online revocation protocols are still enabled. They should also consider adding certificate pinning, which reduces the possibility that a fake digital certificate can be used by an MITM attacker to access their applications and web services.
A final but critical action item here is ensuring that users are trained not to accept unrecognized certificates on their devices.