In the current business landscape, where mobile devices are so prevalent, security depends heavily on wireless networks. Organizations must prioritize network security and secure device connectivity, as data in transit may be at significant risk of attack.

IT and security leaders aiming to mitigate the risks associated with wireless networks need to guard against wireless eavesdroppers, particularly man-in-the-middle (MITM) attacks, which let malicious actors monitor wireless communications or even modify them in real time.

Two types of man-in-the-middle attacks

Generally, MITM attacks fall into two categories: passive MITM, which is purely eavesdropping, and active MITM, a more advanced attack in which the attacker captures everything transmitted between two devices and can change the data in transit.

IT managers should know that MITM attacks target more than just Wi-Fi networks. These breaches are also possible on cellular networks through the use of IMSI catchers. Administrators should be prepared with security measures for both Wi-Fi and cellular data connections on corporate mobile devices.

Turning industry knowledge upside-down

MITM attacks are a particular problem for IT managers. Any unencrypted communication can be intercepted and modified during an MITM attack, but that is just the start: many basic assumptions about cryptography are also subverted in these cases.

Industry-standard tools, such as TLS/SSL cryptography, can be defeated or weakened. For example, an MITM attacker might mount a downgrade attack, altering the client's list of supported cipher suites during the TLS/SSL handshake so that weak algorithms, or even the "NULL" cipher, are preferred, which results in no encryption at all. If the server is willing to use the weaker algorithm, the traffic can be easily decrypted by the attacker. Since TLS/SSL underpins most internet cryptography (including SSL VPNs), this presents a major risk for enterprises.

Mitigating the risks

To counteract the risks posed by MITM attacks, consider the following three strategies for mitigating mobile security threats:

1. Employ encryption

At a minimum, every enterprise application should be encrypted, including web, email and voice traffic, not just sensitive communications. Why everything? Because if an active MITM attacker can intercept unencrypted, "unimportant" communications, they can insert data, too. For instance, attackers could change domain name system (DNS) responses to send users to an impersonating server, deliver malware to users' mobile devices or even inject JavaScript that steals cookies.

A recent innovation called HTTP Strict Transport Security (HSTS) can help ensure that clients don’t even try to use unencrypted communications for enterprise websites. In extreme cases, IT managers with very low risk tolerance can use their mobile device management (MDM) tool to configure mobile devices to bring up a VPN tunnel and send all traffic, even noncorporate traffic, back to an enterprise data center or VPN provider. There is additional overhead to this approach, but it can bring additional security and resistance to MITM attacks.

2. Verify TLS/SSL setups

The internet adage of "be liberal in what you accept" means many out-of-the-box web servers accept older protocols and weaker encryption or authentication algorithms. MITM attackers can take advantage of this. In general, a solid first step is to disable weak encryption and authentication algorithms (such as NULL, RC4, 3DES, MD5 and SHA1) along with older protocol versions: all versions of SSL, and TLS versions prior to 1.2.
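The downgrade attack described earlier only works if one side is willing to negotiate the weak suite, so the practical defense is the configuration step above. As an added Python example (not from the original article), the block below does two things with the standard library ssl module: it builds a client context that refuses SSL, TLS 1.0/1.1 and the algorithms named above, and it audits OpenSSL cipher descriptions for those same weaknesses so the same check can be run against a server's configured list. The `LEGACY_SERVER_DESCRIPTIONS` list is a constructed sample written in the format `SSLContext.get_ciphers()` returns, not a capture from any real server.

```python
"""Hardened TLS client context plus a cipher-suite audit.

Added example, not from the original article. Uses only the standard library
ssl module; LEGACY_SERVER_DESCRIPTIONS is a constructed sample in the format
that SSLContext.get_ciphers() reports, not a capture from a real server.
"""
import ssl

# OpenSSL cipher string: forward-secret AEAD suites only, with the article's
# weak algorithms explicitly excluded so a future library default cannot
# reintroduce them.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
    ":!aNULL:!eNULL:!MD5:!SHA1:!RC4:!3DES"
)


def hardened_client_context(ca_file=None):
    """Client context that refuses the weak options the article lists.

    ca_file is the enterprise CA bundle (None falls back to the system store).
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3, TLS 1.0 or TLS 1.1
    ctx.set_ciphers(HARDENED_CIPHERS)              # TLS 1.2 suites; TLS 1.3 suites are all AEAD
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def weak_reasons(description):
    """Weaknesses found in one OpenSSL cipher description line.

    Format (as SSLContext.get_ciphers()['description'] reports it):
        NAME PROTOCOL Kx=... Au=... Enc=... Mac=...
    """
    fields = dict(tok.split("=", 1) for tok in description.split() if "=" in tok)
    enc = fields.get("Enc", "")
    mac = fields.get("Mac", "")
    auth = fields.get("Au", "")
    reasons = []
    if enc.startswith("None"):
        reasons.append("NULL encryption")
    if enc.startswith("RC4"):
        reasons.append("RC4")
    if enc.startswith("3DES"):
        reasons.append("3DES")
    if mac == "MD5":
        reasons.append("MD5")
    if mac == "SHA1":
        reasons.append("SHA1")
    if auth == "None":
        reasons.append("anonymous key exchange")   # no server authentication at all
    return reasons


def audit_descriptions(descriptions):
    """Return [(cipher_name, reasons)] for every description that is weak."""
    flagged = []
    for desc in descriptions:
        reasons = weak_reasons(desc)
        if reasons:
            flagged.append((desc.split()[0], reasons))
    return flagged


def audit_context(ctx):
    """Audit the suites a context would actually offer."""
    return audit_descriptions(c["description"] for c in ctx.get_ciphers())


# Constructed sample of what a permissive, out-of-the-box server might offer.
LEGACY_SERVER_DESCRIPTIONS = [
    "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD",
    "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1",
    "DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1",
    "RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5",
    "NULL-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=None Mac=SHA256",
    "ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1",
]
```

Running `audit_context(hardened_client_context())` returns an empty list, while `audit_descriptions(LEGACY_SERVER_DESCRIPTIONS)` flags five of the six constructed suites. The same audit can be pointed at the output of `openssl ciphers -v` on a server or load balancer to confirm that the NULL, RC4, 3DES, MD5 and SHA1 families really are gone after a configuration change.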

IT managers who are using app delivery controllers (load balancers) have a centralized point for managing TLS/SSL settings and keeping cryptographic libraries updated on the server side. If each application server has its own TLS/SSL settings, it’s more difficult to keep things synchronized and patched. The Open Web Application Security Project (OWASP) provides guidelines and tips on proper configuration of TLS for web servers, and the advice is equally applicable to other TLS-protected services, including SSL VPNs and email (IMAP/SMTP) servers.

3. Manage enterprise-wide certificates

IT managers should ensure that only valid certificates and certification authorities (CAs) are used for enterprise applications. If a company uses a local CA, its certificate should be preloaded onto all devices using the company MDM tool. IT managers should review settings for certificate revocation, ensuring that online revocation protocols are still enabled. They should also consider adding certificate pinning, which reduces the possibility that a fake digital certificate can be used by an MITM attacker to impersonate their applications and web services.
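Certificate pinning adds a check on top of normal chain validation: the client compares a digest of the certificate the server presents against a short list it ships with, so a certificate from any other CA, trusted or not, is rejected. Here is an added Python example (not from the original article) of that check done with the standard library only. It pins the SHA-256 digest of the whole DER certificate (pinning the public-key info alone is also common, but would need an ASN.1 parser), compares in constant time, and refuses pin sets with no backup pin. The `SAMPLE_PEM` blob is a constructed placeholder (base64 of arbitrary bytes wrapped in PEM markers) so the example runs offline; `BACKUP_PIN` is likewise a constructed value.

```python
"""Certificate pinning for a TLS client, standard library only.

Added example, not from the original article. SAMPLE_PEM is a constructed
placeholder (base64 of arbitrary bytes in PEM markers), not a real certificate,
and BACKUP_PIN is a constructed value; the pin strings are computed from them.
"""
import base64
import hashlib
import hmac
import socket
import ssl

PIN_PREFIX = "sha256/"


def pin_of_der(der_cert):
    """Pin string for a DER certificate: "sha256/" + base64(SHA-256(DER))."""
    digest = hashlib.sha256(der_cert).digest()
    return PIN_PREFIX + base64.b64encode(digest).decode("ascii")


def pin_of_pem(pem_cert):
    """Same pin computed from a PEM-encoded certificate (e.g. from a CA export)."""
    return pin_of_der(ssl.PEM_cert_to_DER_cert(pem_cert))


def validate_pin_set(pins):
    """A usable pin set has at least two well-formed pins (current plus backup).

    Shipping a single pin means the next certificate rotation locks every
    client out until the app itself is updated.
    """
    if len(pins) < 2:
        return False
    for pin in pins:
        if not pin.startswith(PIN_PREFIX):
            return False
        try:
            raw = base64.b64decode(pin[len(PIN_PREFIX):], validate=True)
        except ValueError:      # binascii.Error is a ValueError subclass
            return False
        if len(raw) != 32:
            return False
    return True


def cert_matches_pins(der_cert, pins):
    """Constant-time membership test of the presented certificate's pin."""
    actual = pin_of_der(der_cert).encode("ascii")
    return any(hmac.compare_digest(actual, pin.encode("ascii")) for pin in pins)


def pinned_client_context(ca_file):
    """Normal chain validation against the enterprise CA; pinning is layered on top."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def connect_pinned(ctx, host, port, pins, timeout=5.0):
    """Open a TLS connection and abort it unless the leaf certificate is pinned.

    Needs network access, so it is not exercised offline. The chain has already
    been validated by the time getpeercert() returns; the pin check rejects a
    chain that validated through a CA the enterprise did not intend.
    """
    if not validate_pin_set(pins):
        raise ValueError("pin set needs at least a current and a backup pin")
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not cert_matches_pins(der, pins):
        tls.close()
        raise ssl.SSLError("certificate pin mismatch for %s" % host)
    return tls


# Constructed placeholder so the pin functions can be exercised offline.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder certificate bytes").decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)
# Constructed backup pin (all-zero digest) standing in for a not-yet-deployed certificate.
BACKUP_PIN = PIN_PREFIX + base64.b64encode(bytes(32)).decode("ascii")
```

The `pin_of_pem` helper is how the pin list gets built in the first place: run it over the certificates the enterprise CA has issued (and the one queued for the next rotation) and ship the resulting strings with the app through the MDM tool. A pin mismatch at connect time is worth logging centrally, since on a managed fleet it is either a forgotten rotation or an interception attempt.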

A final but critical action item here is ensuring that users are trained not to accept unrecognized certificates on their devices.

Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.