Mobile devices, such as smartphones and tablets, depend heavily on wireless networks. When evaluating mobile security threats, one of the key places to look is the network — what goes between the device and the application. IT and security leaders aiming to mitigate the risks associated with wireless networks need to avoid wireless eavesdroppers — particularly from man-in-the-middle (MITM) attacks, which can enable malicious actors to monitor wireless communications or even modify them in real time.
Two types of man-in-the-middle attacks
MITM attacks occur when someone can both eavesdrop on wireless communications and also modify the communications on the fly. A pure eavesdropping attack, sometimes called “passive MITM,” is fairly easy to mitigate: Use encryption for all communications, no matter where. That doesn’t get you 100 percent mitigation, but close enough for most enterprises.
More insidious is the active MITM, where someone can capture everything that goes between two devices and even modify the traffic as it goes by. A person or, more precisely, a computer, is in the middle between the user’s device and the application — hence the term, “man in the middle.”
Some IT managers assume MITM attacks only occur on Wi-Fi networks, not cellular. That’s incorrect: MITM attacks are commonly found on cellular networks, as well. IT managers must not treat the carrier’s wireless network as being more trustworthy than Wi-Fi networks.
Turning industry knowledge upside down
MITM attacks are a particular problem for IT managers. Obviously, any unencrypted communications can be intercepted and even modified. But that’s just the start. With an MITM attack, many of the basic assumptions we have about cryptography are turned upside down.
Tools such as TLS/SSL cryptography can be defeated or weakened. For example, an MITM attacker can engage in a downgrade MITM attack. With this type of MITM, during the initial handshake for the TLS/SSL protocol, the attacker changes the list of encryption algorithms offered by the client to prefer weak algorithms or even the “NULL” algorithm, which results in no encryption at all. If the server is willing to use the weaker algorithm, then the result may be traffic that is easily decrypted by the attacker. Since TLS/SSL underpins most internet cryptography (including SSL VPNs), any weakness can be a major risk.
Mitigating the risks
To counteract the risks posed by MITM attacks, consider the following three strategies for mitigating mobile security threats:
1. Employ encryption
IT managers should be encrypting all communications, not just sensitive ones. At a minimum, that means that any and every enterprise application, including web, email and voice traffic, should be encrypted. Why everything? Because if an active MITM attacker can intercept unencrypted “unimportant” communications, they can insert data as well: changing domain name system (DNS) responses to send the user to an impersonating server, delivering malware to users’ mobile devices or even injecting JavaScript that steals cookies. HTTP Strict Transport Security (HSTS) can help to ensure that clients don’t even try to use unencrypted communications to enterprise websites, adding another layer of defense against MITM attacks.
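The following is an added example, not code from the original article, showing the server side of the HSTS advice above in Python: a minimal response policy that redirects plain HTTP to HTTPS and sends a Strict-Transport-Security header only on the encrypted connection (browsers ignore the header over plain HTTP), plus a small auditor that parses the header and flags weak settings. The one-year threshold, the names of the hostnames and the finding strings are assumptions made for the example.

```python
# Added example: HSTS response policy and header auditor (not from the article).

# Assumed policy thresholds, not from the article: one year is the common
# minimum max-age recommendation, and includeSubDomains keeps a plain-HTTP
# subdomain from being used to reach the protected domain.
MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a policy dict.
    Returns None when the header is absent or invalid (no usable max-age,
    or a directive repeated, which RFC 6797 treats as invalid)."""
    if header_value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # Unknown directives are ignored, as the RFC requires.
    if policy["max_age"] is None:
        return None
    return policy


def audit_hsts(headers):
    """Return a list of findings for a dict of response headers (any case)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(value)
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 disables HSTS")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"max-age {policy['max_age']} is below {MIN_MAX_AGE}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing")
    return findings


def respond(request_scheme, host, path):
    """Minimal server policy: plain HTTP is redirected to HTTPS and never
    answered with content; HTTPS responses carry the HSTS header.
    Returns (status, headers, body)."""
    if request_scheme == "http":
        return 301, {"Location": f"https://{host}{path}"}, b""
    return 200, {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Type": "text/plain",
    }, b"ok"


if __name__ == "__main__":
    # Constructed sample: a weak header and the policy our server sends.
    print(audit_hsts({"Strict-Transport-Security": "max-age=300"}))
    print(respond("http", "app.example.test", "/login"))
```

Run against captured headers from each enterprise site; anything other than an empty findings list means a client can still be steered onto plain HTTP, which is exactly where the DNS and script injections described above happen.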
IT managers with very low risk tolerance can use their mobile device management (MDM) tool to configure mobile devices to bring up a VPN tunnel and send all traffic, even noncorporate traffic, back to an enterprise data center or VPN provider. There is additional overhead to this approach, but it can bring additional security and resistance to MITM attacks.
2. Verify TLS/SSL setup
IT managers should verify TLS/SSL configurations carefully. The internet adage “be liberal in what you accept” means many out-of-the-box web servers accept older protocols and weaker encryption or authentication algorithms. MITM attackers can take advantage of this. In general, a first step is to disable weak encryption and authentication algorithms, such as NULL, RC4, 3DES, MD5 and SHA1, along with older protocol versions: every version of SSL and any version of TLS prior to 1.2.
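As an added example (not code from the article) the Python block below does two things that follow from the downgrade discussion and the list above. First, it builds a client TLS context that refuses anything older than TLS 1.2 and excludes the NULL, RC4, 3DES, MD5 and SHA1 suite classes, then audits the suites the context actually enables so the policy can be checked rather than assumed. Second, it simulates the downgrade scenario with a tiny suite-selection function: an attacker who has rewritten the client’s offered list to put a NULL suite first only succeeds if the server is still willing to enable that suite. The anonymous-suite tokens (ADH, AECDH) are an addition beyond the article’s list; the cipher names and the lists used in the simulation are constructed for the example.

```python
# Added example: TLS policy check and downgrade simulation (not from the article).
import ssl

# Tokens from the article's list of what to disable, plus anonymous suites
# (assumption: they provide no server authentication and are trivially MITM-able).
WEAK_TOKENS = ("NULL", "RC4", "MD5", "3DES", "DES-CBC3", "ADH", "AECDH", "ANON")
WEAK_PROTOCOLS = {"SSLV2", "SSLV3", "TLSV1", "TLSV1.0", "TLSV1_0", "TLSV1.1", "TLSV1_1"}


def is_weak_cipher(name):
    """True if a suite name (OpenSSL or IANA style) uses a class the policy bans."""
    u = name.upper()
    if any(tok in u for tok in WEAK_TOKENS):
        return True
    # HMAC-SHA1 suites end in "-SHA" (OpenSSL) or "_SHA" (IANA); AEAD suites end
    # in SHA256/SHA384, which names the PRF, not a SHA1 MAC, and are kept.
    return u.endswith("-SHA") or u.endswith("_SHA") or "SHA1" in u


def is_weak_protocol(version):
    """True for every SSL version and for TLS versions before 1.2."""
    return version.upper().replace(" ", "") in WEAK_PROTOCOLS


def audit_cipher_list(names):
    """Return the subset of suite names that violate the policy."""
    return [n for n in names if is_weak_cipher(n)]


def hardened_client_context():
    """Client context: TLS 1.2+, forward-secret AEAD suites, certificate and
    hostname verification on (PROTOCOL_TLS_CLIENT sets both by default)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string; the "!" entries exclude the classes named above.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!SHA1")
    return ctx


def context_report(ctx):
    """Summarise what a context will really negotiate, for review or a CI check."""
    enabled = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "enabled": enabled,
        "weak": audit_cipher_list(enabled),
        "verify": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


def server_select(client_offer, server_enabled):
    """Simplified negotiation honouring client preference order: the first suite
    in the (possibly tampered) client offer that the server still enables, or
    None if there is no common suite and the handshake fails."""
    for suite in client_offer:
        if suite in server_enabled:
            return suite
    return None


if __name__ == "__main__":
    print(context_report(hardened_client_context()))
    tampered = ["NULL-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]  # constructed offer
    print(server_select(tampered, ["NULL-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]))
    print(server_select(tampered, ["ECDHE-RSA-AES128-GCM-SHA256"]))
```

The report’s `enabled` list is what OpenSSL will actually offer, which is the figure to compare against a server’s configuration; the simulation makes the article’s point concrete: once the server no longer enables a weak suite, rewriting the client’s preferences yields either a strong suite or a failed handshake, never silent downgrade.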
IT managers who are using application delivery controllers (load balancers) have a centralized point to manage TLS/SSL settings and keep cryptographic libraries updated on the server side. If each application server has its own TLS/SSL settings, every server must be kept synchronized and patched separately, which is harder to get right. The Open Web Application Security Project (OWASP) provides guidelines and tips on proper configuration of TLS for web servers, and the advice is equally applicable to other TLS-protected services, including SSL VPNs and email (IMAP/SMTP) servers.
3. Manage enterprise-wide certificate authorities and certificates
IT managers should ensure that only valid certificates and certification authorities (CAs) are used for enterprise applications. If a company uses a local CA, its certificate should be preloaded onto all devices using the company MDM tool. IT managers should check settings for certificate revocation to ensure that online revocation protocols are still enabled. And IT managers should implement the new Certificate Transparency (CT) and Certificate Authority Authorization (CAA) mechanisms to reduce the possibility that a fake digital certificate can be used by an MITM attacker.
As part of reviewing how certificates are used, IT managers should also confirm that users are trained to never, ever, accept an unrecognized certificate on their mobile or any other device.
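To make the Certificate Authority Authorization part of the paragraph above concrete, here is an added Python example (not code from the article) that evaluates a domain’s CAA record set the way a CA must before issuing, following the RFC 8659 rules: `issue` records govern ordinary requests, `issuewild` records take over for wildcard requests when present, an empty issuer (the value `;`) forbids every CA, and a critical-flagged record with an unknown tag blocks issuance outright. It assumes the records have already been looked up for the relevant name (the DNS tree climb is not shown) and uses constructed domain names; a record set that names only the enterprise’s chosen CA is what keeps a misissued certificate, the raw material of the MITM the article describes, from being issued for your domains.

```python
# Added example: CAA record evaluation per RFC 8659 (not from the article).

ISSUER_TAGS = {"issue", "issuewild", "iodef"}  # the property tags RFC 8659 defines
CRITICAL_FLAG = 0x80


def _issuer_domain(value):
    """Return the issuer-domain-name part of an issue/issuewild value.
    "ca.example" and "ca.example; validationmethods=dns-01" both yield
    "ca.example"; ";" or "" yields "" (no CA may issue)."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def caa_permits(records, ca_domain, wildcard=False):
    """True if the CAA record set allows `ca_domain` to issue a certificate.
    `records` is a list of (flags, tag, value) tuples as read back from DNS,
    assumed to be the relevant set already located for the name."""
    # A critical property the CA does not understand forbids issuance outright.
    for flags, tag, _value in records:
        if flags & CRITICAL_FLAG and tag.lower() not in ISSUER_TAGS:
            return False
    # issuewild governs wildcard requests when present; otherwise issue does.
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _f, t, _v in records):
        tag = "issuewild"
    relevant = [v for _f, t, v in records if t.lower() == tag]
    if not relevant:
        return True  # no restriction recorded for this kind of request
    ca = ca_domain.lower().rstrip(".")
    return any(_issuer_domain(v) == ca for v in relevant)


if __name__ == "__main__":
    # Constructed record set: only one CA may issue, and no wildcard certs at all.
    records = [
        (0, "issue", "ca-example.test"),
        (0, "issuewild", ";"),
        (0, "iodef", "mailto:security@example.test"),
    ]
    print(caa_permits(records, "ca-example.test"))            # True
    print(caa_permits(records, "other-ca.test"))              # False
    print(caa_permits(records, "ca-example.test", wildcard=True))  # False
```

The same function can be run over the CAA records of every enterprise domain as a periodic check: any domain where `caa_permits` returns True for a CA you do not use is a gap worth closing.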
MITM attacks are relatively rare but can be potentially disastrous. By following good network security principles, IT managers can both mitigate many of the risks of MITM attacks and, at the same time, increase overall security in all connected environments.
Learn the best practices for thwarting mobile security breaches and responding when they occur in this free white paper, and learn how Samsung Knox secures your mobile devices from the chip up to protect against cyberattacks.