A Case Study of TLS Man-in-the-middle Attack
Yufang J.
TLS, Transport Layer Security, is widely used for confidential data transmission. Because it is used so often and protects such sensitive data, hackers love to attack TLS connections. A key feature of TLS is its use of asymmetric encryption. Specifically, TLS relies on PKI, the public key infrastructure, to manage certificates, so these certificates can be used to verify the authenticity of the two parties in a connection. Because these certificates play such an important role, a common attack on TLS connections is forging certificates in order to impersonate some website and fool browser users. This attack is called a TLS man-in-the-middle attack.
In 2014, Adrienne Porter Felt reported that the in-flight internet connectivity company Gogo had issued a certificate for Google. The incident was posted on Twitter as shown below. How did this happen?
Gogo Inc. is a company providing in-flight broadband services. In 2014, Felt reported a man-in-the-middle attack found on Gogo's Wi-Fi service. In 2016, another cyber security issue was reported by Petrow (Petrow, 2016). Ironically, despite these issues, Gogo's official website emphasizes that cyber security is in its DNA (Gogo, Inc.).
In response to what Felt experienced, Gogo replied that this seeming man-in-the-middle attack was a technique they used to save bandwidth (McAfee, 2015). However, shouldn't they have disclosed that to their Wi-Fi users? How could their clients trust them again? Gogo may record users' private data and browsing history and in turn monetize that data for profit. Clients don't know.
To understand this issue, basic knowledge of the TLS connection is required. So, let's compare a normal TLS connection with one that has a man-in-the-middle. A normal TLS connection includes the handshake process described below. In this handshake there is a step in which the client verifies whether the certificate presented by the server is issued by an issuer that the client's browser trusts. In TLS 1.2 this happens in the third step, where the client verifies the server's certificate by checking its issuer; in TLS 1.3 the client does the same thing in the second step. With this knowledge, let's review the Gogo certificate issue. The browser complained that the certificate shown in the screenshot was issued to Google by 10.240.31.12, an untrusted issuer. That means that in the handshake the server provided an unreliable certificate, which in turn indicated that Felt might not be connected to the "real" YouTube. That is, Felt was connecting to a man-in-the-middle that connected to the real YouTube and retransmitted the web page to her.
The reason Gogo claimed they used the man-in-the-middle as a bandwidth-saving technique might be that it let them know in advance which web service the user was requesting. If that service consumed too much bandwidth, they could lower the service speed or refuse to provide the service.
Although it is known that Gogo created this man-in-the-middle, I still need to examine the essential steps to take when a malicious man-in-the-middle attack happens. To facilitate the later discussion, let's assume that this man-in-the-middle is someone working at Gogo. To investigate how the man-in-the-middle attack was launched in Gogo's case, the investigator needs to apply the OODA loop to find it.
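To make that verification step concrete, here is an added Go example (not code from the article or from Gogo) that rebuilds the situation with constructed keys: a certificate for www.youtube.com signed by a root the client trusts passes the client's check, while one signed by an issuer named 10.240.31.12 that the client has never trusted fails with x509.UnknownAuthorityError, the same kind of complaint Felt's browser raised. The helper names (must, issue, gogoScenario) and the "Trusted Root CA (constructed)" name are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // abort on setup errors; fine for a constructed scenario
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a certificate for cn signed by parent/parentKey, or self-signed when parent is nil.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if !isCA { // server leaf: carries the host name the client will ask for
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// gogoScenario rebuilds the incident with constructed keys: one trusted root, and an interception box "10.240.31.12" minting its own www.youtube.com certificate.
func gogoScenario() (genuineAccepted, forgedRejected bool) {
	root, rootKey := issue("Trusted Root CA (constructed)", true, nil, nil)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: "www.youtube.com"}
	opts.Roots.AddCert(root) // the browser's trust store holds only this root
	genuine, _ := issue("www.youtube.com", false, root, rootKey)
	mitm, mitmKey := issue("10.240.31.12", true, nil, nil)
	forged, _ := issue("www.youtube.com", false, mitm, mitmKey)
	_, genuineErr := genuine.Verify(opts) // the handshake check: chain to a trusted root, match the host name
	_, forgedErr := forged.Verify(opts)
	_, unknownIssuer := forgedErr.(x509.UnknownAuthorityError) // the "untrusted issuer" Felt's browser reported
	return genuineErr == nil, unknownIssuer
}
```

A real browser runs the same Verify logic against the operating system's or its own trust store, which is why a certificate minted by an issuer that is not in that store cannot impersonate YouTube unless the user is persuaded to click through the warning.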
1. Observe and orient
- Use Wireshark to observe the packets transmitted during the SSL/TLS handshake, so investigators can find the IP address of the computer acting as the man-in-the-middle.
- Check the IP table on Felt's laptop and save it for the investigation. Also check the MAC address corresponding to the man-in-the-middle's IP address.
- Check the command history for suspicious commands used to alter the IP table.
- Check that the hotspot currently connected to is the one provided by Gogo rather than one set up by the man-in-the-middle.
- Use another machine to check whether the issue is reproducible. If it is, preserve the current network environment for later debugging. Otherwise, take an image of Felt's operating system for later debugging.
- Repeat these steps until the man-in-the-middle is found.
2. Decide and act
In order to keep Gogo's business running normally instead of being halted by this incident, Gogo needs to create a temporary, clean wireless environment for clients. The original environment is preserved for later debugging.
After the man-in-the-middle is found, if the attack was launched from an internal machine, Gogo needs to check its login records to identify the suspects. Gogo needs to talk to them and to the stakeholders related to them to understand their motivation for launching the attack, whether a data breach was caused, how to compensate, and what the related legal responsibilities are.
If the attack was launched from an external machine, Gogo needs to contact the organization that owns the machine, negotiate with them, and consider possible lawsuits. Gogo also needs to check how packets were redirected to that machine, find the related stakeholders, and talk to them to figure things out.
In our scenario, to run the OODA loop well, the CIRT team has to include professionals from the legal, cyber security and information technology fields. Because these professionals have different backgrounds, when Gogo selects them for the CIRT team it's important to make sure the selected people can communicate with each other efficiently, so they can resolve the issue in a short time.
Internally, the CIRT needs to figure out why this man-in-the-middle technique was adopted, and it needs to set up policies under which strategies can be designed and reviewed.
As for risk assessment, based on ISO 27001 (CERTIKIT, 2021), Gogo needs to review its Wi-Fi connection services and design risk treatment by following the guidelines below. We assume that Gogo's goal is to create and maintain a Wi-Fi connection environment and service that preserves confidentiality, integrity and availability.
1. Establish a risk management framework
If Gogo acts in good faith toward the business it is running, it should have tested its system and listed the potential risks. That is, how to deal with these risks has to be written down and collected into a standard procedure that staff can refer to.
Apart from that, case studies of technological and legal issues based on real cyber security cases, as well as crisis simulations, should be scheduled as regular events. This is important because people tend to ignore important nuances when they think they live in a safe environment. Sadly, that is not the truth. If it takes deliberate practice for people to stay vigilant, then continuous learning and brainstorming are necessary.
2. Identify risks
Identifying these risks follows the four T's process: transferring risk, tolerating risk, treating risk and terminating risk. In order to make good decisions on how to address risks, information including attack frequency, how the attack happens, how others resolve these issues, what Gogo has done, and what the business strategy is for security issues has to be collected for reference. The goal is that with this information Gogo can prioritize risks and find good solutions for those with higher priority.
3. Analyze risks
After risks are identified, in order to deal with them, Gogo needs to create two sets of tests to identify whether the risks exist in the current environment. The tests can be divided into an essential test set and a thorough test set. The essential test set can be run and finished in around an hour. By comparison, the thorough test set is run as a daily cron job.
4. Evaluate risks
In this stage, when a risk arises, Gogo needs to consider whether it is similar to one that has already been considered. If not, Gogo needs its CIRT to discuss possible solutions. Apart from that, it's essential for the CISO to visualize or quantify risks, because that makes them easier for all C-level executives to understand, and they may need to attend related meetings: because different executives view the business from different angles, they may prioritize risks differently. With their ideas come more solutions and inspiration.
5. Select risk treatment options
Gogo can consider the "avoid", "modify", "share" and "retain" options. I think the share option, say, buying insurance, is the last one I would consider, because it costs extra fees and it's passive. If every risk is thoroughly understood and well prioritized, it's easier for staff to choose a suitable option. Of course, if the budget is sufficient and all risks are considered and managed, buying insurance can serve as the final protection.
The man-in-the-middle attack is nothing new, and it reveals how fragile so-called modern technology can be. Because technology is designed by humans, it can in turn be exploited by humans. Undoubtedly, policies and regulations can help prevent these issues from happening, but the key is still humans: how humans observe, recognize and respond to a crisis.
If we focus on human nature, we find that people tend to relax and in turn become slow-witted in seemingly safe environments. However, in today's society, this attitude toward life invites dangers and losses because of the prevalence of the internet and related cyber crimes. Clearly, against persistent adversaries, ignorance is not a virtue at all.
To make people aware of this cruel reality, good leadership comes into play. That is, a good leader leads his people to change. In this era, especially in the world of cyber security, a good leader has to guide his people to be vigilant. Apart from following rules, it's important for a leader to train his people to reflect and think, so as to develop the instinct to judge the current situation quickly and fairly, and in turn make good decisions as Felt did in this case. It's difficult to acquire that insight and acumen, but we have to try.
CERTIKIT. (2021, March 19). Retrieved from https://certikit.com/iso27001-risk-assessment/
Gogo, Inc. (n.d.). Gogo Business Aviation cybersecurity summary. Retrieved from https://business.gogoair.com/ebooks-whitepapers/airborne-security-summary/
McAfee. (2015, January 12). To Preserve Bandwidth, Gogo Inflight Executes a Man-in-the-Middle Attack. Retrieved from https://www.mcafee.com/blogs/consumer/consumer-threat-reports/gogo-hacking-customers/
Nohe, P. (2019, April 30). Taking a Closer Look at the SSL/TLS Handshake. Retrieved from https://www.thesslstore.com/blog/explaining-ssl-handshake/
Paolo, R. D. (2018, July 5). Dedicated DMZ Security Architectures. Retrieved from https://www.acrosec.jp/dedicated-dmz/?lang=en
Petrow, S. (2016, February 24). I got hacked mid-air while writing an Apple-FBI story. Retrieved from https://www.usatoday.com/story/tech/columnist/2016/02/24/got-hacked-my-mac-while-writing-story/80844720/
Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved from https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/
Ristic, I. (2014). Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications. Feisty Duck.
Shorter, T. (2014, February 22). Apple’s SSL Bug: Another Man-in-the-Middle Attack. Retrieved from https://blog.keyfactor.com/apples-ssl-flaw-another-man-middle-attack
swhqq. (2015, July 27). Implementing an SSL man-in-the-middle attack by forging a CA certificate [通过伪造CA证书,实现SSL中间人攻击]. Retrieved from https://blog.csdn.net/u013152718/article/details/47081541
TheMeaningfulEngineer. (2018). How does a server know that it recieved an SSL close notify? Retrieved from Stack Overflow: https://stackoverflow.com/questions/45259977/how-does-a-server-know-that-it-recieved-an-ssl-close-notify