- Attackers must position themselves between the victim and the target service.
- Certificate validation failures are a primary indicator of a MITM attempt.
- ARP spoofing and rogue Wi-Fi access points are common on-path techniques.
- Encrypted traffic protects content but does not prevent metadata collection.
- HSTS and certificate pinning reduce the window for TLS-based MITM attacks.
What is it and why it matters
A man-in-the-middle (MITM) attack occurs when an adversary secretly relays and possibly alters the communication between two parties who believe they are talking directly to each other. The attacker can capture login credentials, session tokens, financial details, or inject malicious payloads into otherwise legitimate data flows. MITM is particularly relevant for security professionals because it exploits trust in network infrastructure and cryptographic systems — two foundations that most security architectures depend on. Even encrypted traffic can be vulnerable if certificate validation is weak or if the attacker has compromised a trusted certificate authority.
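ARP spoofing, the on-path technique listed in the takeaways above, is caught on the defender's side by watching ARP replies for changed IP-to-MAC bindings and for one MAC answering for the gateway and other hosts at once, the pattern a relaying host leaves. The following is an added example, not code from this page; the ARP replies are constructed sample data and the flap window is an illustrative threshold.

```python
from collections import defaultdict, namedtuple

# One ARP reply as seen on the wire: capture time, claimed sender IP, sender MAC.
ArpReply = namedtuple("ArpReply", "ts ip mac")
# severity is HIGH/MEDIUM/LOW; kind is "binding-change" or "multi-ip-mac".
Alert = namedtuple("Alert", "severity kind ip mac ts")

def detect_arp_spoofing(replies, gateway_ip, flap_window=300.0):
    """Return poisoning alerts from ARP replies scanned in time order.
    binding-change: an IP's MAC changed (HIGH for the gateway, MEDIUM if it
    flipped within flap_window seconds, LOW if it moved later, e.g. DHCP).
    multi-ip-mac: one MAC answers for the gateway and another host at once."""
    alerts = []
    binding = {}                    # ip -> (mac, ts of last reply)
    ips_by_mac = defaultdict(set)   # mac -> every ip it has answered for
    flagged = set()                 # macs already reported as multi-ip-mac
    for r in sorted(replies, key=lambda x: x.ts):
        prev = binding.get(r.ip)
        if prev is not None and prev[0] != r.mac:
            if r.ip == gateway_ip:
                sev = "HIGH"
            else:
                sev = "MEDIUM" if r.ts - prev[1] <= flap_window else "LOW"
            alerts.append(Alert(sev, "binding-change", r.ip, r.mac, r.ts))
        binding[r.ip] = (r.mac, r.ts)
        claimed = ips_by_mac[r.mac]
        claimed.add(r.ip)
        if gateway_ip in claimed and len(claimed) > 1 and r.mac not in flagged:
            flagged.add(r.mac)
            alerts.append(Alert("HIGH", "multi-ip-mac",
                                ",".join(sorted(claimed)), r.mac, r.ts))
    return alerts

GATEWAY = "192.0.2.1"
# Constructed sample capture: TEST-NET-1 addresses, locally administered MACs.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.0.2.1", "02:00:00:00:00:01"),      # the real router
    ArpReply(1.0, "192.0.2.10", "02:00:00:00:00:10"),     # a workstation
    ArpReply(2.0, "192.0.2.20", "02:00:00:00:00:20"),     # host that later goes on-path
    ArpReply(30.0, "192.0.2.1", "02:00:00:00:00:20"),     # :20 now answers for the router
    ArpReply(31.0, "192.0.2.10", "02:00:00:00:00:20"),    # and for the workstation too
    ArpReply(4000.0, "192.0.2.30", "02:00:00:00:00:30"),
    ArpReply(9000.0, "192.0.2.30", "02:00:00:00:00:31"),  # lease moved hours later: LOW
]

if __name__ == "__main__":
    for a in detect_arp_spoofing(SAMPLE_REPLIES, GATEWAY):
        print(f"[{a.severity}] {a.kind} ip={a.ip} mac={a.mac} t={a.ts:.0f}")
```

On the sample capture this raises two HIGH alerts at t=30 (the gateway binding moves to :20, and :20 now answers for both the gateway and itself), a MEDIUM alert at t=31 and a LOW one for the late lease change.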
Real world examples
- Superfish / Lenovo adware (2015) — Lenovo pre-installed Superfish adware that installed a self-signed root CA certificate on consumer laptops, enabling MITM interception of all HTTPS traffic for ad injection.
- NSA QUANTUMINSERT program — A program that used packet injection to race the legitimate server's response, redirecting targets to malicious servers before the real reply arrived and enabling MITM exploitation at internet scale.
- DarkHotel APT (2014) — An APT group used hotel Wi-Fi networks as MITM platforms, serving fake software update prompts to targeted executives staying at luxury hotels.
