Wiretapping isn’t as difficult as you might think.
Kevin Mitnick, a former black hat hacker turned security consultant, can do it in just a few minutes. Using a test-bed setup, Mitnick demonstrates in a video first published earlier this year how to perform a man-in-the-middle attack to get access to your email, your passwords, and even your bank account by tapping into a commonly-used fiber optic connection.
Anyone with basic, off-the-shelf equipment can do the same. Using a fiber optic coupler, Mitnick is able to conduct a simple wiretap without breaking into the fiber itself.
From there, he’s able to demonstrate accessing emails on the wire, passwords, and other content, highlighting not only how weak our networks are by default but also how important encryption is to everyone.
The attack is almost impossible to detect, but it is entirely preventable. Good encryption is the answer, said Mitnick.
And it can’t come at a more relevant time.
The US government has in recent months complained about the lack of access to user data, because companies — like Apple and Google — are employing zero-knowledge encryption systems, meaning they can’t be subpoenaed. Now, the feds have to go to the very people they are investigating or prosecuting.
Governments are hungry to crack encryption, or outlaw it, which they say would prevent terrorist attacks — even though there is no evidence to support such claims. Often neglected is the hacker argument: The small number of those who use encrypted communications for malicious purposes cannot undo the vast and overwhelming good that it serves to protect others against hackers and malicious actors.
Mitnick said anyone using this wiretapping technique can be “an NSA for the day,” referring to the National Security Agency. With the help of its British counterpart, the NSA is known to have tapped the bulk of submarine fiber optic cables, giving them unprecedented access to the world’s communications.
“When properly used, browser HTTPS access protects the path to the user to and from his or her mail service,” said ZixCorp executive Geoff Bibby. But, he warned, it does nothing to protect messages when they traverse the web, unless both the sender and receiver’s email services use encryption.
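
To see which legs of a delivered message were actually encrypted between mail services, a recipient can read the `Received` trace headers, where servers record the transfer protocol (the RFC 3848 keywords such as `ESMTPS`). The following is an added example, not from the article or ZixCorp; the message, hostnames and addresses are constructed.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords whose trailing S means the hop used TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

# Constructed sample: webmail submission and final delivery use TLS,
# but the server-to-server leg across the internet does not.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby store.recipient.example with LMTPS id c3; Tue, 1 Dec 2015 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id b2; Tue, 1 Dec 2015 10:00:02 +0000
Received: from webmail.sender.example (localhost [127.0.0.1])
\tby out.sender.example with ESMTPSA id a1; Tue, 1 Dec 2015 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

body
"""

def hops(raw):
    """Return (sender, receiver, protocol, used_tls) per hop, oldest first."""
    msg = message_from_string(raw)
    result = []
    # Each server prepends its header, so reverse to get delivery order.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m is None:
            # Unparseable trace line: treat as unverified, not as encrypted.
            result.append((None, None, "UNKNOWN", False))
            continue
        sender, receiver, proto = m.group(1), m.group(2), m.group(3).upper()
        result.append((sender, receiver, proto, proto in TLS_PROTOCOLS))
    return result

def cleartext_hops(raw):
    """Hops a passive tap on the wire could have read."""
    return [(s, r) for s, r, _, tls in hops(raw) if not tls]

if __name__ == "__main__":
    for sender, receiver, proto, tls in hops(SAMPLE):
        print(f"{sender} -> {receiver}: {proto} ({'TLS' if tls else 'CLEARTEXT'})")
```

Trace headers are written by each receiving server and earlier ones can be forged, so treat the result as evidence about the hops you trust, not proof for the whole path.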