
# IoT SSL/TLS MITM Attack

The following figure depicts the experimental setting.

![](https://i.imgur.com/7qwEB8c.png)

## Ettercap

Install the latest version of Ettercap from its [GitHub repository](https://github.com/Ettercap/ettercap).

Installation details are described in the README and INSTALL files in the repository.

Edit the Ettercap configuration file so that:
- Ettercap keeps its root privileges while it is running.
- SSL/TLS packets are forwarded to the Ettercap SSL dissection component.

```
sudo vim /etc/ettercap/etter.conf
```

![](https://i.imgur.com/m2QQm8c.png)

![](https://i.imgur.com/Ey4yTd1.png)

Run Ettercap with superuser privileges.
- `-L`: log all packets sniffed by Ettercap, together with all the passive information (e.g. host info, usernames, and passwords) it can collect.
- `-G`: run in GUI mode.

```
sudo /path/to/ettercap -L ettercap -G
```

Note: by default, Ettercap forges SSL certificates in order to intercept HTTPS traffic. This feature can be disabled with the `-S` option.

**Start sniffing**

- Choose the network interface to be sniffed.
- Click the "Accept" button to start sniffing.

![](https://i.imgur.com/yiQVPSX.png)

**Scan hosts in the LAN**

- Click the "Scan for hosts" button.
- Click the "Hosts list" button to see the hosts found by Ettercap.

![](https://i.imgur.com/4OvRKLH.png)

**Select targets to be spoofed**

- In the "Host List" tab:
    - Select the row that corresponds to the Wi-Fi router, and click the "Add to Target 1" button.
    - Select the row that corresponds to the IoT device, and click the "Add to Target 2" button.

![](https://i.imgur.com/WDOq1hk.png)

- Select "Options" -> "Targets" -> "Current targets" to examine the selected targets.

Note: there is no concept of SOURCE or DESTINATION. The two targets are intended to filter traffic coming from one to the other and vice versa (since the connection is bidirectional).

![](https://i.imgur.com/RUljpXU.png)

**Perform ARP spoofing**

- Select "MITM menu" -> "ARP poisoning..."

![](https://i.imgur.com/kjbwMTx.png)

- Tick the "Sniff remote connections." checkbox, and click the "OK" button.

![](https://i.imgur.com/FgKSIWR.png)
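A defender-side counterpart to the ARP poisoning step above, added here as an example and not part of the original lab notes: a small Python script that scans observed ARP replies for the two signatures the poisoning leaves on the LAN, namely the router's or device's IP answering from a new MAC, and one MAC answering for both targets. The sample replies, IP addresses and MAC addresses are constructed, not captured from the testbed.

```python
"""Flag ARP-poisoning signatures in observed ARP replies (defender-side example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since start of observation
    sender_ip: str     # IP the reply claims
    sender_mac: str    # MAC the reply claims it belongs to


# Constructed sample, not a capture from the testbed. Two legitimate replies,
# then a third MAC claiming both the router's and the IoT device's IP, which
# is what poisoning both ends of a conversation looks like on the wire.
SAMPLE = [
    ArpReply(0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),    # router (Target 1)
    ArpReply(0.5, "192.168.1.20", "bb:bb:bb:bb:bb:20"),   # IoT device (Target 2)
    ArpReply(10.0, "192.168.1.1", "cc:cc:cc:cc:cc:99"),   # router IP, new MAC
    ArpReply(10.1, "192.168.1.20", "cc:cc:cc:cc:cc:99"),  # device IP, same new MAC
    ArpReply(11.0, "192.168.1.1", "cc:cc:cc:cc:cc:99"),   # poisoning is re-sent
    ArpReply(11.1, "192.168.1.20", "cc:cc:cc:cc:cc:99"),
]


def detect_arp_poisoning(replies, known=None):
    """Return alerts as tuples, in the order they are raised.

    ("mac-change", ip, old_mac, new_mac): an IP answers from a MAC other than
        the one first learned (or the static binding supplied in `known`).
    ("multi-ip", mac, ips): one MAC answered for more than one IP.
    Each distinct alert is reported once, however often the reply repeats.
    """
    bindings = dict(known or {})          # ip -> trusted (or first-seen) mac
    ips_per_mac = defaultdict(set)        # mac -> every ip it answered for
    reported = set()
    alerts = []
    for r in replies:
        trusted = bindings.setdefault(r.sender_ip, r.sender_mac)
        if trusted != r.sender_mac and (r.sender_ip, r.sender_mac) not in reported:
            reported.add((r.sender_ip, r.sender_mac))
            alerts.append(("mac-change", r.sender_ip, trusted, r.sender_mac))
        ips_per_mac[r.sender_mac].add(r.sender_ip)
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(("multi-ip", mac, tuple(sorted(ips))))
    return alerts
```

Passing a `known` map of static IP-to-MAC bindings (e.g. the router's) lets the check fire even when the monitor only started after the poisoning began.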

**Stop MITM attack**

- Click the "Stop MITM" button to stop the attack.

![](https://i.imgur.com/2mlpYEV.png)

Examine the log files created by Ettercap (`.ecp` holds the packet log, `.eci` the passively collected information).

```
etterlog ettercap.ecp
etterlog ettercap.eci
```

## Wireshark

On the attacker machine, use Wireshark to capture packets exchanged between the IoT device and the IoT server.

```
sudo wireshark
```

The capture shows that Ettercap replaced the authentic server certificate with a forged one and sent the forged certificate to the IoT device.

![](https://i.imgur.com/UNFunLp.png)