Elementary Threat · BSI IT-Grundschutz

G 0.43 — Replaying of Messages

Reviewed by: Cenedril Editorial

Two business partners negotiate a major order by email. What neither of them suspects: an attacker has slipped into the mail traffic. He reads along, changes the bank details in the final invoice and forwards the otherwise unchanged message. The transfer of 95,000 euros lands in the attacker's account. Both sides notice the fraud only weeks later.

The replaying of messages — whether as a man-in-the-middle attack or as a replay attack — counts among the technically most elegant threats. The BSI lists the method as elementary threat G 0.43. The attack requires the attacker to penetrate the communication channel, and that is easier in many networks than people assume.

What’s behind it?

When messages are replayed, attackers send specially prepared or previously recorded messages to systems or people in order to gain an advantage or harm the victim. They exploit protocol specifications, interface descriptions or recorded communication traffic.

Two special cases dominate in practice: the replay attack and the man-in-the-middle attack.

Attack vectors

Replay attack. The attacker records a valid message and plays it back at a later point in time, unchanged or with minimal modifications. Even encrypted authentication data can be abused this way when the protocol provides no measures against replay (for example timestamps, nonces or sequence numbers): the recipient cannot tell a fresh message from a recorded one.

An attacker who records a user's login process can later use the recorded packets to impersonate that user, regardless of whether the password was transmitted encrypted, as long as the server accepts the same authentication message a second time.
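The following is an added example (not code from the BSI text or from Cenedril) that shows the two verifiers side by side: a naive one that only checks a message authentication code and therefore accepts a recorded request forever, and a hardened one that additionally binds each request to a timestamp window and a one-time nonce. The protocol, field names, shared key and the "approve order" request are illustrative assumptions.

```python
"""Replay-resistant message authentication: naive vs. hardened verifier.

Added example (not from the BSI text). The request format, the field names,
the shared key and the time window are illustrative assumptions.
"""
import hashlib
import hmac
import json
import time

SHARED_KEY = b"demo-shared-secret"   # assumed pre-shared key between client and server
MAX_SKEW_SECONDS = 30                # accepted clock drift; also bounds the replay window


def sign(key: bytes, fields: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, so both sides MAC the same bytes."""
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_request(user: str, action: str, nonce: str, ts: int) -> dict:
    """Client side: nonce and timestamp are part of the MACed body."""
    body = {"user": user, "action": action, "nonce": nonce, "ts": ts}
    return {**body, "mac": sign(SHARED_KEY, body)}


def naive_verify(msg: dict) -> bool:
    """Checks only that the MAC is valid: a captured message replays indefinitely."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    return hmac.compare_digest(sign(SHARED_KEY, body), msg["mac"])


class HardenedVerifier:
    """MAC check plus timestamp window plus a cache of already-accepted nonces."""

    def __init__(self, now=time.time):
        self._now = now
        self._seen = {}   # nonce -> time after which it can no longer be replayed

    def verify(self, msg: dict) -> bool:
        body = {k: v for k, v in msg.items() if k != "mac"}
        if not hmac.compare_digest(sign(SHARED_KEY, body), msg["mac"]):
            return False                       # forged or tampered (nonce/ts are MACed)
        now = self._now()
        if abs(now - msg["ts"]) > MAX_SKEW_SECONDS:
            return False                       # stale or future-dated: outside the window
        # Drop nonces whose timestamp check would fail anyway; keeps the cache bounded.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if msg["nonce"] in self._seen:
            return False                       # same nonce already accepted: replay
        self._seen[msg["nonce"]] = msg["ts"] + MAX_SKEW_SECONDS
        return True


def demo() -> dict:
    """Deterministic run with a controllable clock; returns each verifier's verdicts."""
    clock = [1_700_000_000]
    verifier = HardenedVerifier(now=lambda: clock[0])
    # Constructed capture: the legitimate client's approval message, as recorded by an attacker.
    captured = make_request("alice", "approve_order:4711", "n-8f3a", clock[0])
    results = {
        "naive_first": naive_verify(captured),
        "naive_replay": naive_verify(captured),          # accepted again: the order is duplicated
        "hardened_first": verifier.verify(captured),
        "hardened_replay": verifier.verify(captured),    # same nonce inside the window: rejected
    }
    clock[0] += 3600                                     # replay an hour later
    results["hardened_stale"] = verifier.verify(captured)
    forged = {**captured, "nonce": "n-0000"}             # new nonce to dodge the cache breaks the MAC
    results["hardened_forged_nonce"] = verifier.verify(forged)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The nonce cache only needs to remember nonces for as long as the timestamp check would still pass, which is why the expiry is the message timestamp plus the skew; A.8.17 (clock synchronisation) matters precisely because a server with a badly drifting clock either rejects legitimate traffic or widens the replay window.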

Man-in-the-middle attack. The attacker positions themselves unnoticed between two communication partners. They deceive the sender into thinking they are the recipient, and the recipient into thinking they are the sender. That gives them the ability to read, modify or withhold messages, all in real time, without the communication partners noticing.

Encryption without authentication offers no protection against an attacker who is already in the path. If the communication partners do not authenticate each other (for example by validating the peer's certificate), the man-in-the-middle can establish a separate encrypted channel with each side, decrypt the messages in between, read or alter them, and re-encrypt them before forwarding.
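To make the last point concrete, here is an added example (not from the BSI text or from Cenedril) of a man-in-the-middle on an unauthenticated Diffie-Hellman key exchange, followed by the authenticated variant that detects the substitution. The tiny group parameters, the HMAC-based toy keystream and the pre-shared identity key that stands in for a validated certificate are all illustrative assumptions, not production cryptography.

```python
"""Encryption without peer authentication does not stop a man-in-the-middle.

Added example, not taken from the BSI text. The toy Diffie-Hellman group, the
HMAC-based keystream and the pre-shared identity key standing in for a
certificate are illustrative assumptions; none of it is production crypto.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy modulus (a Mersenne prime), far too small for real use
G = 3            # toy base


def dh_public(private: int) -> int:
    return pow(G, private, P)


def dh_shared(peer_public: int, private: int) -> bytes:
    """Derive a 32-byte session key from the DH shared secret."""
    secret = pow(peer_public, private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with HMAC-SHA256(key, block counter).
    Hides content from a passive eavesdropper and nothing more (no integrity)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def unauthenticated_session(plaintext: bytes) -> dict:
    """Alice and Bob run plain DH; Mallory replaces both public values with her own."""
    a, b, m = (secrets.randbelow(P - 2) + 1 for _ in range(3))
    A, B, M = dh_public(a), dh_public(b), dh_public(m)
    k_alice = dh_shared(M, a)      # Alice keys with M, believing it came from Bob
    k_bob = dh_shared(M, b)        # Bob keys with M, believing it came from Alice
    k_mal_alice = dh_shared(A, m)  # equals k_alice
    k_mal_bob = dh_shared(B, m)    # equals k_bob
    wire = xor_stream(k_alice, plaintext)                 # Alice -> "Bob"
    seen = xor_stream(k_mal_alice, wire)                  # Mallory decrypts in the middle
    tampered = seen.replace(b"DE12 3456", b"LT99 0000")   # edits the bank details
    forwarded = xor_stream(k_mal_bob, tampered)           # re-encrypts for Bob
    return {"mallory_read": seen, "bob_received": xor_stream(k_bob, forwarded)}


IDENTITY_KEY = b"key-verified-out-of-band"   # assumption: stands in for a validated certificate


def authenticate(public: int, sender: str) -> bytes:
    """Bind a DH public value to an identity, as a certificate-backed signature would."""
    return hmac.new(IDENTITY_KEY, f"{sender}:{public}".encode(), hashlib.sha256).digest()


def authenticated_session(attack: bool) -> str:
    """Bob keys only with a public value whose identity tag verifies."""
    a = secrets.randbelow(P - 2) + 1
    A = dh_public(a)
    public, tag = A, authenticate(A, "alice")
    if attack:
        m = secrets.randbelow(P - 2) + 1
        public = dh_public(m)      # Mallory swaps the value but cannot produce a matching tag
    if not hmac.compare_digest(authenticate(public, "alice"), tag):
        return "abort: peer authentication failed"
    return "ok: authenticated key exchange"


if __name__ == "__main__":
    msg = b"Invoice 4711: pay 95000 EUR to IBAN DE12 3456 7890"
    out = unauthenticated_session(msg)
    print("Mallory read :", out["mallory_read"])
    print("Bob received :", out["bob_received"])
    print(authenticated_session(attack=True))
```

Both sides of the unauthenticated exchange end up with a perfectly good encrypted channel; it just terminates at Mallory rather than at the other party. The authenticated variant is what TLS certificate validation provides: the key exchange value is tied to an identity the receiver can verify, so a substituted value fails the check and the handshake is aborted.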

Practical examples

Replay attack on an order system. An employee places an approved material order through the internal system. Another employee — with access to the network — records the order message and replays it multiple times. The system processes each copy as a separate order. Only during the next inventory check does it emerge that three times as much material was delivered and paid for as was ordered.

Man-in-the-middle in a public Wi-Fi. A field-sales employee connects to the free Wi-Fi at the airport. An attacker operates a fake hotspot with an identical network name. All data traffic flows through the attacker's device. Logins to portals that still use plain HTTP, or whose certificate warnings the employee clicks through, are readable in clear text. The only thing the employee notices is that the connection is a little slower than usual.

ARP spoofing in the local network. In an office building with several tenants, different companies share a LAN segment. An attacker in a neighbouring office poisons the ARP tables and routes a company's entire traffic through their computer. Emails, internal web portals and even VPN connections now pass through the attacker's machine; everything that is not protected end to end by authenticated encryption can be read or altered.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 15 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.43 with the following modules:

  • NET.1.1 (Network architecture and design) — secure network architecture as a foundation against MitM attacks.
  • NET.3.2 (Firewall) — filtering and inspection of network traffic.
  • OPS.1.1.7 (System management) — secure administration over authenticated and encrypted channels.
  • APP.3.6 (DNS server) — protection against DNS spoofing, which facilitates MitM attacks.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.15 Access control
  • A.5.29 Information security during disruption
  • A.7.9 Security of assets off-premises
  • A.7.13 Equipment maintenance
  • A.8.1 User endpoint devices
  • A.8.3 Information access restriction
  • A.8.5 Secure authentication
  • A.8.7 Protection against malware
  • A.8.16 Monitoring activities
  • A.8.17 Clock synchronisation
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.22 Segregation of networks
  • A.8.23 Web filtering
  • A.8.31 Separation of development, test and production environments

Frequently asked questions

What is a replay attack?

In a replay attack the attacker records a valid message (for example a session token or the encrypted form of a password) and plays it back at a later time. Unless the protocol binds each message to a nonce, timestamp or sequence number, the target system accepts the message as valid and grants access, even though the original sender is not involved.

Does encryption protect against man-in-the-middle attacks?

Encryption alone does not protect when the communication partners are not securely authenticated. A man-in-the-middle can pose as the other party towards both sides and route a separate encrypted channel with each of them through themselves. Certificate-based authentication (TLS with proper certificate validation, and for sensitive systems certificate pinning or mutual TLS) is the effective protection.

How do I recognise a man-in-the-middle attack?

Typical indicators: unexpected certificate warnings in the browser, DNS anomalies, changes to ARP tables (in particular a gateway IP address suddenly answering with a different MAC address), unexplained delays in communication. Network monitoring and certificate-based authentication make such attacks visible.
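The ARP spoofing scenario under "Practical examples" and the "changes to ARP tables" indicator above can be checked mechanically. The following is an added example (not from the BSI text or from Cenedril) that runs over a constructed feed of observed ARP replies and raises an alert when an IP address starts answering with a different MAC, flagging the gateway separately, and when one MAC claims several IP addresses. The log format, addresses and events are constructed; a real deployment would feed this from a packet capture, an arpwatch-style tool or switch dynamic ARP inspection logs (an assumption).

```python
"""Flagging ARP cache poisoning from a feed of observed ARP replies.

Added example, not part of the BSI text. The log format, addresses and events
are constructed; a real deployment would feed this from a packet capture, an
arpwatch-style tool or switch dynamic-ARP-inspection logs (assumed).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample feed: one ARP reply per line, "<epoch> <sender-ip> <sender-mac>".
# In the last three lines a host takes over the gateway's IP and then a workstation's.
SAMPLE_LOG = """\
1700000000 10.0.5.1  00:11:22:33:44:01
1700000001 10.0.5.20 00:11:22:33:44:20
1700000002 10.0.5.21 00:11:22:33:44:21
1700000030 10.0.5.1  00:11:22:33:44:01
1700000061 10.0.5.1  aa:bb:cc:dd:ee:ff
1700000062 10.0.5.20 AA:BB:CC:DD:EE:FF
1700000090 10.0.5.1  aa:bb:cc:dd:ee:ff
"""


@dataclass(frozen=True)
class Alert:
    time: int
    kind: str
    detail: str


def parse(log: str) -> Iterator[Tuple[int, str, str]]:
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        yield int(ts), ip, mac.lower()   # MAC case differs between sources; normalise


def detect_arp_spoofing(log: str, gateway_ip: Optional[str] = None) -> List[Alert]:
    ip_to_mac = {}                   # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)    # every IP each MAC has answered for
    alerts: List[Alert] = []
    for ts, ip, mac in parse(log):
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            # The classic poisoning signature: an IP's MAC flips. The gateway
            # is the highest-value target and gets its own alert kind.
            kind = "gateway-mac-changed" if ip == gateway_ip else "ip-mac-changed"
            alerts.append(Alert(ts, kind, f"{ip}: {prev} -> {mac}"))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                # One interface answering for several hosts: typical of a
                # machine impersonating both ends of a conversation.
                alerts.append(Alert(ts, "mac-claims-multiple-ips",
                                    f"{mac}: {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_LOG, gateway_ip="10.0.5.1"):
        print(alert.time, alert.kind, alert.detail)
```

Treat these as indicators to correlate rather than verdicts: a MAC change is also what a replaced network card, a DHCP lease moving to another host or a router failover looks like, and routers, virtualisation hosts and VRRP/HSRP pairs legitimately answer for several IP addresses with one MAC. What makes the sample suspicious is the combination: the gateway's MAC changes without any maintenance, and the same new MAC immediately claims a workstation's address as well.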