Medium Severity | Infrastructure

Man-in-the-Middle Attacks

When attackers intercept your AI communications

Without proper encryption, attackers can intercept and modify communications between your AI agent and external services, stealing data or injecting malicious responses.

What Is a MITM Attack?

A man-in-the-middle (MITM) attack occurs when an attacker secretly intercepts and potentially alters communication between two parties. For AI agents, this means intercepting:

- Prompts sent to the AI
- Responses from LLM providers
- API calls to external services
- Data transfers to databases
- Authentication tokens and credentials

MITM attacks are possible when encryption is missing, misconfigured, or can be bypassed. In self-hosted environments, proper TLS configuration is often overlooked, leaving communications vulnerable.

How MITM Attacks Work

No Encryption

Traffic sent over HTTP instead of HTTPS can be read by anyone on the network path.

Certificate Bypass

Disabling certificate verification (common in development) allows fake certificates.

DNS Hijacking

Redirecting domain lookups to attacker-controlled servers.

ARP Spoofing

On local networks, redirecting traffic through the attacker's machine.

SSL Stripping

Downgrading HTTPS connections to HTTP through proxy manipulation.

Rogue Access Points

Fake WiFi networks that intercept all traffic.

Real-World Example

A developer working from a coffee shop:

1. Connected to what they thought was the shop's WiFi
2. It was actually an attacker's rogue access point
3. Their AI agent made API calls over HTTP (not HTTPS)
4. The attacker captured their OpenAI API key from the traffic
5. The key was used to generate thousands of dollars in API charges
6. Malicious responses were also injected, causing the AI to behave unexpectedly

This attack is trivial to execute with freely available tools.

Potential Impact

Theft of API keys and credentials
Interception of sensitive data in transit
Injection of malicious AI responses
Session hijacking and impersonation
Manipulation of AI behavior
Compliance violations for unencrypted data

Self-Hosted Vulnerabilities

When you self-host your OpenClaw, you're responsible for addressing these risks:

HTTPS not configured or misconfigured
Self-signed certificates not properly validated
Certificate verification disabled for convenience
Internal traffic often unencrypted
No certificate pinning
Development configurations used in production

How Clawctl Protects You

Clawctl includes built-in protection against MITM attacks:

TLS Everywhere

All traffic is encrypted with modern TLS 1.3. No HTTP, no exceptions.

Managed Certificates

Certificates are automatically provisioned and renewed. No self-signed certs.

Certificate Pinning

Critical connections use certificate pinning to prevent MITM even with compromised CAs.

Secure Defaults

Security configurations are hardened by default. No insecure development settings in production.

Network Monitoring

Unusual network patterns that might indicate MITM attempts trigger alerts.

General Prevention Tips

Whether you use Clawctl or not, follow these best practices:

Always use HTTPS for all communications
Never disable certificate verification
Use certificate pinning for critical connections
Be cautious on public WiFi networks
Use VPNs when working remotely
Monitor for certificate anomalies
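
The first three tips, sketched as an added example (not Clawctl or OpenClaw code): a client that refuses plaintext URLs, keeps chain and hostname verification on, and then enforces a certificate pin. Assumptions: the function names are illustrative, pins are SHA-256 digests of the DER leaf certificate, and the TLS 1.2 floor is a choice made for this sketch.

```python
import hashlib
import socket
import ssl
from urllib.parse import urlsplit


def require_https(url: str) -> str:
    """Return the host of an https:// URL; refuse plaintext schemes."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-HTTPS endpoint: {url!r}")
    return parts.hostname


def strict_context() -> ssl.SSLContext:
    """Client context with chain and hostname verification left enabled."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    # Assumption: TLS 1.2 floor; raise to TLSv1_3 if every peer supports it.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_ok(der_cert: bytes, pins: set[str]) -> bool:
    """True if the presented certificate matches one of the pinned digests."""
    return fingerprint(der_cert) in {p.lower().replace(":", "") for p in pins}


def connect_pinned(url: str, pins: set[str], timeout: float = 10.0) -> str:
    """Handshake with full verification, then enforce the pin. Returns TLS version."""
    host = require_https(url)
    port = urlsplit(url).port or 443
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_context().wrap_socket(raw, server_hostname=host) as tls:
            if not pin_ok(tls.getpeercert(binary_form=True), pins):
                raise ssl.SSLCertVerificationError(f"pin mismatch for {host}")
            return tls.version()
```

Because the pin covers the whole leaf certificate, it changes at every renewal; keep the next certificate's digest in the pin set before rotating.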

Don't risk MITM attacks

Clawctl includes enterprise-grade protection against this threat and many others. Deploy your OpenClaw securely in 60 seconds.