Implementation of an SMS-Based One-Time Password Stealing Attack on Android Application Accounts Using the Digispark Attiny85

Authors

  • Asep Setiawan, Badan Siber dan Sandi Negara
  • Ryan Muhammad Azizulfiqar Kamajaya, Badan Siber dan Sandi Negara

DOI:

https://doi.org/10.56706/ik.v18i1.89

Keywords:

android, badUSB, digispark, attiny85, exploitation, OTP theft

Abstract

One-Time Passwords (OTP), which have dominated the field of user authentication over the past decade, are the main obstacle for any attacker attempting to access sensitive information. Security experts are concerned that SMS message spoofing and man-in-the-middle (MITM) attacks can be used to defeat 2FA systems that rely on one-time passwords. OTP theft can be carried out through various attack channels, one of which is physical access to the device, i.e. mobile malware that steals OTP SMS messages. Attacks on mobile phones can also be carried out through micro-USB, by using the common interface exposed on the phone's micro-USB port. The aim of this research is to implement an SMS-based OTP stealing attack on Android applications using the Digispark Attiny85. The method used is the Software Development Life Cycle with an extreme programming approach. In this research, the authors constructed two attack scenarios to steal a victim's SMS-based OTP. The live attack scenario operates by injecting the Digispark Attiny85 directly into the victim's device, while the remote attack scenario uses malware downloaded via a script injected from the Digispark Attiny85. Testing used the path testing method for hardware testing and scenario testing for software testing. Scenario testing was applied to several applications, including mobile banking, digital wallet, instant messaging, and e-commerce applications. The results show that the implementation of the SMS-based OTP Stealing Attack succeeded in taking account OTPs from several of the victim's Android applications, as evidenced by the path testing and scenario testing results.


Submitted

01-12-2023

Accepted

07-05-2024

Published

28-05-2024

Section

Articles