-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2021-007 Product: Protectimus SLIM NFC Manufacturer: Protectimus Affected Version(s): Hardware Scheme 70 / Software Version 10.01 Tested Version(s): Hardware Scheme 70 / Software Version 10.01 Vulnerability Type: External Control of System or Configuration Setting (CWE-15) "Time Traveler Attack" Risk Level: Medium Solution Status: Open Manufacturer Notification: 2021-02-04 Solution Date: - Public Disclosure: 2021-06-16 CVE Reference: CVE-2021-32033 Author of Advisory: Matthias Deeg (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Protectimus SLIM NFC is a reprogrammable time-based one-time password (TOTP) hardware token. The manufacturer describes the product as follows (see [1]): " Protectimus SLIM mini is a new generation of reprogrammable TOTP hardware tokens. They can be used in 2FA systems based on OATH standards, and easily reflashed using an application installed on your NFC-capable Android smartphone. It allows the user to determine the OTP’s expires (30 or 60 seconds), and also set up a secret key. " Due to a design error, the time (internal real-time clock) of the Protectimus SLIM TOTP hardware token can be set independently from the used seed (secret key) for generating one-time passwords without any required authentication. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When analyzing the Protectimus SLIM TOTP hardware token, Matthias Deeg found out that the time used by the Protectimus SLIM TOTP hardware token can be set independently from the used seed value for generating time-based one-time passwords without requiring any authentication. Thus, an attacker with short-time physical access to a Protectimus SLIM token can set the internal real-time clock (RTC) to the future, generate one-time passwords, and reset the clock to the current time. This allows for generating valid future time-based one-time passwords without having further access to the hardware token. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): For demonstrating the time traveler attack exploiting the described security vulnerability, Matthias Deeg developed a Lua script for the Proxmark3 [2]. The following output exemplarily shows a successful attack for generating a valid future one-time password for an attacker-chosen point in time against a vulnerable Protectimus SLIM TOTP hardware token: [usb] pm3 --> script run hf_14a_protectimus_nfc -t 2021-03-14T13:37:00+01:00 [+] executing lua /home/matt/research/proxmark3/client/luascripts/hf_14a_protectimus_nfc.lua [+] args '-t 2021-03-14T13:37:00+01:00' [+] Found token with UID 3F10000323540E [+] Set Unix time 1615725420 [!] Please power the token and press [+] The future OTP on 2021-03-14T13:37:00+01:00 (1615725420) is 303831 [+] Set Unix time 1612451460 [+] finished hf_14a_protectimus_nfc A SySS proof of concept video illustrating this security Vulnerability is available on our SySS Pentest TV YouTube channel [5]. The developed Lua script for Proxmark3 is available on our GitHub site [6]. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: SySS is not aware of a solution for the described security issue. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2021-02-04: Vulnerability reported to manufacturer 2021-02-04: Manufacturer acknowledges receipt of security advisory and asks for further information 2021-02-05: SySS provides further information to manufacturer 2021-06-16: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Protectimus SLIM NFC https://www.protectimus.com/protectimus-slim-mini/ [2] Proxmark3 GitHub repository by the RFID Research Group https://github.com/RfidResearchGroup/proxmark3 [3] SySS Security Advisory SYSS-2021-007 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-007.txt [4] SySS GmbH, SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [5] SySS Proof of Concept Video: To the Future and Back - Attacking a TOTP Hardware Token https://www.youtube.com/watch?v=C0pM6TIyvXI [6] Protectimus SLIM NFC Lua script for Proxmark3 https://github.com/SySS-Research/protectimus-slim-proxmark3 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Matthias Deeg of SySS GmbH. E-Mail: matthias.deeg (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAmDIrr8ACgkQ2aS/ajSt TavEsBAAmfY2mDmF+F35XWhqcDn/935bLFDZTuNRwdijYfMFtOlSelh/UTLa+1Xd Ff5qBD7ATVpEjhp5ZN12MsBCi7Udv69b7a6vwUri2W44Jhgcya+IUSpBbFkUWFZz BTxCQgv2DsKwKA6QqZJpF0MnRWtG8n9VW+J5u2q7ZpIQco1G+PU7TlvcDwZTep7X dgnNqVc0kx6yg0bxXvGtR/fIySV1dchyGjhCNORdmUf2lToPCaJxApDSnSXP5lBG 4qcgMgXtC8ykJSHNaA5lDYjDCdCZliLSRPPxK30oxSWmbxsJheJPyytA+Vqm8gXw sOXfm52bEPdoG9aJIHowttIUD42S6dqtB2Exr6e6YhXkydx2/10g75CsctQFDR2u Ekhh88ZIzBPjKYdJMCjVA+fSnCxMvgxjPVS6Zx6TIsXRndh0yQGcpIyfuKSNImW2 z5cXVWPYj+q0kWY9Y2JRLA/5Xy7JsGdrOztu2aNw+kJGtA6JdChSuC6mO5wr4NuJ RWJJhB+/A1Qypg12NdWKVzD9ZvNKXeHI9+wLPRoc+TbprQ+6v7g1D4/Y/ndZncgS thlU65DSoGLo2TFFRxcpPFRPWDRzF+qhqtWB2z56iC6BA4i3GFLH+VfQoZY0QYOF riEHECMvizY41YBfSblBVf11Czhe05Mbgzp9XPFNTyzbsngEQvQ= =bCSd -----END PGP SIGNATURE-----