When analyzing the Protectimus SLIM TOTP hardware token, Matthias Deeg found out that the time used by the Protectimus SLIM TOTP hardware token can be set independently from the used seed value for generating time-based one-time passwords without requiring any authentication.
18da959eb49ff3d5b8d29ab92f7247fff8490774b451cce50831a03dc291d6c0
Advisory ID: SYSS-2021-007
Product: Protectimus SLIM NFC
Manufacturer: Protectimus
Affected Version(s): Hardware Scheme 70 / Software Version 10.01
Tested Version(s): Hardware Scheme 70 / Software Version 10.01
Vulnerability Type: External Control of System or Configuration Setting
(CWE-15)
"Time Traveler Attack"
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2021-02-04
Solution Date: -
Public Disclosure: 2021-06-16
CVE Reference: CVE-2021-32033
Author of Advisory: Matthias Deeg (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Protectimus SLIM NFC is a reprogrammable time-based one-time password
(TOTP) hardware token.
The manufacturer describes the product as follows (see [1]):
"
Protectimus SLIM mini is a new generation of reprogrammable TOTP
hardware tokens. They can be used in 2FA systems based on OATH
standards, and easily reflashed using an application installed on your
NFC-capable Android smartphone. It allows the user to determine the
OTP’s expires (30 or 60 seconds), and also set up a secret key.
"
Due to a design error, the time (internal real-time clock) of the
Protectimus SLIM TOTP hardware token can be set independently from the
used seed (secret key) for generating one-time passwords without any
required authentication.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
When analyzing the Protectimus SLIM TOTP hardware token, Matthias Deeg
found out that the time used by the Protectimus SLIM TOTP hardware token
can be set independently from the used seed value for generating
time-based one-time passwords without requiring any authentication.
Thus, an attacker with short-time physical access to a Protectimus SLIM
token can set the internal real-time clock (RTC) to the future,
generate one-time passwords, and reset the clock to the current time.
This allows for generating valid future time-based one-time passwords
without having further access to the hardware token.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
For demonstrating the time traveler attack exploiting the described
security vulnerability, Matthias Deeg developed a Lua script for the
Proxmark3 [2].
The following output exemplarily shows a successful attack for
generating a valid future one-time password for an attacker-chosen point
in time against a vulnerable Protectimus SLIM TOTP hardware token:
[usb] pm3 --> script run hf_14a_protectimus_nfc -t 2021-03-14T13:37:00+01:00
[+] executing lua
/home/matt/research/proxmark3/client/luascripts/hf_14a_protectimus_nfc.lua
[+] args '-t 2021-03-14T13:37:00+01:00'
[+] Found token with UID 3F10000323540E
[+] Set Unix time 1615725420
[!] Please power the token and press <ENTER>
[+] The future OTP on 2021-03-14T13:37:00+01:00 (1615725420) is 303831
[+] Set Unix time 1612451460
[+] finished hf_14a_protectimus_nfc
A SySS proof of concept video illustrating this security Vulnerability
is available on our SySS Pentest TV YouTube channel [5].
The developed Lua script for Proxmark3 is available on our GitHub
site [6].
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
SySS is not aware of a solution for the described security issue.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2021-02-04: Vulnerability reported to manufacturer
2021-02-04: Manufacturer acknowledges receipt of security advisory and
asks for further information
2021-02-05: SySS provides further information to manufacturer
2021-06-16: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for Protectimus SLIM NFC
https://www.protectimus.com/protectimus-slim-mini/
[2] Proxmark3 GitHub repository by the RFID Research Group
https://github.com/RfidResearchGroup/proxmark3
[3] SySS Security Advisory SYSS-2021-007
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-007.txt
[4] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
[5] SySS Proof of Concept Video: To the Future and Back - Attacking a
TOTP Hardware Token
https://www.youtube.com/watch?v=C0pM6TIyvXI
[6] Protectimus SLIM NFC Lua script for Proxmark3
https://github.com/SySS-Research/protectimus-slim-proxmark3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Matthias Deeg of SySS GmbH.
E-Mail: matthias.deeg (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en