Comments:
I love these PoC videos
Great Scott! ;)
Are you alright? Soooo, to use this "attack", you have to own the token for some time to reprogram the time, get the codes and program it back, right? If you, e.g., stole the token, isn't it easier to just get access? Useless.
Hi there, I'm Max from Protectimus. Thank you for your research. I'd just like to clarify that Protectimus Slim NFC tokens are available in two modifications, and the clients can choose which one is preferable for them. The client can choose the size and the firmware when ordering the tokens.
The first modification doesn't allow setting up the current time value without the secret key, which makes the time traveler attack impossible.
The second one allows setting up the current time value without entering the secret key, as you did with the help of your script. This firmware remains available as it's easier to use such tokens with some specific authentication services like Duo, etc. Some of our clients require exactly that firmware. This approach really makes the tokens vulnerable to the time-traveler attack. Still, it should be understood that the attacker needs to have physical access to the token to perform this kind of attack. At the same time, if anyone has physical access to the token, they don't need any special skills or scripts to hack the account of the owner of this token. It's enough to use the current OTP from the hardware token they have in their hands. The whole idea of hardware tokens is to keep them safe all the time, not allowing somebody to get hold of the device.
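The reply above describes two firmware behaviours (clock settable only with the secret key versus clock settable by anyone) and the resulting time-traveler attack. The following is an added example, not code from the post or from Protectimus: it implements RFC 4226/6238 HOTP/TOTP, models both firmware variants as hypothetical Python classes (the real NFC command set is not reproduced), and shows an attacker with brief physical access advancing the clock, harvesting codes for future windows, restoring the clock, and later having a harvested code accepted by a standard verifier. The seed is the RFC 6238 test vector, used here as constructed sample input.

```python
"""Model of the TOTP time-traveler attack (added example, not Protectimus code)."""
import hashlib
import hmac
import struct
from typing import Dict, Optional

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // STEP, digits)


class OpenClockToken:
    """Hypothetical model of the second firmware: the clock is settable without the seed."""

    def __init__(self, secret: bytes, now: int) -> None:
        self._secret = secret  # the seed never leaves the token
        self.clock = now

    def set_time(self, unix_time: int, secret: Optional[bytes] = None) -> None:
        self.clock = unix_time  # no authentication required

    def display(self) -> str:
        return totp(self._secret, self.clock)


class SealedClockToken(OpenClockToken):
    """Hypothetical model of the first firmware: setting the clock requires the seed."""

    def set_time(self, unix_time: int, secret: Optional[bytes] = None) -> None:
        if secret is None or not hmac.compare_digest(secret, self._secret):
            raise PermissionError("clock can only be set with the secret key")
        self.clock = unix_time


def harvest_future_codes(token: OpenClockToken, start: int, windows: int) -> Dict[int, str]:
    """Time-traveler attack: step the clock through future windows, read each OTP,
    then put the clock back so the owner notices nothing."""
    saved = token.clock
    codes: Dict[int, str] = {}
    for i in range(windows):
        t = start + i * STEP
        token.set_time(t)
        codes[t // STEP] = token.display()
    token.set_time(saved)
    return codes


def server_accepts(secret: bytes, code: str, now: int, skew: int = 1) -> bool:
    """Verifier side: accept the code for the current step or +/- `skew` steps."""
    base = now // STEP
    return any(hmac.compare_digest(code, hotp(secret, base + d))
               for d in range(-skew, skew + 1))


def sealed_rejects_unauthenticated_set(secret: bytes) -> bool:
    """True if the sealed-clock model refuses a clock change made without the seed."""
    token = SealedClockToken(secret, 1_700_000_000)
    try:
        token.set_time(1_700_000_030)
    except PermissionError:
        return token.clock == 1_700_000_000
    return False


def demo() -> bool:
    """Harvest codes one week ahead, restore the clock, replay one when that time arrives."""
    secret = b"12345678901234567890"  # RFC 6238 test seed, constructed sample input
    now = 1_700_000_000
    token = OpenClockToken(secret, now)
    attacker_start = now + 7 * 86400
    codes = harvest_future_codes(token, attacker_start, 3)
    token_restored = token.clock == now
    later = attacker_start + 10  # real time reaches the harvested window
    return token_restored and server_accepts(secret, codes[later // STEP], later)


if __name__ == "__main__":
    print("time-traveler replay accepted:", demo())
    print("sealed firmware blocks clock change:",
          sealed_rejects_unauthenticated_set(b"12345678901234567890"))
```

The point the model makes concrete: with the open-clock firmware the attacker needs the token only long enough to run the harvest loop, after which the owner holds a token that looks untouched while the attacker holds valid codes for chosen future windows; with the sealed-clock firmware the same loop fails on the first `set_time`. The verifier's `skew` window is the usual +/- one step, so harvested codes are usable only at the harvested time, which is exactly what a patient attacker wants.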
Very cool!
Very interesting. ReinerSCT Authenticator AFAIK is German-made hardware TOTP that allows "syncing" of time via QR. It has to have that mechanism (e.g. after battery depletion).
Can you check if your exploit works on it as well?