During a research project, SySS IT security expert Matthias Deeg found a security issue in the RFID-based TOTP hardware token Protectimus SLIM NFC. Due to a design error, the time (internal real-time clock) of this time-based one-time password (TOTP) hardware token can be set without any authentication and independently of the cryptographic secret key (seed value) used for generating one-time passwords.
Thus, an attacker with brief physical access to a Protectimus SLIM token can set the internal real-time clock (RTC) to a time in the future, generate one-time passwords at will, and afterwards reset the clock to the current time. This allows for generating valid future time-based one-time passwords that can be used later without any further access to the hardware token. From a security perspective, this is an undesired property for this kind of security device.
The described time traveler attack against the Protectimus SLIM NFC is demonstrated in our SySS PoC video "To the Future and Back - Attacking a TOTP Hardware Token".
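The property described above follows from how TOTP is computed (RFC 6238): a code depends only on the seed and the time step. The Python model below is an added example, not SySS or Protectimus code; the `Token` and `CoupledToken` classes, the constructed timestamps and the coupled design (a clock write erases the seed) are assumptions for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: a function of seed and time step only."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Token:
    """Hypothetical model: the clock can be written without touching the seed."""
    def __init__(self, seed: bytes, now: int):
        self.seed, self.rtc = seed, now

    def set_time(self, unix_time: int) -> None:
        self.rtc = unix_time  # no authentication, seed unchanged

    def display(self) -> str:
        return totp(self.seed, self.rtc) if self.seed else ""

class CoupledToken(Token):
    """Assumed alternative design: a clock write erases the seed (re-enrolment needed)."""
    def set_time(self, unix_time: int) -> None:
        self.rtc = unix_time
        self.seed = None

def verifier_accepts(seed: bytes, code: str, server_time: int) -> bool:
    """Server-side check for the current time step only (no drift window)."""
    return hmac.compare_digest(totp(seed, server_time), code)

def precomputed_code_verifies(token_cls) -> bool:
    """Does a code read after a forward clock change verify at that later time?"""
    seed = b"12345678901234567890"          # RFC 6238 test seed
    now, later = 1111111109, 1234567890     # constructed "current" and "future" times
    token = token_cls(seed, now)
    token.set_time(later)                   # clock moved forward
    code = token.display()
    token.set_time(now)                     # clock moved back
    return verifier_accepts(seed, code, later)

if __name__ == "__main__":
    print("independent clock:", precomputed_code_verifies(Token))
    print("clock coupled to seed:", precomputed_code_verifies(CoupledToken))
```

The verifier has no way to tell when a code was read off the device, so the coupling between clock and seed has to be enforced on the token itself.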