Real-time Clock (RTC) has been widely used in various real-time systems to provide precise system time. In this paper, we reveal a new security vulnerability of the RTC circuit, where the internal storage time or timestamp can be arbitrarily modified forward or backward. The security threat of dynamic modifications of system time caused by this vulnerability is called TimeTravel. Based on acoustic resonance and piezoelectric effects, TimeTravel applies acoustic guide waves to the quartz crystal, thereby adjusting the characteristics of the oscillating signal transmitted into the RTC circuit. By manipulating the parameters of acoustic waves, TimeTravel can accelerate or decelerate the timing speed of system time at an adjustable rate, resulting in the relative drift of the timing, which can pose serious safety threats. To assess the severity of TimeTravel, we examine nine modules and two commercial devices under the RTC circuit. The experimental results show that TimeTravel can drift system time forward and backward at a chosen speed with a maximum 93% accuracy. Our analysis further shows that TimeTravel can maintain an attack success rate of no less than 77% under environments with typical obstacle items.

翻译：实时时钟（RTC）已被广泛应用于各类实时系统中，以提供精确的系统时间。本文揭示了RTC电路存在的一种新型安全漏洞，该漏洞可导致其内部存储的时间或时间戳被任意向前或向后篡改。由该漏洞引发的系统时间动态篡改安全威胁被称为TimeTravel。基于声学共振与压电效应，TimeTravel向石英晶体施加声导波，从而调整传入RTC电路的振荡信号特性。通过操控声波参数，TimeTravel能够以可调节的速率加速或减缓系统时间的计时速度，导致时序的相对漂移，这可能引发严重的安全威胁。为评估TimeTravel的严重性，我们在RTC电路下测试了九个模块和两款商用设备。实验结果表明，TimeTravel能够以选定速度向前或向后漂移系统时间，最高准确率达93%。我们的进一步分析表明，在存在典型障碍物的环境中，TimeTravel仍能保持不低于77%的攻击成功率。