FUZE Bluetooth Credit Card is Vulnerable to Hacking over Bluetooth

Orange Pi Development Boards

FUZE Card is a Bluetooth enabled card with ePaper display that can store up to 30 real credit card. You’d program credit cards into it via Bluetooth Smart (BLE) using a smart phone app, and use it like a normal credit card while paying, after selecting the card you want to use. It’s more convenient than carrying many cards, and more secure since part of the number are hidden (shown as stars ****), so whoever get your card can’t easily make a copy of the information.

A problem however is that according to ICE9 Consulting, there’s a security vulnerability that allows credit card numbers to be stolen via Bluetooth: CVE-2018-9119.

The full details can be found on ICE9 blog post. They started to make a X-Ray to find out about the main components see (photo below), and the reverse-engineered the Bluetooth protocol using an Android smartphone, and software tools such as Burp Suite (optional),Wireshark + crusty Perl scripts, and gatttool / BlueZ.

Click to Enlarge

Read their blog post for the full details about the Bluetooth protocol used and vulnerability, but the takeaway is that an attacher with physical access to a FUZE card can:

  1. Bypass the lock screen.
  2. Read credit card numbers with expiration date and CVV.
  3. Tamper with data on the card.

The card is described and the vulnerability showcased in the video below.

ICE9 Consulting has tried to contact the company making the card (BrilliantTS), but did not get feedback until the flaw was made public, and now the company plans a fix on April 19 with both new firmware and mobile apps.

This vulnerability affects MCU firmware 0.1.73 and BLE firmware 0.7.4, and all cards are affected. If you own such FUZE card take good care of it, and avoid using it until its firmware is updated.

Leave a Reply

6 Comments on "FUZE Bluetooth Credit Card is Vulnerable to Hacking over Bluetooth"

avatar
  Subscribe  
newest oldest most voted
Notify of
Member

And this is why i dont trust any of these “smart” IoT devices

TLS
Guest

What exactly makes this IoT? As far as I can tell, it doesn’t connect to the internet.

willy
Guest

The problem is that vendors are making stupider and less secure devices everyday just to satisfy a majority of stupid and lazy consumers who don’t care a single second about their security provided they can save 3 seconds on average in payment time. The day banks and insurances will refuse to refund losses in case of manipulation error, communication hijacking or device intrusion over the air, things may have a chance to change. Until then it’s out of luck sadly, and we have to suffer from these new devices replacing the previous ones.

theguyuk
Guest

The way to secure devices is money. Make the Bank, card company and shop, liable for 5 times what is stolen. Theft will be eradicated over night. At present they just put the cost on, accounts administration charges.

willy
Guest

Will not work : if such a rule is put in place, the next year a law will appear increasing the charges against attackers. Right now if an ATM has a vulnerability and you exploit it to retrieve more money than you paid for, guess whom is sued ? Not the bank, not the ATM vendor, you. Incompetence is protected by law in many countries.

Juyang
Guest