CVE-2018-9119 in FUZE Card
Summary
by MITRE
An attacker with physical access to a BrilliantTS FUZE card (MCU firmware 0.1.73, BLE firmware 0.7.4) can unlock the card, extract credit card numbers, and tamper with data on the card via Bluetooth because no authentication is needed, as demonstrated by gatttool.
Analysis
by VulDB Data Team • 01/22/2020
The vulnerability identified as CVE-2018-9119 is a critical security flaw in the BrilliantTS FUZE card that exposes sensitive financial data because its Bluetooth interface performs no authentication. The issue affects specific firmware versions, including MCU firmware 0.1.73 and BLE firmware 0.7.4, creating a significant risk for users who rely on these cards for payment processing and data storage. Because Bluetooth communication requires no authentication at all, an unauthorized individual with physical access to the card can exploit it.
The technical implementation of this flaw involves the Bluetooth Low Energy communication protocol used by the BrilliantTS FUZE card, where attackers can utilize standard tools like gatttool to establish connections without requiring proper credentials or authorization. This lack of authentication creates an attack surface that directly violates fundamental security principles, as the system fails to implement any form of cryptographic authentication or access control mechanisms. The vulnerability operates at the application layer of the communication stack, specifically targeting the Bluetooth profile implementation that governs data exchange between the card and external devices.
From an operational perspective, this vulnerability presents a severe risk to cardholders and organizations using these payment cards, as it enables complete compromise of the card's security features. An attacker with physical access can unlock the card and extract credit card numbers, which directly maps to CWE-312 (Sensitive Data Exposure) and CWE-287 (Improper Authentication). The ability to tamper with data on the card further compounds the risk, potentially allowing for financial fraud, identity theft, and unauthorized transactions that could result in significant monetary losses for both individuals and businesses relying on these payment systems.
The impact of this vulnerability extends beyond immediate financial theft to include broader security implications for the entire payment ecosystem. Organizations using BrilliantTS FUZE cards face potential regulatory compliance issues, as the vulnerability violates security standards such as those outlined in the Payment Card Industry Data Security Standard (PCI DSS), which requires proper authentication and access controls. The attack vector through physical access combined with Bluetooth communication creates a particularly dangerous scenario where even users who believe their cards are secure can unknowingly expose sensitive information. Mitigation strategies should include immediate firmware updates, implementation of stronger authentication mechanisms, and potentially the deployment of additional security layers such as secure element encryption or hardware-based authentication tokens that would prevent unauthorized access through the Bluetooth interface.
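The missing check described above, as an added example (not BrilliantTS firmware and not code from the original page): a C model of the per-attribute security check a GATT server applies before serving a read or write, with an unprotected attribute table beside a hardened one. The handles, table names, permission bits and `att_check` are assumptions made for illustration; only the ATT error code values come from the Bluetooth Core Specification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ATT error codes (Bluetooth Core Specification, Attribute Protocol). */
enum { ATT_OK = 0x00, ATT_ERR_INVALID_HANDLE = 0x01, ATT_ERR_READ_NOT_PERMITTED = 0x02,
       ATT_ERR_WRITE_NOT_PERMITTED = 0x03, ATT_ERR_INSUFFICIENT_AUTHENTICATION = 0x05,
       ATT_ERR_INSUFFICIENT_ENCRYPTION = 0x0F };

/* Attribute permission bits (names are this example's own). */
enum { P_READ = 0x01, P_WRITE = 0x02, P_ENC = 0x04, P_AUTH = 0x08 };
typedef enum { OP_READ, OP_WRITE } att_op_t;
typedef struct { bool encrypted; bool authenticated; } link_t;  /* per-connection state */
typedef struct { uint16_t handle; uint8_t perm; } attr_t;

/* Constructed tables: handles are placeholders, not the FUZE card's real layout. */
static const attr_t open_table[] = {        /* no security bits: any client is served */
    {0x0010, P_READ},                        /* stored card data */
    {0x0012, P_WRITE},                       /* lock/unlock command */
};
static const attr_t hardened_table[] = {    /* authenticated pairing + encryption required */
    {0x0010, P_READ | P_ENC | P_AUTH},
    {0x0012, P_WRITE | P_ENC | P_AUTH},
};

/* Decide whether an ATT request may be served; returns an ATT error code. */
uint8_t att_check(const attr_t *tbl, size_t n, uint16_t handle, att_op_t op, link_t link)
{
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].handle != handle) continue;
        uint8_t p = tbl[i].perm;
        if (op == OP_READ && !(p & P_READ)) return ATT_ERR_READ_NOT_PERMITTED;
        if (op == OP_WRITE && !(p & P_WRITE)) return ATT_ERR_WRITE_NOT_PERMITTED;
        /* Security requirements: authentication first, then encryption. */
        if ((p & P_AUTH) && !link.authenticated) return ATT_ERR_INSUFFICIENT_AUTHENTICATION;
        if ((p & P_ENC) && !link.encrypted) return ATT_ERR_INSUFFICIENT_ENCRYPTION;
        return ATT_OK;
    }
    return ATT_ERR_INVALID_HANDLE;
}

int main(void)
{
    link_t unpaired = {false, false};
    printf("open table, unpaired read:     0x%02X\n", att_check(open_table, 2, 0x0010, OP_READ, unpaired));
    printf("hardened table, unpaired read: 0x%02X\n", att_check(hardened_table, 2, 0x0010, OP_READ, unpaired));
    return 0;
}
```

With the open table an unpaired client's read and write both succeed, which is the behaviour the CVE describes; with the hardened table the same requests are refused until the link is both authenticated and encrypted.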