Wednesday, April 4, 2018 By Mike Ryan
This article covers FUZE Card, a Bluetooth-enabled reprogrammable credit card. The size and shape of a regular credit card, FUZE promises to be "your whole wallet in one card."
After receiving a FUZE Card from @MBHbox (his blog), I decided to take a careful look at it. In the process, I X-rayed the card, fully reverse engineered its Bluetooth protocol, and found a security vulnerability that allows credit card numbers to be stolen via Bluetooth (CVE-2018-9119).
ICE9 reported this vulnerability to BrilliantTS, the maker of FUZE, but they did not respond to repeated follow-ups and did not take action on the basis of our report. As of this writing, CVE-2018-9119 continues to be exploitable on production FUZE Cards in the wild.
Full Article.