Whatever you do, don’t give this programmable payment card to your waiter
The makers of the programmable Fuze smart card say it's powerful enough to be your wallet in one card yet secure enough to be used the same way as traditional payment cards—including trusting it to restaurant servers when paying the bill. But it turns out that convenience comes with a major catch. A flaw makes it possible for anyone with even brief physical control of the card to surreptitiously siphon all data stored on the device.
Fuze representatives said they're aware of the vulnerability and plan to fix it in an update scheduled for April 19. They also thanked the two researchers who, independent of one another, discovered the vulnerability and privately reported it. So far, however, Fuze officials have yet to fully inform users of the extent of the risk so they can prevent private data stored on the cards from being stolen or tampered with until the critical flaw is repaired.
Faulty assumptions
Mike Ryan, one of the two researchers, said he created attack code that impersonated the Android app that uses a Bluetooth connection to load credit card data onto the smart cards. While the official Fuze app takes care to prevent pairing with cards that have already been set up with another device, Ryan's rogue app had no such restrictions. As a result, it allowed him to take complete control of a card, including reading, changing, or adding payment card numbers, expiration dates, and card-verification values.
Ryan said the vulnerability appeared to stem from an "oversight around assumptions of who would be able to communicate with the card." The assumption seemed to be that "if someone got hold of your card, they would never try to pair the card over Bluetooth and download the data." He reported the vulnerability here last week. A video of his exploit is below.
Stealing credit cards from FUZE over Bluetooth - CVE-2018-9119
The founder of security firm ICE9 Consulting, Ryan found the vulnerability using an X-ray machine and forensic software tools to thoroughly reverse engineer the inner workings of the Fuze. After analyzing the pairing process and the way the app communicated with the card, he quickly discovered it was possible for anyone with physical control to view or tamper with all the secret data it was designed to securely store.
Fuze officials deserve credit for fixing the flaw and setting up a dedicated email address to receive security vulnerability reports after Ryan had trouble getting his initial messages answered. But the lack of an adequate security advisory shows the company still has more improvements to make. The company should make it clear that, until the update is installed, Fuze users should always maintain tight control of their cards and not hand them to waiters as suggested on its website.
The promise of the Fuze is alluring: a single payment card-sized device that electronically stores data for dozens of other cards. With the press of a button, the user can choose the card to be billed and either swipe the card at a point-of-sale terminal or hand it to the merchant. The Fuze will seamlessly change the data displayed on its magnetic stripe.
The vulnerability is a reminder that sound security often works at cross purposes with the type of convenience Fuze is promising. The company's website devotes a large amount of space to the features it offers and the ease of using them, but it offers comparatively little space to describing its security.