CVE-2018-9119
Description
An attacker with physical access to a BrilliantTS FUZE card (MCU firmware 0.1.73, BLE firmware 0.7.4) can unlock the card, extract credit card numbers, and tamper with data on the card via Bluetooth because no authentication is needed, as demonstrated by gatttool.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Physical access to a BrilliantTS FUZE card allows Bluetooth-based theft of credit card numbers due to lack of authentication.
Vulnerability
The BrilliantTS FUZE Card (MCU firmware 0.1.73, BLE firmware 0.7.4) lacks authentication for Bluetooth Low Energy (BLE) commands. An attacker with physical access to the card can connect via BLE using tools like gatttool without any pairing or PIN verification [1][2][3]. This allows full read/write access to the card's memory, including stored credit card data.
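The control that is missing here is the BLE attribute permission level: a GATT server decides whether a central may read or write a characteristic by comparing the link's current security level against the level that attribute requires, and a device that sets every attribute to "no security" is readable by any unpaired central. The following Python model is an added illustration, not code from the page, the vendor, or the researchers; it encodes the LE Security Mode 1 levels, an ATT-style permission check, and an audit over two constructed characteristic tables (one that mirrors the reported behaviour, one hardened). The characteristic names and layout are assumptions made for the example and are not the card's actual GATT database.

```python
"""Model of BLE GATT attribute permissions and an exposure audit (added example).

The characteristic tables below are CONSTRUCTED for illustration and do not
describe the real FUZE card GATT layout.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class SecurityLevel(IntEnum):
    """LE Security Mode 1 levels, ordered so that a higher value is stronger."""
    NONE = 1                # unencrypted, unauthenticated link (what an unpaired central has)
    UNAUTH_ENCRYPTED = 2    # encrypted after Just Works pairing: no MITM protection
    AUTH_ENCRYPTED = 3      # encrypted after authenticated pairing (passkey / OOB)
    SECURE_CONNECTIONS = 4  # authenticated LE Secure Connections with a 128-bit key


@dataclass(frozen=True)
class Characteristic:
    name: str
    sensitive: bool                        # holds payment data or controls card state
    read_level: Optional[SecurityLevel]    # minimum link level to read; None = not readable
    write_level: Optional[SecurityLevel]   # minimum link level to write; None = not writable


def access_allowed(required: Optional[SecurityLevel], link: SecurityLevel) -> bool:
    """ATT-style check: the operation must be permitted and the link must meet the level."""
    return required is not None and link >= required


def audit(table: List[Characteristic],
          link: SecurityLevel = SecurityLevel.NONE) -> List[Tuple[str, bool, bool]]:
    """List sensitive characteristics a central at `link` can read or write.

    Returns (name, readable, writable) for each exposed characteristic. The default
    link level models an unpaired central, which is the situation the advisory describes.
    """
    exposed = []
    for c in table:
        if not c.sensitive:
            continue
        readable = access_allowed(c.read_level, link)
        writable = access_allowed(c.write_level, link)
        if readable or writable:
            exposed.append((c.name, readable, writable))
    return exposed


# Constructed table mirroring the reported defect: every attribute accepts an
# unauthenticated, unencrypted link, so card slots and the unlock control are open.
VULNERABLE_TABLE = [
    Characteristic("device_name", False, SecurityLevel.NONE, None),
    Characteristic("card_slot_1", True, SecurityLevel.NONE, SecurityLevel.NONE),
    Characteristic("card_slot_2", True, SecurityLevel.NONE, SecurityLevel.NONE),
    Characteristic("unlock", True, None, SecurityLevel.NONE),
]

# Constructed hardened table: sensitive attributes require an authenticated,
# encrypted link. Just Works pairing (level 2) is deliberately not enough, because
# it offers no protection against an active man-in-the-middle during pairing.
HARDENED_TABLE = [
    Characteristic("device_name", False, SecurityLevel.NONE, None),
    Characteristic("card_slot_1", True, SecurityLevel.AUTH_ENCRYPTED, SecurityLevel.AUTH_ENCRYPTED),
    Characteristic("card_slot_2", True, SecurityLevel.AUTH_ENCRYPTED, SecurityLevel.AUTH_ENCRYPTED),
    Characteristic("unlock", True, None, SecurityLevel.AUTH_ENCRYPTED),
]


def report(table: List[Characteristic], link: SecurityLevel) -> str:
    """Human-readable summary of the audit result for one link level."""
    exposed = audit(table, link)
    if not exposed:
        return f"link level {link.name}: no sensitive characteristic exposed"
    lines = [f"link level {link.name}: {len(exposed)} sensitive characteristic(s) exposed"]
    for name, r, w in exposed:
        lines.append(f"  {name}: read={'yes' if r else 'no'} write={'yes' if w else 'no'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("vulnerable table:")
    print(report(VULNERABLE_TABLE, SecurityLevel.NONE))
    print("hardened table:")
    for level in SecurityLevel:
        print(report(HARDENED_TABLE, level))
```

Running the script shows the two properties a reviewer would check on a device like this: with the vulnerable table an unpaired link already reaches every card slot and the unlock control, while with the hardened table the same data stays closed until the link reaches the authenticated-encryption level, so neither an unpaired central nor a Just Works pairing is sufficient.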
Exploitation
An attacker needs physical proximity to the card (within BLE range, ~10 meters) and physical access to the card itself (e.g., from a wallet or purse). No authentication is required. Using a standard BLE adapter and gatttool, the attacker can enumerate services and characteristics, then read the card's memory to extract credit card numbers, expiration dates, and CVV codes [2][3]. The same method can be used to write arbitrary data, tampering with stored cards.
Impact
Successful exploitation results in complete disclosure of all stored payment card information (credit card numbers, expiration dates, CVV) and the ability to modify or delete card data [1][2]. The attacker gains the ability to clone cards or alter the device's behavior, leading to financial fraud and identity theft. No user interaction is required beyond the attacker having physical access to the card.
Mitigation
As of the disclosure date (2018-04-04), no firmware update was available. The vendor, BrilliantTS, was notified in January 2018 but did not respond initially [3]. Later, in April 2018, they announced a planned firmware update for 2018-04-19 to address the issue [2]. Users are advised to maintain physical control of the card and consider discontinuing use until a patch is applied [3]. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: MCU firmware 0.1.73, BLE firmware 0.7.4
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.