Intro

One of the latest smartwatches in the market is the new Fitbit Ionic. It has technology to make NFC(Near Field Communication) payments called: Fitbit Pay. This company already has support from many different banks. Some of the most important in US are Bank of America, Wells Fargo and US Bank.

I had to clarify that I did not have opportunity to test any other smartwatches like Samsung Gear or Apple iWatch to compare with Ionic, so I am not sure if they share similarities with its NFC technology.

Talking about assumptions, I thought that the Ionic Fitbit Pay implemented a specific/documented NFC chip model, but I could not find any documentation relating a specific hardware nor even at its FCCID.io file.

Screen Shot 2018-02-10 at 8.58.25 PM

Setup

When I tested Fitbit Pay the first time, I noticed that the cryptogram does not change dynamically like Samsung Pay cloud-cryptogram. Fitbit Pay implements a SE(Secure Element) such as Apple Pay.

2018-02-10 21.19.27

I received different comments mentioning that how to analyze a transaction without Proxmark 3 nor an USB RFID reader. For this example, I will use the same Android device to sniff the NFC Ionic communication where I installed the Fitbit App. I am able to do this because the Fitbit Pay only requires exchange data with the phone to set up the bank card.

2018-02-10 21.19.16

After I added a Wells Fargo card to Fitbit Pay, I could make payments without a connection to the phone at all. To sniff the NFC connection I installed the Android NFC reader application.

Screen Shot 2018-02-10 at 10.02.17 PM

Sniffed Transaction

After I installed the Reader app, I was able to capture the APDU(Application Protocol Data Unit) communication:

This slideshow requires JavaScript.

v4.3.5
ATS:
00 A4 04 00 0E 32 50 41 59 2E 53 59 53 2E 44 44 46 30 31 00 // Terminal(phone)
6F 5D 84 0E 32 50 41 59 2E 53 59 53 2E 44 44 46 30 31 A5 4B BF 0C 48 61 1A 4F 07 A0 00 00 00 03 10 10 87 01 01 9F 2A 01 03 42 03 46 50 98 5F 55 02 55 53 61 1A 4F 07 A0 00 00 00 98 08 40 87 01 02 9F 2A 01 03 42 03 46 50 98 5F 55 02 55 53 61 0E 4F 09 A0 00 00 00 98 08 40 00 01 87 01 03 90 00
00 A4 04 00 07 A0 00 00 00 03 10 10 00 //Terminal(phone) Select AID
6F 4F 84 07 A0 00 00 00 03 10 10 A5 44 9F 38 1B 9F 66 04 9F 02 06 9F 03 06 9F 1A 02 95 05 5F 2A 02 9A 03 9C 01 9F 37 04 9F 4E 14 BF 0C 17 9F 4D 02 14 00 42 03 46 50 98 5F 55 02 55 53 9F 5A 05 11 08 40 08 40 50 0A 56 49 53 41 20 44 45 42 49 54 90 00
80 A8 00 00 37 83 35 F6 20 C0 00 00 00 00 00 00 01 00 00 00 00 00 00 08 40 00 00 00 00 00 08 40 18 02 10 00 47 24 BF 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 //Terminal(phone) Get Processing Options 
77 62 82 02 00 40 94 04 18 01 01 00 9F 36 02 00 07 9F 26 08 AC C8 66 0F 4C 97 59 65 9F 10 20 1F 4A 04 01 20 00 00 00 00 10 07 70 56 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9F 6C 02 00 80 57 13 XX XX D2 40 32 01 00 00 00 06 77 99 9F 9F 6E 04 24 88 00 00 9F 27 01 80 90 00
00 B2 01 1C 00 //Get SFI file
70 37 5F 28 02 08 40 9F 07 02 C0 80 9F 19 06 04 00 10 07 70 56 5F 34 01 00 9F 24 1D 56 30 30 31 30 30 31 35 38 31 37 32 34 34 30 37 38 37 33 36 39 31 31 38 37 38 37 32 35 90 00
80 CA 9F 4F 00 //Get log format
9F 4F 16 9F 36 02 9F 27 01 9F 02 06 9F 03 06 5F 2A 02 9A 03 9C 01 9F 4E 14 90 00
80 CA 9F 17 00 //read PIN – try counter
69 86
80 CA 9F 36 00 //read PIN – try counter
9F 36 02 00 08 90 00
00 A4 04 00 09 A0 00 00 00 98 08 40 00 01 00 //Terminal(phone) Select AID
6F 4F 84 07 A0 00 00 00 98 08 40 A5 44 9F 38 1B 9F 66 04 9F 02 06 9F 03 06 9F 1A 02 95 05 5F 2A 02 9A 03 9C 01 9F 37 04 9F 4E 14 BF 0C 17 9F 4D 02 14 00 42 03 46 50 98 5F 55 02 55 53 9F 5A 05 11 08 40 08 40 50 0A 56 49 53 41 20 44 45 42 49 54 90 00
80 A8 00 00 37 83 35 F6 20 C0 00 00 00 00 00 00 01 00 00 00 00 00 00 08 40 00 00 00 00 00 08 40 18 02 10 00 AD 0F CE 95 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 //Terminal(phone) Get Processing Options 
77 5C 82 02 00 40 9F 36 02 00 09 9F 26 08 15 83 BD AB 09 42 18 88 9F 10 20 1F 4A 04 00 20 00 00 00 00 10 07 70 56 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9F 6C 02 00 00 57 13 XX XX D2 40 32 01 00 00 00 06 77 99 9F 9F 6E 04 24 88 00 00 9F 27 01 80 90 00
80 CA 9F 4F 00 //Get log format
9F 4F 16 9F 36 02 9F 27 01 9F 02 06 9F 03 06 5F 2A 02 9A 03 9C 01 9F 4E 14 90 00
80 CA 9F 17 00 //read PIN try counter
69 86
80 CA 9F 36 00
9F 36 02 00 09 90 00