Fuze Card : Updates coming up on 19th April

The new version of the mobile app and OTA firmware will be released on 19th April, 2018. The latest version, 1.1, will be safer and more secure, with new security measures and safeguards put in place to resolve the recently raised issues.

Recently, an independent researcher, Mike Ryan of ICE9, raised a question surrounding the customer’s high-level security information. Please note that we were already on notice of this issue in late January, as another independent source, Mike Pritchard of ELTTAM (an Australian security consulting firm), contacted our Company. Since our development/security team received the notice from ELTTAM, our responsible team has been working very diligently to analyze the issues, with the goal of increasing the safety and security features of the product and improving the overall product. As to the recent concerns that were raised, we would like to apologize to our Fuze community and the public at large.

Briefly, we have analyzed the issues and have already put in place an action plan and resolution that directly address them. The mobile app and OTA firmware will be updated with the additional security features in the upcoming new version.

For more details, you can find our action plan and the response status of the issues raised by ELTTAM below.

Potential security issues brought by ELTTAM, and progress on FuzeCard:

1. Issue: Any device may pair with the Fuze card and, once paired, has complete access to contained data, bypassing security provided by the application and bypassing all Fuze card security features, through direct use of the Fuze card’s advertised BLE service.
   Progress:
   • Only 8 of the whole 16 card numbers are transmitted. Sensitive data which may cause a security problem is not sent to the app. (19th April)
   • Since Bluetooth is not activated prior to passcode unlock, the passcode unlock cannot be hacked over Bluetooth. (30th April)
   • Enhanced security through data encryption and mutual authentication when the app and the card are synchronized via Bluetooth. (30th April)

2. Issue: Similar to the previous issue, Android eCard Manager activities may be started by a privileged phone user, such as MainActivity -> ManualScanActivity -> CardSyncActivity, to bypass user authentication.
   Progress: Completed (App update: 28th March)

3. Issue: Older versions of Android OS prior to 4.1 allow applications to read the Android log, potentially exposing this information to malware.
   Progress: Completed (App update: 28th March)

4. Issue: Android backup is enabled for the eCard Manager application, which may store eCard Manager data on the user’s Google Drive.
   Progress: Completed (App update: 28th March)

5. Issue: The Android eCard Manager application parses its Play Store web page to determine the current version. If an attacker can enter the string ‘softwareVersion”>’ within the Play Store page, such as through review comments which appear prior to the version number, they may have the ability to inject their own value into the application.
   Progress: Completed (App update: 28th March)
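
The parsing weakness in issue 5, shown next to a stricter parse, as an added example that is not Fuze's code and not part of the original notice. The page markup, version values and function names are constructed for illustration, and the notice does not say how the app was actually changed.

```python
import re

MARKER = 'softwareVersion">'  # the substring named in issue 5

# Constructed sample page (not real Play Store markup): review text that
# contains the marker appears before the genuine version element.
SAMPLE_PAGE = (
    '<div class="review">Nice card softwareVersion">9.9.9</div>\n'
    '<div itemprop="softwareVersion"> 1.0.4 </div>\n'
)


def naive_version(page):
    """Weak pattern: trust whatever follows the first marker occurrence."""
    start = page.find(MARKER)
    if start == -1:
        return None
    start += len(MARKER)
    end = page.find("<", start)
    return page[start:end].strip() if end != -1 else page[start:].strip()


# The whole element must match, and the value must be a dotted version.
VERSION_ELEMENT = re.compile(
    r'<div[^<>]*\bitemprop="softwareVersion"[^<>]*>\s*'
    r'(\d{1,4}(?:\.\d{1,4}){1,3})\s*</div>'
)


def strict_version(page):
    """Fail closed: exactly one well-formed version element, or None."""
    if page.count('itemprop="softwareVersion"') != 1:
        return None  # ambiguous page, refuse to pick one
    matches = VERSION_ELEMENT.findall(page)
    return matches[0] if len(matches) == 1 else None


def as_tuple(version):
    """Compare versions numerically, never as strings."""
    return tuple(int(part) for part in version.split("."))


if __name__ == "__main__":
    print("naive :", naive_version(SAMPLE_PAGE))   # attacker-placed value
    print("strict:", strict_version(SAMPLE_PAGE))  # genuine element only
```

Reading the current version from an endpoint the vendor controls avoids parsing a page that third parties can write to at all; the strict parse only limits the damage where scraping cannot be avoided.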

Once again, we would like to ask for your kind understanding on the recent issues that were raised, and we would like to emphasize that our team is deeply committed to providing the most secure and reliable product that the public can trust and rely on. We will continue to do our best to prevent and mitigate any security concerns.

If you have any security-related questions or concerns, please contact us at security@fuzecard.com. Our team will answer such inquiries as promptly as possible and to the best of our knowledge.


If you have any security-related suggestions, please follow the guidelines below:

- Do not disclose your questions, concerns or suggestions of our product to a third party without our consent.

- Do not conduct any actual testing or simulation on the actual product (e.g., attacking other users, etc.) for the sake of proving your point.

Please send us an email at security@fuzecard.com explaining and detailing the security concerns about our product. As always, your comments are sincerely appreciated, and any possible risk will be scrutinized and eliminated as quickly as possible.
