This update includes bug fixes, important security patches, and a new feature. We recommend that you update to the latest desktop app and firmware when you next use your BitBox.
What’s new: desktop notifications
We have implemented a feature that many of you have requested: the desktop app now sends a notification when you receive coins. Please continue to send us your suggestions. Thank you.
Details about the fixes and security patches
We describe three separate issues below.
- MyEtherWallet on Chrome browser
If you use our MyEtherWallet web app integration, you could not log in with your BitBox when using the latest Chrome browser version 72.0.3626.119. The BitBox integration makes use of the Universal 2nd Factor (U2F) protocol for communication with MyEtherWallet in order to take advantage of the protocol’s anti-phishing and plug-n-play properties. The latest Chrome browser modified a parameter in the U2F protocol that affected this communication. We adjusted the integration to make use of a different U2F parameter that preserves the anti-phishing and plug-n-play properties while also remaining stable over time according to the published U2F standard.
- MyEtherWallet new URL
The MyEtherWallet web app has a new design. The previous version of the MyEtherWallet web app was moved to a new URL at https://vintage.myetherwallet.com, and the new URL wasn’t accessible to BitBox users. Our new firmware release allows you to choose which version of MyEtherWallet you wish to use.
- Receive addresses on the BitBox Mobile Verification App
Our internal security team discovered an issue in how the desktop app relays receive addresses to the mobile verification app. Please note that this issue poses no risk to your existing coins, but if an attacker successfully compromised your computer, they could trick you into “locking” new coins sent to you and subsequently demand a ransom in exchange for “unlocking” them. We have received no vulnerability exploitation reports to date.
Previously, any requested receive address could be viewed using the mobile verification app. As the range of possible receive addresses for any given wallet is nearly as high as the number of atoms in the universe, it’s important to restrict which addresses can receive coins. Here’s a technical report by a researcher, who independently came across the same issue. This firmware update limits the range of receive addresses that can be sent to the mobile app for verification and provides a warning notice to developers for “non-standard” receive addresses.
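The fix described above comes down to one check: before a receive address is relayed to the verification app, the firmware decides whether its derivation path is one the wallet will actually scan. An address derived outside that range is valid on-chain, but a wallet that only scans standard paths would never find coins sent to it, which is the “locking” scenario the announcement describes. The Python below is an added example of such a whitelist check; it is not the BitBox firmware’s code, and the policy it encodes (BIP44/49/84-style paths, account 0 only, the external chain only, address indices below 100) is an assumption chosen for illustration, not Shift’s actual rules.

```python
"""Constructed example: classify a BIP32 derivation path as "standard" or
"non-standard" before relaying the corresponding receive address to a
verification app. The policy constants are assumptions for illustration."""

import re

# BIP32 marks hardened child indices by setting the top bit (written 44' in path notation).
HARDENED = 0x80000000

# Illustrative policy (assumption, not the BitBox firmware's rules).
ALLOWED_PURPOSES = {44, 49, 84}      # BIP44 / BIP49 / BIP84 style wallets
ALLOWED_COIN_TYPES = {0, 60}         # SLIP-44: 0 = Bitcoin, 60 = Ether
MAX_ACCOUNT = 0                      # only the first account
MAX_ADDRESS_INDEX = 100              # receive indices 0..99 are scanned by the wallet

_PATH_RE = re.compile(r"^m(?:/\d+'?)*$")


def parse_path(path: str) -> list:
    """Parse "m/44'/0'/0'/0/5" into raw child indices; hardened levels get HARDENED OR'ed in."""
    if not _PATH_RE.match(path):
        raise ValueError(f"malformed derivation path: {path!r}")
    indices = []
    for part in path.split("/")[1:]:
        hardened = part.endswith("'")
        n = int(part.rstrip("'"))
        if n >= HARDENED:
            raise ValueError(f"index out of range: {part}")
        indices.append(n | HARDENED if hardened else n)
    return indices


def classify_receive_path(path: str) -> tuple:
    """Return ("standard", "") when the path is inside the policy, else ("non-standard", reason).

    A relay component would refuse to forward non-standard paths to the
    verification app (or at least surface a developer warning), so only
    addresses the wallet will actually scan for are ever shown as verified."""
    try:
        idx = parse_path(path)
    except ValueError as e:
        return "non-standard", str(e)
    if len(idx) != 5:
        return "non-standard", f"expected 5 levels (purpose/coin/account/change/index), got {len(idx)}"
    purpose, coin, account, change, index = idx
    # The first three levels must be hardened, as BIP44 requires.
    for name, level in (("purpose", purpose), ("coin_type", coin), ("account", account)):
        if not level & HARDENED:
            return "non-standard", f"{name} level must be hardened"
    if (purpose ^ HARDENED) not in ALLOWED_PURPOSES:
        return "non-standard", f"purpose {purpose ^ HARDENED} not allowed"
    if (coin ^ HARDENED) not in ALLOWED_COIN_TYPES:
        return "non-standard", f"coin_type {coin ^ HARDENED} not allowed"
    if (account ^ HARDENED) > MAX_ACCOUNT:
        return "non-standard", f"account {account ^ HARDENED} exceeds policy"
    # Receive addresses live on the external chain (change = 0), never hardened.
    if change != 0:
        return "non-standard", "only the external chain (change = 0) is allowed for receive addresses"
    # The address index must be non-hardened and within the range the wallet scans.
    if index & HARDENED or index >= MAX_ADDRESS_INDEX:
        return "non-standard", f"address index outside 0..{MAX_ADDRESS_INDEX - 1} or hardened"
    return "standard", ""


if __name__ == "__main__":
    # Constructed sample paths: the last three would hold coins the wallet never scans for.
    for p in ("m/44'/0'/0'/0/5", "m/84'/0'/0'/0/99",
              "m/44'/0'/0'/0/100", "m/44'/0'/0'/1/0", "m/44'/0'/7'/0/0"):
        print(p, "->", classify_receive_path(p))
```

The important design choice is that the check runs on the derivation path, not on the address string: two addresses can look equally valid, and only the path tells you whether the wallet’s own scanning range covers it. Returning a reason string alongside the verdict is what makes the developer-facing warning the announcement mentions possible.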
What should I do to stay safe?
We recommend that you always use the latest desktop app (4.5.0) which you can download here: https://shiftcrypto.ch/start.
The desktop app has the latest firmware 6.0.2 embedded inside. The desktop app will guide you through the process of how to install the firmware on the BitBox. If you want to verify your backups prior to updating then please follow our BitBox Backup Verification Guide.
We highly recommend that you pair your BitBox with your mobile phone in the device settings. You can then use the mobile verification app to verify that the receive address matches the receive address displayed in the desktop app. This verification provides an additional layer of security.
How can I stay up-to-date?
The easiest way to stay up-to-date is via our desktop app. After startup, the desktop app provides notifications about code updates. Download the latest version here: https://shiftcrypto.ch/start.
In addition, we host a security announce mailing list to help you stay up to date with the latest security news from Shift, including release notes and bug fixes. You can sign up here: https://groups.google.com/a/shiftcrypto.ch/group/security-announce/subscribe.
As always, you can also contact us at email@example.com if you have further questions.
Thank you for your continued support.
The Shift Cryptosecurity Team