This update includes an important security patch in the firmware and new features in the desktop app. We recommend that you update to the latest desktop app and firmware before you next use your BitBox.
What’s new: QR code scanning and Portuguese translation
Another feature that many of you have requested is finally here: you can now scan a QR code to populate the receive address and the amount in the send screen.
We are continuously working on language support for our desktop app and Portuguese is the latest addition, after English, German, Japanese, Malay and Russian.
Please continue to send us your suggestions and requests. Thank you!
Details about the security patch
In our release on 8 Mar 2019 we addressed an issue with non-standard keypaths for the receive address. The firmware 6.0.3 update fixes a similar issue with regard to change addresses. This issue poses no risk to your existing coins, but if an attacker successfully compromised your computer, they could trick you into “locking” the change of an outgoing transaction and subsequently demand a ransom in exchange for “unlocking” it. To date we have no reports of this vulnerability being exploited.
In the case of Bitcoin and Litecoin, the coins in your account typically don’t add up precisely to the amount you want to send, so the app sends the change of the transaction back to your own account. In so-called hierarchical deterministic wallets, all keys are derived from a single seed, which the BitBox needs to back up to the microSD card only once, when you first create a new wallet. When a transaction is made, the desktop app determines which derived key the change is sent to. An attacker who successfully compromised your computer could make you lose your change by choosing an arbitrary derivation path unknown to you. The change would be lost because the range of potential keys is too vast to be searched thoroughly when recovering a wallet from a backup.
Additional details on the issue are available in our recent security-announce post.
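The kind of change-keypath check described above, as an added example (not code from the BitBox firmware): it accepts a change keypath only if it follows the BIP44-style layout m/purpose'/coin'/account'/1/index with a bounded account and index, so the change always lands on a key that a restore from backup would find. The function names and the limits MAX_ACCOUNT and MAX_ADDRESS_INDEX are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define HARDENED 0x80000000u
#define MAX_DEPTH 8
/* Assumed policy limits (hypothetical, not the firmware's real values). */
#define MAX_ACCOUNT 99u
#define MAX_ADDRESS_INDEX 9999u

/* Parse "m/44'/0'/0'/1/7" into path elements; returns depth or -1 on error. */
static int parse_keypath(const char *s, uint32_t out[MAX_DEPTH])
{
    int depth = 0;
    if (s[0] != 'm') return -1;
    s++;
    while (*s == '/') {
        char *end;
        s++;
        if (*s < '0' || *s > '9' || depth == MAX_DEPTH) return -1;
        unsigned long long v = strtoull(s, &end, 10);
        if (v >= HARDENED) return -1;           /* index must fit in 31 bits */
        out[depth] = (uint32_t)v;
        if (*end == '\'') { out[depth] |= HARDENED; end++; }
        depth++;
        s = end;
    }
    return *s == '\0' ? depth : -1;
}

/* Accept only m/purpose'/coin'/account'/1/index inside the bounded range
 * that a restore from backup would actually rescan. */
bool change_keypath_is_standard(const char *keypath, uint32_t purpose, uint32_t coin)
{
    uint32_t p[MAX_DEPTH];
    if (parse_keypath(keypath, p) != 5) return false;
    if (p[0] != (purpose | HARDENED)) return false;
    if (p[1] != (coin | HARDENED)) return false;
    if (!(p[2] & HARDENED) || (p[2] & ~HARDENED) > MAX_ACCOUNT) return false;
    if (p[3] != 1) return false;                /* 1 = change chain, unhardened */
    if (p[4] > MAX_ADDRESS_INDEX) return false; /* also rejects a hardened index */
    return true;
}
```

A signing device that applies a check like this refuses any transaction whose change output uses a path outside the small, predictable set, regardless of what the host computer requests.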
What should I do to stay safe?
We recommend that you always use the latest desktop app (4.6.0) which you can download here: https://shiftcrypto.ch/start.
The desktop app has the latest firmware 6.0.3 embedded inside and will guide you through installing it on the BitBox. If you want to verify your backups prior to updating, please follow our BitBox Backup Verification Guide.
We highly recommend that you pair your BitBox with your mobile phone in the device settings. The mobile verification app automatically verifies that the change of a transaction is indeed sent back to your account. By visually verifying that the recipient and the amount of the transaction match with the data displayed in the desktop app, you make sure that the transaction reaches the intended recipient.
How can I stay up-to-date?
The easiest way to stay up-to-date is via our desktop app. After startup, the desktop app displays a message if there is a newer version available.
In addition, we host a security announce mailing list to help you stay up to date with the latest security news from Shift, including release notes and bug fixes. You can sign up here: https://groups.google.com/a/shiftcrypto.ch/group/security-announce/subscribe.
As always, you can also contact us at email@example.com if you have further questions.
Thank you for your continued support.
The Shift Cryptosecurity Team