BitBox Desktop App 4.9.0 with BitBox01 Firmware 6.1.1 Release

This update includes an important security patch in the firmware. We recommend that you update to the latest desktop app and firmware before you next use your BitBox01.

What happened?

On 12 April 2019, Saleem Rashid responsibly disclosed two vulnerabilities regarding the blinking patterns of the BitBox01 to us through our bug bounty program. The update released on 13 June 2019 patches these vulnerabilities, and we strongly encourage all users to update to the latest desktop app and BitBox01 firmware. We have no reports of lost funds and have found no evidence that the vulnerabilities were exploited. We would like to thank Saleem Rashid for his continued support in improving the security of our products.

Am I at risk?

If you paired your BitBox01 with your mobile using our verification app, then you may be affected by the reported vulnerabilities.

If you are not using the mobile verification app to verify your transactions before signing, we encourage you to do so.

What should I do to stay safe?

Be sure to always use the latest desktop app and firmware. You can download the latest desktop app 4.9.0 here:

The desktop app has the latest BitBox01 firmware 6.1.1 embedded inside and will guide you through installing the firmware on the BitBox01. Prior to updating, you can optionally verify your backups by following our BitBox Backup Verification Guide.

After you have updated the firmware, you should pair your mobile with your BitBox01 again.

The new firmware better differentiates the blinking patterns of the BitBox01. Please have a look at to see what the various patterns indicate. Since a compromised app could trick you into performing a different action than you expect, it is important to understand what you are confirming when touching the BitBox01. Thus, we recommend that you print out this page and store the sheet together with your BitBox01.

Other changes

On 16 April 2019, it was reported to us that the BitBox01 firmware refused to sign multisig transactions in Electrum. The issue occurred following the firmware update 6.0.3. We fixed the issue with the firmware 6.0.4 and released it together with the desktop app 4.7.0 as a silent update on 10 May 2019. This fix is included in firmware 6.1.1 as well.

How can I stay up-to-date?

We encourage you to sign up to the security announce mailing list to stay up to date with the latest security news from SHIFT, including release notes and bug fixes, by following this link:

As always, please do not hesitate to contact us at if you have any questions.

Thank you for your continued support.

The Shift Cryptosecurity Team



Shift Crypto is based in Zurich, Switzerland. We build products that enable you to enjoy a stress-free journey from novice to mastery level of cryptocurrency management. The BitBox02 hardware wallet lets you store, protect and transact Bitcoin and other cryptocurrencies with ease.
