This update includes an important security patch in the firmware. We recommend that you update to the latest desktop app and firmware before you next use your BitBox01.
On 12 April 2019, Saleem Rashid responsibly disclosed to us through our bug bounty program two vulnerabilities regarding the blinking patterns of the BitBox01. The update released on 13 June 2019 patches these vulnerabilities and we strongly encourage all users to update to the latest desktop app and BitBox01 firmware. We have no reports of lost funds and have found no evidence that the vulnerabilities were exploited. We would like to thank Saleem Rashid for his continued support in improving the security of our products.
Am I at risk?
If you paired your BitBox01 with your mobile using our verification app, then you may be affected by the reported vulnerabilities.
If you are not using the mobile verification app to verify your transactions before signing, we encourage you to do so.
What should I do to stay safe?
Be sure to always use the latest desktop app and firmware. You can download the latest desktop app 4.9.0 here: https://shiftcrypto.ch/start.
The desktop app has the latest BitBox01 firmware 6.1.1 embedded inside and will guide you through installing it on the BitBox01. Prior to updating, you can optionally verify your backups by following our BitBox Backup Verification Guide.
After you have updated the firmware, you should pair your mobile with your BitBox01 again.
The new firmware better differentiates the blinking patterns of the BitBox01. Please have a look at shiftcrypto.ch/bitbox01/blinking-patterns to see what the various patterns indicate. Since a compromised app could trick you into performing a different action than you expect, it is important to understand what you are confirming when touching the BitBox01. Thus, we recommend that you print out this page and store the sheet together with your BitBox01.
On 16 April 2019, it was reported to us that the BitBox01 firmware refused to sign multisig transactions in Electrum. The issue occurred following the firmware update 6.0.3. We fixed the issue with the firmware 6.0.4 and released it together with the desktop app 4.7.0 as a silent update on 10 May 2019. This fix is included in firmware 6.1.1 as well.
How can I stay up-to-date?
We encourage you to sign up for the security-announce mailing list to stay up to date with the latest security news from SHIFT, including release notes and bug fixes, by following this link: https://groups.google.com/a/shiftcrypto.ch/group/security-announce/subscribe.
As always, please do not hesitate to contact us at firstname.lastname@example.org if you have any questions.
Thank you for your continued support.
The Shift Cryptosecurity Team