BitBox Desktop App 4.9.0 with BitBox01 Firmware 6.1.1 Release

Shift Crypto
Jun 14, 2019 · 2 min read

This update includes an important security patch in the firmware. We recommend that you update to the latest desktop app and firmware before you next use your BitBox01.


What happened?

On 12 April 2019, Saleem Rashid responsibly disclosed to us, through our bug bounty program, two vulnerabilities related to the blinking patterns of the BitBox01. The update released on 13 June 2019 patches these vulnerabilities, and we strongly encourage all users to update to the latest desktop app and BitBox01 firmware. We have no reports of lost funds and have found no evidence that the vulnerabilities were exploited. We would like to thank Saleem Rashid for his continued support in improving the security of our products.

Am I at risk?

If you paired your BitBox01 with your mobile using our verification app, then you may be affected by the reported vulnerabilities.

If you are not using the mobile verification app to verify your transactions before signing, we encourage you to do so.

What should I do to stay safe?

Be sure to always use the latest desktop app and firmware. You can download the latest desktop app 4.9.0 here: https://shiftcrypto.ch/start.

The desktop app has the latest BitBox01 firmware 6.1.1 embedded and will guide you through installing it on the BitBox01. Prior to updating, you can optionally verify your backups by following our BitBox Backup Verification Guide.

After you have updated the firmware, you should pair your mobile with your BitBox01 again.

The new firmware better differentiates the blinking patterns of the BitBox01. Please have a look at shiftcrypto.ch/bitbox01/blinking-patterns to see what the various patterns indicate. Since a compromised app could trick you into performing a different action than you expect, it is important to understand what you are confirming when touching the BitBox01. Thus, we recommend that you print out this page and store the sheet together with your BitBox01.

Other changes

On 16 April 2019, it was reported to us that the BitBox01 firmware refused to sign multisig transactions in Electrum. The issue occurred following the firmware update 6.0.3. We fixed the issue with the firmware 6.0.4 and released it together with the desktop app 4.7.0 as a silent update on 10 May 2019. This fix is included in firmware 6.1.1 as well.

How can I stay up-to-date?

To stay up to date with the latest security news from SHIFT, including release notes and bug fixes, we encourage you to sign up to the security announce mailing list: https://groups.google.com/a/shiftcrypto.ch/group/security-announce/subscribe.

As always, please do not hesitate to contact us at support@shiftcrypto.ch if you have any questions.

Thank you for your continued support.

The Shift Cryptosecurity Team
