This update includes an important security patch for the BitBox01, as well as new features in the BitBoxApp and BitBox02. We strongly encourage you to update to the latest desktop app and firmware before you next use your BitBox01.
Update: Due to an issue with the BitBox02 Bitcoin-only edition on Windows, we had to re-release its firmware as 4.2.2 with a new app version 4.14.1.
BitBox01: What happened?
On 17 September 2019, Saleem Rashid responsibly disclosed two vulnerabilities affecting the mobile pairing of the BitBox01 to us through our bug bounty program. The update released today patches these vulnerabilities, and we strongly encourage all BitBox01 users to update to the latest desktop app and BitBox01 firmware. In addition, make sure that the mobile verification app is up to date on your phone. We released a new version on 18 October 2019 to the Apple App Store and Google Play Store. We have no reports of lost funds and have found no evidence that the vulnerabilities were exploited. We would like to thank Saleem Rashid for his continued support in improving the security of our products.
BitBox01: Am I at risk?
If you paired your BitBox01 with your mobile phone using our verification app, then you are affected by the reported vulnerabilities. If you are not using the mobile verification app to verify your transactions before signing or your receive address before receiving, we encourage you to do so. Alternatively, you can purchase a BitBox02, which has a screen included.
BitBox01: What should I do to stay safe?
Be sure to always use the latest desktop app and firmware. You can download the latest BitBoxApp 4.14.0 here: https://shiftcrypto.ch/start.
The desktop app has the latest BitBox01 firmware, 7.0.3, embedded inside and will guide you through installing it on your BitBox01. Prior to updating, you can optionally verify your backups by following our BitBox01 backup verification guide.
After you have updated the firmware, you should pair your smartphone with your BitBox01 again.
BitBoxApp: Tor support
The BitBoxApp now supports Tor by connecting to a SOCKS proxy. Please only enable this option if you have Tor installed locally. Otherwise the app will not be able to load the accounts and fetch the fiat rates. If you run into problems, please contact firstname.lastname@example.org.
BitBox02: Special characters
The BitBox02 firmware — for both editions, Multi and Bitcoin-only — supports special characters in the optional passphrase entry screen. This feature improves interoperability with wallets from other vendors. We also refined the sensitivity of the touch sensors for both editions. If you notice the change, let us know whether you like it.
How can I stay up-to-date?
To stay up to date with the latest security news from Shift, including release notes and bug fixes, we encourage you to sign up to the security announce mailing list by following this link: https://groups.google.com/a/shiftcrypto.ch/group/security-announce/subscribe.
As always, please do not hesitate to contact us at email@example.com if you have any questions.
Thank you for your continued support.
The Shift Cryptosecurity Team