Important security news about version 4.4.0 upgrade

Shift Crypto
Jan 18, 2019 · 3 min read

This update patches security vulnerabilities in the BitBox Hardware Wallet. We strongly encourage all users to update to the latest desktop app and BitBox firmware.

What is the current security status?

Christian Reitter, in coordination with Dr. Jochen Hoenicke, responsibly disclosed to us the U2FHID_INIT_RESP information leak vulnerability. During the initial handshake of the U2F protocol, 3 bytes of data stored in device RAM are leaked. The data could potentially contain sensitive information, although we found no obvious way to exploit the vulnerability to do so in our case. We have released patches to fix the issue. We have no reports of lost funds and have found no evidence that the issue was exploited.
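The post says only that 3 bytes of device RAM escape in the U2FHID_INIT response, not where in the firmware they come from. The C below is an added illustration of the general bug class behind that kind of leak, not BitBox firmware code: a fixed-size 64-byte HID report is assembled in a reused buffer, the header and the 17-byte INIT payload are written, and the remaining bytes go out to the host holding whatever the buffer held before. The frame layout (broadcast CID, command 0x86, big-endian length, then nonce, channel, protocol version, device version, capabilities) follows the FIDO U2F HID spec; the device version numbers, the nonce and the 0xAA fill that stands in for stale RAM are constructed for the demo. The hardened builder zeroes the whole report first, and `count_trailing_nonzero` is the kind of host-side check a firmware test suite can run against every response to catch this class of leak.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HID_FRAME_LEN   64          /* one U2FHID report */
#define HDR_LEN          7          /* CID(4) + CMD(1) + BCNT(2) for an init packet */
#define U2FHID_INIT   0x86          /* TYPE_INIT | 0x06 */
#define CID_BROADCAST 0xffffffffu
#define INIT_RESP_LEN   17          /* nonce(8) cid(4) proto(1) major(1) minor(1) build(1) caps(1) */

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Init-packet header: channel id, command byte, big-endian payload length. */
static void write_header(uint8_t *frame, uint32_t cid, uint8_t cmd, uint16_t bcnt) {
    put_be32(frame, cid);
    frame[4] = cmd;
    frame[5] = (uint8_t)(bcnt >> 8);
    frame[6] = (uint8_t)bcnt;
}

/* The 17-byte U2FHID_INIT response payload. Device version fields are constructed values. */
static void write_init_payload(uint8_t *p, const uint8_t nonce[8], uint32_t new_cid) {
    memcpy(p, nonce, 8);               /* echo the host's nonce */
    put_be32(p + 8, new_cid);          /* channel allocated for this host */
    p[12] = 2;                         /* U2FHID protocol version */
    p[13] = 1; p[14] = 0; p[15] = 0;   /* device major/minor/build: placeholder values */
    p[16] = 0;                         /* capability flags */
}

/* Leaky pattern: header and payload are written, but the other 40 bytes of the
 * report keep whatever the buffer held before (stale RAM) and are sent to the host. */
void build_init_resp_leaky(uint8_t frame[HID_FRAME_LEN], const uint8_t nonce[8], uint32_t new_cid) {
    write_header(frame, CID_BROADCAST, U2FHID_INIT, INIT_RESP_LEN);
    write_init_payload(frame + HDR_LEN, nonce, new_cid);
}

/* Fixed pattern: zero the whole report before filling it, so unused bytes carry no data. */
void build_init_resp_fixed(uint8_t frame[HID_FRAME_LEN], const uint8_t nonce[8], uint32_t new_cid) {
    memset(frame, 0, HID_FRAME_LEN);
    write_header(frame, CID_BROADCAST, U2FHID_INIT, INIT_RESP_LEN);
    write_init_payload(frame + HDR_LEN, nonce, new_cid);
}

/* Host-side check for a firmware test: count non-zero bytes after the declared payload.
 * Anything other than 0 means the device is emitting memory it never meant to send.
 * Returns -1 if the declared length does not fit in the report. */
int count_trailing_nonzero(const uint8_t frame[HID_FRAME_LEN]) {
    size_t end = HDR_LEN + (size_t)(((unsigned)frame[5] << 8) | frame[6]);
    int n = 0;
    if (end > HID_FRAME_LEN) return -1;
    for (size_t i = end; i < HID_FRAME_LEN; i++) n += (frame[i] != 0);
    return n;
}

/* Demo: simulate stale RAM by pre-filling the report buffer with 0xAA before building. */
int demo_trailing_bytes(int use_fix) {
    uint8_t frame[HID_FRAME_LEN];
    const uint8_t nonce[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed host nonce */
    memset(frame, 0xAA, sizeof frame);
    if (use_fix) build_init_resp_fixed(frame, nonce, 0x00000001u);
    else         build_init_resp_leaky(frame, nonce, 0x00000001u);
    return count_trailing_nonzero(frame);
}

int main(void) {
    printf("leaky build: %d stale bytes sent to host\n", demo_trailing_bytes(0));
    printf("fixed build: %d stale bytes sent to host\n", demo_trailing_bytes(1));
    return 0;
}
```

The check only needs the length field from the header, so it can be pointed at captured USB HID reports from any device under test, not just the builder above; zero-fill before assembly is cheap on a microcontroller and removes the whole class of bug rather than the one instance.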

What should I do to stay safe?

Be sure to always use the latest desktop app and firmware. You can download the latest desktop app v4.4.0 here:

https://shiftcrypto.ch/start

The desktop app has the latest firmware (v6.0.0) embedded inside. The desktop app will guide you through the process of how to install the firmware on the BitBox. Prior to upgrading, you can optionally verify your Backups by following our BitBox Backup Verification Guide.

After the update, if you paired your mobile phone with the BitBox but are not using “Full 2FA” mode, one additional step is necessary. Please re-pair your mobile phone with the BitBox by clicking the ‘Reconnect Mobile App’ button under ‘Manage Device’ in the desktop app. If you have not yet paired a mobile phone, or are already using “Full 2FA”, no further action is required.

The update now requires transactions to be sent to the mobile app if a mobile app has been paired with the BitBox. (Ethereum-based transactions, for example via the MyEtherWallet integration, are not supported on the mobile app yet and are excluded.) If you are using a client app other than the official BitBox app or MyEtherWallet, please contact us for more details. Note that unless full 2FA mode is active, you always have the option to re-pair with your mobile phone, or with a new mobile phone, by clicking ‘Pair Mobile App’ under ‘Manage Device’ in the desktop app.

How can I stay updated?

Notifications about code updates are provided by the desktop app after startup. You can always download the latest version of the desktop app here:

https://shiftcrypto.ch/start

We encourage you to sign up to the security announce mailing list to stay up to date with the latest security news from Shift, including release notes and bug fixes, by following this link:

https://groups.google.com/a/shiftcrypto.ch/group/security-announce/subscribe

Through our BitBox Bug Bounty Program, we work with independent researchers to find and fix the bugs they report to us. We thank Christian Reitter for coordinating his responsible disclosure with us and other affected projects, and for his high degree of professionalism and support throughout the process.

As always, please do not hesitate to contact us at support@shiftcrypto.ch if you have questions.

Thank you for your continued support.

The Shift Cryptosecurity Team
