This update patches security vulnerabilities in the BitBox Hardware Wallet. We strongly encourage all users to update to the latest desktop app and BitBox firmware.
What is the current security status?
Christian Reitter, in coordination with Dr. Jochen Hoenicke, responsibly disclosed to us the U2FHID_INIT_RESP information leak vulnerability. During the initial handshake of the U2F protocol, 3 bytes of data stored in device RAM are leaked. The data could potentially contain sensitive information, although we found no obvious way to exploit the vulnerability to do so in our case. We have released patches to fix the issue. We have no reports of lost funds and have found no evidence that the issue was exploited.
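To illustrate the class of bug described above, the following added example (not BitBox firmware or app code) builds a U2FHID_INIT request and checks the 64-byte response frame for data in positions the FIDO U2F HID specification leaves undefined, which is where unintended device memory would show up. The frame layout and the 17-byte INIT response payload come from the public U2F HID specification; the sample frames and version values are constructed, and the example makes no claim about where exactly the 3 leaked bytes sat in the BitBox response.

```python
import struct

# U2F HID framing constants from the FIDO U2F HID protocol specification.
U2FHID_INIT = 0x86          # TYPE_INIT (0x80) | command number 0x06
CID_BROADCAST = 0xFFFFFFFF  # INIT requests travel on the broadcast channel
REPORT_SIZE = 64            # standard HID report size for U2F devices
INIT_RESP_LEN = 17          # nonce(8) + cid(4) + proto(1) + major(1) + minor(1) + build(1) + caps(1)


def build_init_request(nonce: bytes) -> bytes:
    """Build the 64-byte U2FHID_INIT request frame carrying an 8-byte nonce."""
    if len(nonce) != 8:
        raise ValueError("U2FHID_INIT nonce must be 8 bytes")
    frame = struct.pack(">IBH", CID_BROADCAST, U2FHID_INIT, len(nonce)) + nonce
    return frame.ljust(REPORT_SIZE, b"\x00")


def check_init_response(frame: bytes, nonce: bytes) -> dict:
    """Parse a U2FHID_INIT response and list offsets of non-zero bytes beyond the
    declared payload. The spec defines nothing there, so any such byte is data the
    device never meant to send (the information-leak pattern in the advisory)."""
    if len(frame) != REPORT_SIZE:
        raise ValueError("U2FHID report must be exactly 64 bytes")
    cid, cmd, bcnt = struct.unpack(">IBH", frame[:7])
    if cid != CID_BROADCAST or cmd != U2FHID_INIT:
        raise ValueError("not a U2FHID_INIT response on the broadcast channel")
    if bcnt != INIT_RESP_LEN:
        raise ValueError(f"unexpected INIT payload length {bcnt}")
    payload = frame[7:7 + bcnt]
    if payload[:8] != nonce:
        raise ValueError("nonce mismatch: response does not belong to our request")
    new_cid, proto, major, minor, build, caps = struct.unpack(">IBBBBB", payload[8:])
    leaked = [i for i in range(7 + bcnt, REPORT_SIZE) if frame[i] != 0]
    return {"cid": new_cid, "protocol": proto, "version": (major, minor, build),
            "capabilities": caps, "leaked_offsets": leaked}


def sample_response(nonce: bytes, leak: bytes = b"") -> bytes:
    """Constructed response frame: clean when `leak` is empty, otherwise the given
    bytes are placed right after the payload to mimic uncleared RAM in the padding."""
    payload = nonce + struct.pack(">IBBBBB", 0x00010001, 2, 1, 0, 0, 0)  # constructed
    frame = struct.pack(">IBH", CID_BROADCAST, U2FHID_INIT, len(payload)) + payload + leak
    return frame.ljust(REPORT_SIZE, b"\x00")


if __name__ == "__main__":
    nonce = bytes(range(8))  # constructed; use os.urandom(8) against a real device
    print(check_init_response(sample_response(nonce), nonce)["leaked_offsets"])
    print(check_init_response(sample_response(nonce, b"\x01\x02\x03"), nonce)["leaked_offsets"])
```

Against a real device the request would go out over the HID interface and the returned report would be passed to check_init_response; a non-empty leaked_offsets list is the condition the firmware fix is meant to remove.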
What should I do to stay safe?
Be sure to always use the latest desktop app and firmware. You can download the latest desktop app v4.4.0 here:
The desktop app has the latest firmware (v6.0.0) embedded inside. The desktop app will guide you through the process of installing the firmware on the BitBox. Prior to upgrading, you can optionally verify your backups by following our BitBox Backup Verification Guide.
After the update, if you paired your mobile phone with the BitBox but are not using “Full 2FA” mode, one additional step is necessary. Please re-pair your mobile phone with the BitBox by clicking the ‘Reconnect Mobile App’ button under ‘Manage Device’ in the desktop app. If you have not yet paired a mobile phone, or are already using “Full 2FA”, no further action is required.
The update now enforces that transactions are sent to the mobile app if a mobile app has been paired with the BitBox. (Ethereum-based transactions, for example via the MyEtherWallet integration, are not yet supported on the mobile app and are excluded.) If you are using a client app other than the official BitBox app or MyEtherWallet, please contact us for more details. Note that unless Full 2FA mode is active, you always have the option to re-pair with your mobile phone, or to pair a new mobile phone, by clicking ‘Pair Mobile App’ under ‘Manage Device’ in the desktop app.
How can I stay updated?
Notifications about code updates are provided by the desktop app after startup. You can always download the latest version of the desktop app here:
We encourage you to sign up for the security announce mailing list to stay up to date with the latest security news from Shift, including release notes and bug fixes, by following this link:
Through our BitBox Bug Bounty Program, we work with independent researchers to find and fix bugs reported to us. We thank Christian Reitter for coordinating his responsible disclosure with us and the other affected projects, and for his high degree of professionalism and support throughout the process.
As always, please do not hesitate to contact us at firstname.lastname@example.org if you have questions.
Thank you for your continued support.
The Shift Cryptosecurity Team