Published in ShiftCrypto

Important security news about version 4.4.0 upgrade

This update patches security vulnerabilities in the BitBox Hardware Wallet. We strongly encourage all users to update to the latest desktop app and BitBox firmware.

What is the current security status?

Christian Reitter, in coordination with Dr. Jochen Hoenicke, responsibly disclosed to us the U2FHID_INIT_RESP information leak vulnerability. During the initial handshake of the U2F protocol, 3 bytes of data stored in device RAM are leaked. The leaked data could potentially contain sensitive information, although we found no obvious way to exploit the vulnerability to do so in our case. We have released patches to fix the issue. We have no reports of lost funds and have found no evidence that the issue was exploited.
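To make the class of bug concrete for readers who integrate with or audit U2F devices, here is an added C illustration that is not BitBox code and does not describe the actual BitBox defect beyond the symptom stated above (3 extra bytes in the INIT response). The frame layout and constants come from the FIDO U2F HID protocol specification; the "leaky" builder's mechanism (a response assembled in a buffer that still holds earlier data, with a byte count that overshoots the 17-byte payload by 3) is an assumed stand-in chosen to reproduce that symptom. The hardened builder scrubs the packet and declares the exact payload length, and the host-side checker is the test a client or auditor can run: any INIT response whose declared byte count is not 17 is flagged. The nonce, channel id and device version are constructed values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* U2FHID framing constants from the FIDO U2F HID protocol specification. */
#define U2FHID_PACKET_SIZE 64
#define U2FHID_INIT        0x86          /* TYPE_INIT bit | INIT command */
#define CID_BROADCAST      0xffffffffu
#define INIT_NONCE_SIZE    8
/* INIT response payload: nonce(8) + new CID(4) + protocol version(1)
   + device major(1) + minor(1) + build(1) + capability flags(1) = 17 bytes */
#define INIT_RESP_SIZE     17
#define HDR_SIZE           7             /* CID(4) + CMD(1) + BCNTH(1) + BCNTL(1) */

/* Constructed device identity shared by both builders (not BitBox values). */
static const uint8_t kDevVersion[3] = {1, 0, 0};
static const uint8_t kCapabilities = 0x00;

static void put_u32_be(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get_u32_be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Writes the 17 spec-defined payload bytes starting at pkt[HDR_SIZE]. */
static void fill_init_payload(uint8_t *pkt, const uint8_t *nonce, uint32_t new_cid) {
    memcpy(&pkt[HDR_SIZE], nonce, INIT_NONCE_SIZE);
    put_u32_be(&pkt[HDR_SIZE + 8], new_cid);
    pkt[HDR_SIZE + 12] = 2;                       /* U2FHID protocol version */
    memcpy(&pkt[HDR_SIZE + 13], kDevVersion, 3);  /* device major.minor.build */
    pkt[HDR_SIZE + 16] = kCapabilities;
}

/* Hardened firmware-side builder: the packet is scrubbed before use and the
   declared byte count is exactly INIT_RESP_SIZE, so nothing beyond the
   17 defined bytes can reach the host. */
void build_init_response_hardened(uint8_t pkt[U2FHID_PACKET_SIZE],
                                  const uint8_t nonce[INIT_NONCE_SIZE], uint32_t new_cid) {
    memset(pkt, 0, U2FHID_PACKET_SIZE);          /* scrub stale RAM */
    put_u32_be(&pkt[0], CID_BROADCAST);
    pkt[4] = U2FHID_INIT;
    pkt[5] = 0; pkt[6] = INIT_RESP_SIZE;         /* BCNT big-endian = 17 */
    fill_init_payload(pkt, nonce, new_cid);
}

/* Illustrative leaky builder (assumed stand-in, not the BitBox code): the
   buffer is not cleared and the byte count overshoots the payload by 3,
   so 3 bytes of whatever was in RAM ride along to the host. */
void build_init_response_leaky(uint8_t pkt[U2FHID_PACKET_SIZE],
                               const uint8_t nonce[INIT_NONCE_SIZE], uint32_t new_cid) {
    put_u32_be(&pkt[0], CID_BROADCAST);          /* no memset */
    pkt[4] = U2FHID_INIT;
    pkt[5] = 0; pkt[6] = INIT_RESP_SIZE + 3;     /* off-by-three length */
    fill_init_payload(pkt, nonce, new_cid);
}

/* Host-side validation of an INIT response. Returns 0 for a spec-shaped
   17-byte reply to our nonce; a negative code names the first problem found.
   A byte count other than 17 is the symptom to watch for. */
int check_init_response(const uint8_t pkt[U2FHID_PACKET_SIZE],
                        const uint8_t nonce[INIT_NONCE_SIZE]) {
    if (get_u32_be(&pkt[0]) != CID_BROADCAST) return -1;   /* wrong channel */
    if (pkt[4] != U2FHID_INIT) return -2;                  /* not an INIT reply */
    uint16_t bcnt = (uint16_t)((pkt[5] << 8) | pkt[6]);
    if (bcnt != INIT_RESP_SIZE) return -3;                 /* extra or missing payload bytes */
    if (memcmp(&pkt[HDR_SIZE], nonce, INIT_NONCE_SIZE) != 0) return -4; /* nonce not echoed */
    if (pkt[HDR_SIZE + 12] != 2) return -5;                /* unexpected protocol version */
    return 0;
}

/* Constructed nonce and channel id for the demonstrations. */
static const uint8_t kNonce[INIT_NONCE_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8};
#define DEMO_CID 0x00010001u

/* Hardened builder on a buffer full of stale bytes: checker returns 0. */
int demo_hardened(void) {
    uint8_t pkt[U2FHID_PACKET_SIZE];
    memset(pkt, 0xAA, sizeof pkt);               /* simulate leftover RAM contents */
    build_init_response_hardened(pkt, kNonce, DEMO_CID);
    return check_init_response(pkt, kNonce);
}

/* Leaky builder on the same stale buffer: checker flags the length (-3). */
int demo_leaky(void) {
    uint8_t pkt[U2FHID_PACKET_SIZE];
    memset(pkt, 0xAA, sizeof pkt);
    build_init_response_leaky(pkt, kNonce, DEMO_CID);
    return check_init_response(pkt, kNonce);
}

/* How many bytes beyond the 17-byte payload the leaky builder declares (3). */
int demo_leaky_excess_bytes(void) {
    uint8_t pkt[U2FHID_PACKET_SIZE];
    memset(pkt, 0xAA, sizeof pkt);
    build_init_response_leaky(pkt, kNonce, DEMO_CID);
    return ((pkt[5] << 8) | pkt[6]) - INIT_RESP_SIZE;
}

int main(void) {
    printf("hardened=%d leaky=%d excess=%d\n",
           demo_hardened(), demo_leaky(), demo_leaky_excess_bytes());
    return 0;
}
```

The two firmware-side fixes shown are the general ones for this bug class: clear the response buffer before assembling a reply, and derive the declared length from the payload definition rather than from a buffer size. On the host side, rejecting any INIT reply whose BCNT is not 17 is a cheap check that would also have surfaced the extra bytes during testing.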

What should I do to stay safe?

Be sure to always use the latest desktop app and firmware. You can download the latest desktop app v4.4.0 here:

https://shiftcrypto.ch/start

The desktop app has the latest firmware (v6.0.0) embedded inside. The desktop app will guide you through the process of installing the firmware on the BitBox. Prior to upgrading, you can optionally verify your backups by following our BitBox Backup Verification Guide.

After the update, if you paired your mobile phone with the BitBox but are not using “Full 2FA” mode, one additional step is necessary. Please re-pair your mobile phone with the BitBox by clicking the ‘Reconnect Mobile App’ button under ‘Manage Device’ in the desktop app. If you have not yet paired a mobile phone, or are already using “Full 2FA”, no further action is required.

The update now enforces that transactions are sent to the mobile app if a mobile app has been paired with the BitBox. (Ethereum-based transactions, for example via the MyEtherWallet integration, are not supported on the mobile app yet and are excluded.) If you are using a client app other than the official BitBox app or MyEtherWallet, please contact us for more details. Note that unless Full 2FA mode is active, you always have the option to re-pair with your mobile phone, or with a new mobile phone, by clicking ‘Pair Mobile App’ under ‘Manage Device’ in the desktop app.

How can I stay updated?

Notifications about code updates are provided by the desktop app after startup. You can always download the latest version of the desktop app here:

https://shiftcrypto.ch/start

We encourage you to sign up to the security announce mailing list to stay up to date with the latest security news from Shift, including release notes and bug fixes, by following this link:

https://groups.google.com/a/shiftcrypto.ch/group/security-announce/subscribe

Through our BitBox Bug Bounty Program, we work with independent researchers to help find and fix bugs reported to us. We thank Christian Reitter for coordinating his responsible disclosure with us and other affected projects, and for his high degree of professionalism and support throughout the process.

As always, please do not hesitate to contact us at support@shiftcrypto.ch if you have questions.

Thank you for your continued support.

The Shift Cryptosecurity Team

Shift Crypto is based in Zurich, Switzerland. We build products that enable you to enjoy a stress-free journey from novice to mastery level of cryptocurrency management. The BitBox02 hardware wallet lets you store, protect and transact Bitcoin and other cryptocurrencies with ease.
