Security on every level

BitBox02 X-Ray

BitBox hardware wallets began in 2015, and every enhancement and security improvement has led to the BitBox02 available today. The BitBox02's hardware and software were built from the ground up, prioritizing security, with multiple external security teams reviewing its design and implementation.
All of our products are Swiss made and developed by our team of Bitcoin and crypto experts. You can help protect your financial sovereignty with the security features listed below.

Security features

Firmware & software security

Dual chip security architecture

A miniature computer (aka a microcontroller chip) inside the BitBox02 allows running open-source security code that is available from high-quality publicly-vetted repositories. A separate secure chip, the ATECC608B hardens access to your wallet in multiple ways. We pioneered the "dual chip" security concept in the original BitBox. Learn more about how it works in the BitBox02 by reading this blog article.

Read about the dual chip security architecture

Wallet seed storage

Three secrets are needed to access the encrypted wallet seed stored on the microcontroller. For a thief to gain access to a wallet, they must get all these pieces of data: a random secret on the secure chip, a random secret on the microcontroller, and a random secret not on the device - your device password. The secure chip mitigates against a thief brute forcing (aka guessing many times) a simple password. Learn more by reading the blog post mentioned above.

As an additional line of defense, the wallet seed is kept encrypted in RAM while the device is in use. It is only decrypted temporarily as needed, e.g. to sign a transaction, which reduces the attack surface and mitigates against potential attacks where the RAM could be accessed by an attacker. Read our blog post to learn more about this feature.

Open-source

Hide nothing by open sourcing everything, including the firmware on the BitBox02, the BitBoxApp, and x rays of the hardware, schematics.

Secure bootloader

The BitBox02 accepts only firmware signed by Shift Crypto. The bootloader prevents firmware downgrades and installing firmware for a different edition of the BitBox02 (Multi or Bitcoin-only). The bootloader can also display the hash of the firmware before running it for binary transparency.

Device authenticity check

Each BitBox02 is loaded with a secret attestation key during factory setup. This means the BitBoxApp or any wallet it connects to can check if the BitBox02 is a genuine device every time you use it.

Wallet seed generation

To add redundancy and failsafes, the BitBox02 uses five sources of randomness (aka entropy) to generate the wallet seed instead of a single source. Each source is cryptographically combined such that the overall entropy is at least as strong as the strongest of all, not the weakest of all. This mitigates against attacks even when four of the sources are compromised. The entropy sources are:

  1. A true random number generator on the secure chip
  2. A true random number generator on the microcontroller
  3. A static random number set during factory installation and unique to each BitBox02
  4. Host entropy provided by the app running on your computer, e.g. from /dev/urandom
  5. A cryptographic hash of the device password

The latter two are completely independent of the BitBox02.

Reproducible builds

Don't trust, verify! The BitBox02 firmware is reproducible, meaning anyone can compile the open-source firmware themselves and verify that the binary is exactly the same as the official release. You can find instructions and more details on how the reproducible builds work on our Github .

We also gather signatures from the community asserting the correctness of our releases.

Contribute and sign the bitbox02-firmware

In addition, the reproducible build is regularly tested by WalletScrutiny, a community project which aims to improve the security of Bitcoin wallets.

Read WalletScrutiny's analysis on reproducing the BitBox02 firmware

Physical protection

Secure display

The BitBox threat model assumes your computer can be compromised and should not be trusted. Therefore, securely verify transactions, receive addresses and other data using the built-in screen and touch confirmation (tap, slide and hold). Enter your password directly on the device instead of in the BitBoxApp.

Secure chip

As a fallback to avoid brute force attacks if the 10-attempt limit imposed by the microcontroller is somehow bypassed by a thief, a monotonic counter in the secure chip limits the total attempts of device-password entries. In addition, password stretching increases the amount of time needed to test each possible password, making such attacks infeasibly difficult.

Epoxy potting

The BitBox02 has a secure chip to protect against invasive attacks aimed at extracting key material. But to make invasive attacks even harder, the microcontroller and secure chip are covered with security grade epoxy, making them harder to access.

Breaking pins

The glue used to attach both halves of the BitBox02 casing is specially chosen to create a permanent bond between the pins of the top casing and the pin holes of the bottom casing. An attempt at separating both halves of the casing will physically break the pins. Two halves can no longer cleanly re-attach, thus making it obvious to the user that the BitBox02 has been opened.

Wallet backup

Instant microSD card backup

Backing up the seed to a microSD card ensures that you won't lose funds by accidentally writing down the wrong words. Furthermore, you do not need to watch out for hidden cameras or wondering eyes watching you set up your wallet.

Instantly verify backup at anytime

This feature promotes people to check their backups more often since it is easy to do. In addition, you can make new backups at any time, either on another microSD card or by viewing the seed words.

View recovery words after setup

In addition to the microSD card backup, you still have the option to display and write down your 24 recovery words after re-entering the device password.

Security audit & bug bounty program

External security audit

The BitBox02 firmware was audited by Census Labs along with consulting done by multiple third-party security firms.

Bug bounty program 🏴‍☠️

We take security reports very seriously: we run a bug bounty program and encourage independent researchers to audit our device and responsibly disclose any findings.

Participate in our bug bounty program

Privacy features

Encrypted USB channel

All USB communication between the BitBox02 and the host computer is encrypted using the noise protocol. Any malware sniffing the USB bus cannot decipher what communication is happening between the host and the BitBox02.

User data not stored on servers

When making a transaction using the BitBox02 and BitBoxApp, no personal identifiable data (such as an IP address) or transaction data is stored on our servers. We offer an option to connect to your own Bitcoin full node such that your financial history can remain private.

How to connect to your own node

Advanced features

Secure multisig/multisig account registration

We found that almost all hardware wallet multisig setups are insecure and are likely vulnerable to remote theft or ransom attacks. The main issue is they either skip over or incorrectly implement xpub verification. We believe the BitBox02 is the only hardware wallet to have correctly implemented multisig safely since the beginning.

Here is a blog post written by one of our engineers on the issues with multisig, how other hardware wallet vendors implemented them insecurely (and are still insecure now) and how the BitBox02 fixes them.

Show firmware hash before boot

This optional feature allows you to verify that you are using the correct firmware every time you plug in the device.

Create your own wallet with your own entropy

An optional feature that lets you create your own seed without the use of the BitBox02 random number generation. For example, a user could roll dice to generate a wallet and then import it into BitBox02. See how in this article .

Anti-klepto

The BitBox02 is the first hardware wallet that offers protection against the nonce covert channel attack, by supporting a protocol called anti-klepto. This attack can leak a private key via malicious transaction signatures. This blog post explains how the BitBox02 protects you against leaking private keys. We wrote the original pull request to the Bitcoin Core repository that made this possible.

Threat model

The BitBox02 security features reduce the attack surface, which means attackers have fewer options to steal your private keys and your coins.

Covering all possible scenarios is not trivial, there are situations where the security threats are harder to define. This is why we've published a threat model, where we explain what the BitBox02 protects your funds against.

Read the BitBox02 threat model