Get the latest BitBoxApp here: https://shiftcrypto.ch/download
What started as a military installation in 1943 is now a comfortable alpine hut open in summer and winter. Imagine this: the Maighelshütte was sold to the Swiss Alpine Club in 1968, for a total of 50 Swiss Francs. We can’t blame this on inflation, though.
The BitBox02 hardware wallet is a security device. This is why we encourage independent audits and are upfront with issues found and fixed.
On January 4th, 2022, we identified a potential vulnerability in the BitBox02. If someone with a decent level of software engineering skills had targeted you specifically and had been able to...
- store a compromised backup on your microSD card before you set up the BitBox02,
- and make sure you ran an unofficial and malicious version of the BitBoxApp,
...then they could have made it seem like the setup wizard was creating a new wallet while restoring the compromised backup in the background.
The update released today fixes this issue and eliminates this attack scenario completely for initializing the BitBox02 going forward. The BitBox02 now clearly asks you to confirm on the device screen if you want to restore a wallet from a backup.
This is a theoretical attack scenario. We identified this issue ourselves; there are no reports of lost funds, and we did not find any evidence that the vulnerability was exploited.
What should I do to stay safe?
If you are sure that you downloaded the official BitBoxApp, and nobody tampered with your microSD card, you don’t need to do anything. Also, if you still know that your wallet name was displayed on BitBox02 during setup, there is nothing else to do.
To be sure, simply check your backup name: the wallet name you gave during setup is the same name as your backup. Put the microSD card into your BitBox02, go to “Manage backups” in the BitBoxApp, and click on “Check backup” to display the backup name on your BitBox02. If you recognize the name, this means the backup is yours. A potential attacker would not be able to change the backup name to the one you entered during the wallet setup.
In case you’re still not quite sure, please contact us at [email protected].
Road to Bitcoin Taproot
With this release, you’ll be able to send your bitcoin to taproot addresses. This is the first step towards full Taproot support, and we plan to enable receiving to taproot addresses (which of course includes sending these coins again by signing with taproot) in the next release. While it pains us to see how far behind some of the biggest (custodial) players in the crypto ecosystem are (e.g., still no support to send to Segwit addresses after more than two years), it’s great to see how quickly non-custodial Bitcoin tools enabled Taproot as new technology. Open-source and self-custody FTW!
The BitBox02 offers the full feature set needed for Ethereum DeFi: use the BitBoxApp to hold ETH securely, connect the BitBox02 to MyEtherWallet to transact in Ethereum and all ERC-20 tokens as a power user, and interact with DeFi platforms and smart contracts with the BitBox02 and Rabby (a feature-rich and fully compatible MetaMask fork).
This release adds many additional ERC-20 tokens to the BitBox02 firmware so that the contract address is verified, the proper token name is shown on the device, and the proper denomination is used. We also increased the transaction size limit to accommodate OpenSea transactions.
While tokens on Cardano are not yet widely used, we want to make sure that BitBox02 users get the full functionality. After adding support for Cardano and its native currency ADA in the last release, we now add full Cardano token support in the BitBox02 firmware.
Support for Cardano tokens will be available on the AdaLite wallet soon: then you'll be able to manage your ADA and Cardano tokens directly from your BitBox02.
…and many little things
Now you can display the NgU fiat value of your wallet in Norwegian krone (NOK), thanks to one of our users who contributed the full code (which we thoroughly vetted, of course). The BitBoxApp is now fully translated to Dutch. And we squashed a small bug that prevented the direct opening of the exported transaction list CSV.
The list in "Connect your own full node" settings currently fails to display server names. This is only a UI issue; the app establishes connections correctly on the backend. We will resolve this shortly in the next patch release.
How can I stay up-to-date?
We encourage you to sign up to the BitBox news to stay up to date with our latest news, including release notes and bug fixes.
Thank you for being part of the BitBox family!
-- The Shift Team
Shift Crypto is a privately-held company based in Zurich, Switzerland. Our team of Bitcoin contributors, crypto experts, and security engineers builds products that enable customers to enjoy a stress-free journey from novice to mastery level of cryptocurrency management. The BitBox02, our second generation hardware wallet, lets users store, protect, and transact Bitcoin and other cryptocurrencies with ease - along with its software companion, the BitBoxApp.