This update patches security vulnerabilities in the BitBox hardware wallet. We strongly encourage all customers to update to the latest desktop app and BitBox firmware.
What is the current security status?
Christian Reitter, in coordination with Dr. Jochen Hoenicke, responsibly disclosed to us the U2FHID_INIT_RESP information leak vulnerability. During the initial handshake of the U2F protocol, 3 bytes of data stored in device RAM are leaked. The leaked data could potentially contain sensitive information, although we found no obvious way to exploit the vulnerability to do so in our case. We have released patches to fix the issues. We have no reports of lost funds and have found no evidence that an issue was exploited.
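The bug class behind a leak like the one described above, as an added C illustration that is not the BitBox firmware's code: the announcement does not say how the 3 bytes escaped, so this shows one plausible mechanism, a 17-byte U2FHID_INIT response whose reply length is taken from sizeof() of a 4-byte-aligned struct (20 bytes) while the frame is built in place in a reused HID transmit buffer, beside the hardened form that clears the frame and reports the true wire length. The device version values, the channel id and the 0xAA stale-RAM marker are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Wire layout of a U2FHID_INIT response (FIDO U2F HID spec): 17 bytes. */
#define U2FHID_INIT_RESP_LEN 17
#define STALE 0xAA   /* constructed marker for whatever the reused TX buffer held */
typedef struct {
    uint8_t  nonce[8];                 /* echoed from the request */
    uint32_t cid;                      /* newly allocated channel id */
    uint8_t  version_interface, version_major, version_minor, version_build;
    uint8_t  caps_flags;
} u2fhid_init_resp_t;   /* 17 payload bytes, but sizeof is 20 on 4-byte-aligned targets */

/* Serialise the 17 fields (cid big-endian) into the HID transmit buffer. */
static void put_fields(uint8_t *buf, const uint8_t nonce[8], uint32_t cid)
{
    memcpy(buf, nonce, 8);
    buf[8]  = (uint8_t)(cid >> 24); buf[9]  = (uint8_t)(cid >> 16);
    buf[10] = (uint8_t)(cid >> 8);  buf[11] = (uint8_t)cid;
    buf[12] = 2;                           /* U2FHID interface version */
    buf[13] = 1; buf[14] = 0; buf[15] = 0; /* sample device version 1.0.0 */
    buf[16] = 0;                           /* no capability flags */
}

/* Defective builder: reports sizeof(struct) as the reply length, so the 3
 * alignment-padding bytes past the payload go out holding stale RAM. */
size_t build_init_resp_leaky(uint8_t *tx, const uint8_t nonce[8], uint32_t cid)
{
    put_fields(tx, nonce, cid);
    return sizeof(u2fhid_init_resp_t);     /* 20, not 17 */
}

/* Hardened builder: zero the whole frame first, then report the wire length. */
size_t build_init_resp_fixed(uint8_t *tx, size_t tx_len, const uint8_t nonce[8], uint32_t cid)
{
    memset(tx, 0, tx_len);
    put_fields(tx, nonce, cid);
    return U2FHID_INIT_RESP_LEN;
}

/* Run one builder over a 64-byte HID frame pre-filled with STALE and count how
 * many transmitted bytes past the 17-byte payload still carry the marker. */
size_t leaked_bytes(int use_fixed)
{
    static const uint8_t nonce[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t tx[64];
    memset(tx, STALE, sizeof tx);
    size_t sent = use_fixed ? build_init_resp_fixed(tx, sizeof tx, nonce, 0x00010203u)
                            : build_init_resp_leaky(tx, nonce, 0x00010203u);
    size_t n = 0;
    for (size_t i = U2FHID_INIT_RESP_LEN; i < sent; i++) n += (tx[i] == STALE);
    return n;
}
```

The same check generalises to any reply built in a reused buffer: compare the length handed to the transport against the protocol's wire length, not against sizeof() of a padded struct.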
What should I do to stay safe?
Make sure to always use the latest desktop app and firmware. You can download the latest desktop app v4.4.0 here:
https://shiftcrypto.ch/start
The desktop app has the latest firmware (v6.0.0) embedded inside. The desktop app will guide you through the process of installing the firmware on the BitBox. Before upgrading, you can optionally verify your backups by following our BitBox Backup Verification guide.
After the update, if you paired your mobile phone with the BitBox but are not using "Full 2FA" mode, one additional step is necessary. Please re-pair your mobile phone with the BitBox by clicking the 'Reconnect Mobile App' button under 'Manage Device' in the desktop app. If you have not yet paired a mobile phone, or are already using "Full 2FA", no further action is required.
The update now enforces that transactions are sent to the mobile app if a mobile app has been paired to the BitBox. (Ethereum-based transactions, for example via the MyEtherWallet integration, are not yet supported on the mobile app and are excluded.) If you are using a client app other than the official BitBox app or MyEtherWallet, please contact us for more details. Note that unless Full 2FA mode is active, you always have the option to re-pair with your mobile phone, or with a new phone, by clicking 'Pair Mobile App' under 'Manage Device' in the desktop app.
How can I stay up to date?
Notifications about code updates are provided by the desktop app after startup. You can always download the latest version of the desktop app here:
https://shiftcrypto.ch/start
We encourage you to sign up to the security-announce mailing list to stay up to date with the latest security news from Shift, including release notes and bug fixes, by following this link:
https://groups.google.com/a/shiftcrypto.ch/group/security-announce/subscribe
Through our BitBox Bug Bounty program, we work with independent researchers to help find and fix bugs reported to us. We thank Christian Reitter for coordinating his responsible disclosure with us and other affected projects, and for his high degree of professionalism and support throughout the process.
As always, please don't hesitate to contact us at support@shiftcrypto.ch if you have questions.
Thank you for your continued support.
The Shift Cryptosecurity team