TL;DR: Update BitBoxApp to version 4.19.0, bundled with firmware 8.0.0, at https://shiftcrypto.ch/start. We strongly recommend verifying the release as explained on the GitHub releases page at https://github.com/digitalbitbox/bitbox-wallet-app/releases.
On 5 March 2020, Saleem Rashid responsibly disclosed through a bug bounty program a vulnerability that allows an attacker to trick users into paying excessive fees when sending bitcoins. A malicious software wallet would need to trick the user into signing a bitcoin SegWit transaction twice, for example by faking an error after the first signing and asking the user to try again. The fee shown on the device is computed from the input amounts the host software reports, and a SegWit signature commits only to the amount of the input it signs; by under-reporting a different input in each of the two signing rounds, the host can make both rounds display a normal fee and then combine the valid signatures from each round into one transaction whose real fee is far higher. Since fees go to whichever miner includes the transaction, the attacker would need to collaborate with a miner to collect them.
This issue affects all major hardware wallets, and a joint release date was coordinated for today, 3 June 2020. This release patches the vulnerability, and we strongly encourage all users to update to the latest BitBoxApp, which will update the BitBox02 firmware. We have no reports of lost funds and have found no evidence that the vulnerability was exploited. We would like to thank Saleem Rashid for his support in improving the security of our products.
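The two-round attack and an amount check that blocks it, as a toy model added here; this is example code, not BitBox02 firmware and not from the original advisory, and it does not claim to reproduce the BitBox02's actual fix. It models the BIP143 property that a SegWit signature commits to the value of the output its own input spends, using an HMAC over the same fields as a stand-in for ECDSA over the sighash. The key, the amounts, the fee limit and the previous-transaction serialization are constructed for the demo.

```python
"""Toy model of the SegWit double-signing fee attack and of a previous-transaction
amount check that stops it. Added example; not BitBox02 code. An HMAC over the
outpoint, the spent amount and the outputs stands in for a real BIP143 signature.
The device key, amounts and PrevTx format below are constructed for the demo."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

COIN = 100_000_000
DEVICE_KEY = b"toy-device-key"  # constructed stand-in for the signing key


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass(frozen=True)
class PrevTx:
    """Previous transaction reduced to its output values (toy serialization)."""
    outputs: Tuple[int, ...]

    def txid(self) -> bytes:
        return sha256d(b"".join(v.to_bytes(8, "little") for v in self.outputs))


@dataclass(frozen=True)
class Input:
    txid: bytes
    vout: int
    amount: int  # value of the spent output AS REPORTED BY THE HOST (sats)


@dataclass(frozen=True)
class Tx:
    inputs: Tuple[Input, ...]
    outputs: Tuple[int, ...]


def toy_sign(inp: Input, amount: int, outputs: Tuple[int, ...]) -> bytes:
    """Stand-in for signing one input's BIP143 sighash: commits to the outpoint,
    the amount the signer believes this input spends, and all outputs."""
    msg = (inp.txid + inp.vout.to_bytes(4, "little") + amount.to_bytes(8, "little")
           + b"".join(o.to_bytes(8, "little") for o in outputs))
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()


def network_verify(tx: Tx, sigs: List[bytes], utxo: Dict[Tuple[bytes, int], int]) -> Optional[int]:
    """Validate like a node: every signature must commit to the TRUE UTXO value.
    Returns the real fee paid, or None if any signature is invalid."""
    total_in = 0
    for inp, sig in zip(tx.inputs, sigs):
        true_amount = utxo[(inp.txid, inp.vout)]
        if not hmac.compare_digest(sig, toy_sign(inp, true_amount, tx.outputs)):
            return None
        total_in += true_amount
    return total_in - sum(tx.outputs)


def user_confirms(fee: int, fee_limit: int) -> None:
    """On-device confirmation: the user refuses an obviously excessive fee."""
    if fee > fee_limit:
        raise ValueError(f"user refused fee of {fee} sats")


def vulnerable_sign(tx: Tx, fee_limit: int) -> List[bytes]:
    """Pre-fix behaviour: the displayed fee is computed from host-reported amounts."""
    user_confirms(sum(i.amount for i in tx.inputs) - sum(tx.outputs), fee_limit)
    return [toy_sign(i, i.amount, tx.outputs) for i in tx.inputs]


def hardened_sign(tx: Tx, prev_txs: List[PrevTx], fee_limit: int) -> List[bytes]:
    """Post-fix behaviour: the host must supply each previous transaction; the device
    hashes it, checks the hash against the outpoint and reads the amount itself."""
    true_amounts = []
    for inp, prev in zip(tx.inputs, prev_txs):
        if prev.txid() != inp.txid:
            raise ValueError("previous transaction does not match outpoint")
        if prev.outputs[inp.vout] != inp.amount:
            raise ValueError("host-reported amount contradicts previous transaction")
        true_amounts.append(prev.outputs[inp.vout])
    user_confirms(sum(true_amounts) - sum(tx.outputs), fee_limit)
    return [toy_sign(i, a, tx.outputs) for i, a in zip(tx.inputs, true_amounts)]


# Constructed scenario: two 10 BTC inputs, one 15 BTC output, so the real fee is 5 BTC.
PREV_A, PREV_B = PrevTx((10 * COIN,)), PrevTx((10 * COIN,))
UTXO = {(PREV_A.txid(), 0): 10 * COIN, (PREV_B.txid(), 0): 10 * COIN}
OUTPUTS = (15 * COIN,)
FEE_LIMIT = 20_000        # a fee the user would accept on screen
LIE = 5 * COIN + 10_000   # under-reported amount that makes the displayed fee 10,000 sats


def attack_vulnerable() -> Optional[int]:
    """Round 1 under-reports B, round 2 ("please try again") under-reports A; each round
    shows a 10,000 sat fee. A's signature from round 1 plus B's from round 2 is valid."""
    round1 = Tx((Input(PREV_A.txid(), 0, 10 * COIN), Input(PREV_B.txid(), 0, LIE)), OUTPUTS)
    round2 = Tx((Input(PREV_A.txid(), 0, LIE), Input(PREV_B.txid(), 0, 10 * COIN)), OUTPUTS)
    sigs1 = vulnerable_sign(round1, FEE_LIMIT)
    sigs2 = vulnerable_sign(round2, FEE_LIMIT)
    return network_verify(round1, [sigs1[0], sigs2[1]], UTXO)


def attack_hardened() -> str:
    """The same first round against the hardened device is refused before signing."""
    round1 = Tx((Input(PREV_A.txid(), 0, 10 * COIN), Input(PREV_B.txid(), 0, LIE)), OUTPUTS)
    try:
        hardened_sign(round1, [PREV_A, PREV_B], FEE_LIMIT)
    except ValueError as e:
        return str(e)
    return "signed"


def honest_hardened() -> Optional[int]:
    """Honest host and amounts: the hardened device signs and the fee is as displayed."""
    tx = Tx((Input(PREV_A.txid(), 0, 10 * COIN), Input(PREV_B.txid(), 0, 10 * COIN)),
            (20 * COIN - 10_000,))
    return network_verify(tx, hardened_sign(tx, [PREV_A, PREV_B], FEE_LIMIT), UTXO)


if __name__ == "__main__":
    print("vulnerable device, real fee paid (sats):", attack_vulnerable())
    print("hardened device:", attack_hardened())
    print("hardened device, honest spend fee (sats):", honest_hardened())
```

Note that either lying round on its own produces one invalid signature, so a single signing session cannot be abused; the second confirmation is what gives the attacker a valid signature for every input. The hardened path refuses before the user is ever shown a fee, because the amount is taken from the hashed previous transaction rather than from the host.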
Am I at risk?
If you confirmed a bitcoin transaction on your BitBox02 in the past, then saw an error message of some kind on your computer and signed the same transaction again, an attacker could have combined the two signing rounds into a transaction with excessive fees. The attack requires both signing rounds; if you never signed the same transaction twice, you are not affected. You can check the fee actually paid by any such transaction in a block explorer.
More details about this release are available in a blog post at https://medium.com/shiftcrypto/bitbox-app-firmware-update-6-2020-c70f733a5330.
If you have questions, as always feel free to contact sup...@shiftcrypto.ch.