On October 1st, 2020, ShapeShift released version 6.5.1 of KeepKey’s firmware to resolve a few low-risk vulnerabilities. While each of these vulnerabilities require a fair amount of preconditions to exist in order to exploit them — and we’ve never seen evidence of these issues being exploited in the wild — we felt it was important to release this update to ensure KeepKey users’ funds are protected with the best possible security afforded by KeepKey.

ShapeShift is committed to providing the best user experience to users choosing to hold their own keys, with tools that keep their keys safe from online attackers.

Here is a summary of the four changes in KeepKey firmware 6.5.1:

  • The PIN unlock process now takes significantly less time to unlock KeepKey, making accessing your funds even easier.
  • KeepKey now takes 4 seconds to unlock, which is 84% faster than firmware 6.4.0.
  • An OLED side-channel attack that could allow an attacker to read information displayed on KeepKey has been mitigated by duplicating the PIN pad in alternating brightness (CVE-2019-14355).
  • This attack would only work if the attacker is able to detect the amount of power drawn by KeepKey during operation (such as by attaching an oscilloscope to the USB cable that connects KeepKey to your computer).
  • A BIP-39 passphrase-related ransom attack that could allow an attacker to alter the passphrase used to unlock KeepKey has been mitigated.
  • If a BIP-39 passphrase (also known as a “25th word”) is used to unlock KeepKey, that passphrase will now be shown on the display when KeepKey is unlocked.
  • This allows you to confirm that the passphrase you entered is the one used to unlock KeepKey, and all addresses are derived from the passphrase you know.
  • A SEGWIT vulnerability that could allow an attacker to trick you into signing two different transactions which move funds in a way you did not intend has been mitigated (CVE-2020-14199).
  • KeepKey will now warn you if the inputs of two similar transactions have changed, allowing you to cancel a suspicious transaction before signing it.

While this firmware update enhances the security of your KeepKey, it is not required to continue using ShapeShift. When visiting the ShapeShift.com platform, you will be notified if your KeepKey has an update available for installation via a banner at the top of the page.

Each of the vulnerabilities fixed in today’s firmware update were brought to our attention via ShapeShift’s Responsible Disclosure Program, and each of them are eligible for a bounty.

If you are a security researcher who has found a security issue in any of ShapeShift’s products or services, you may be eligible to receive a bounty for your work. We encourage you to follow the instructions detailed on our Responsible Disclosure Program page to work with us to make the Internet a little bit more secure.