On April 12, 2021, ShapeShift released v7.1.0 of the KeepKey firmware to resolve a critical security vulnerability (CVE-2021-31616) responsibly disclosed to us by security researcher Christian Reitter. Any user whose device is running firmware v7.0.3 should update as soon as possible.

While we have no evidence that this vulnerability has been exploited in the wild, it’s important that all KeepKey users—whether their device is registered with ShapeShift or not—apply the update at their earliest opportunity. Regular security patching and updates are a necessary and important part of security hygiene.

Action steps are simple:

  • Even if you already applied the update, we recommend you go ahead and make sure you're running the latest version—v7.1.2, at the time of this writing.
  • If you are unable to access your KeepKey right now, don’t worry—it is secure while disconnected. Just update as soon as you can, though we recommend updating the next time you connect.
  • When you are ready and able, use the KeepKey app to update.
  • As a security best practice, consider enabling PIN protection on your device.
  • Before making any updates to your device, always make sure you have your 12-word seed phrase safely stored offline.
  • If you have issues connecting your device following your update, please reach out to our support team.

Feel free to contact our Customer Support team with any questions.