The KeepKey development team has updated the firmware for both the production client (v5.10.3) and the beta (rc) client (v6.0.1). Both updates include bug fixes, and the beta release also includes new applications and an enhanced user experience.

Production Client Updates

The latest production client update will include the following fixes:

  • Bitcoin Cash (BCH) address matching: Prior to this release, there was a reported problem with BCH address matching: the address shown on the device did not match the address shown on the client. The development team discovered that the KeepKey device was displaying BCH’s new address format, CashAddr, while the client was still displaying the legacy address format. After this update, you will see CashAddr on both the client and the device. CashAddr addresses begin with a q or p and protect users by clearly distinguishing BCH addresses from Bitcoin (BTC) addresses.

The KeepKey team wants to thank you and the other vigilant users who reported this problem. It is important to always verify that the address on your device matches the address on the client, to protect against attacks such as man-in-the-middle.

  • 0xBTC transacting: If you attempted to send 0xBTC recently, you most likely were unsuccessful. This was due to a communication issue between the device and the client where the x in 0xBTC was capitalized. With the x capitalized, the device could not recognize the name of the token and, therefore, did not know what token to send. Now that this flaw is fixed and the x is properly communicated as lowercase, you are able to transact 0xBTC again.
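
For the BCH address-matching fix above, this added example (not KeepKey code) decodes a legacy address and a CashAddr and checks that both name the same destination, which is what a user comparing the two formats could not do by eye. The function names are illustrative, and the sample pair is a test vector from the CashAddr specification.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x98F2BC8E61, 0x79B76D99E2, 0xF33E5FB3C4, 0xAE2EABE2A8, 0x1E4F43E470)

def legacy_decode(addr):
    """Base58Check legacy address -> (kind, hash160)."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes(25, "big")  # version byte + 20-byte hash + 4-byte checksum
    if hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] != raw[21:]:
        raise ValueError("bad Base58Check checksum")
    return {0: "P2PKH", 5: "P2SH"}[raw[0]], raw[1:21]

def polymod(values):
    """40-bit BCH checksum used by CashAddr."""
    c = 1
    for d in values:
        c0 = c >> 35
        c = ((c & 0x07FFFFFFFF) << 5) ^ d
        for i, g in enumerate(GEN):
            if (c0 >> i) & 1:
                c ^= g
    return c ^ 1

def cashaddr_decode(addr):
    """CashAddr (prefix optional) -> (kind, hash160); rejects a bad checksum."""
    prefix, _, payload = addr.lower().rpartition(":")
    data = [CHARSET.index(ch) for ch in payload]
    if polymod([ord(c) & 31 for c in prefix or "bitcoincash"] + [0] + data) != 0:
        raise ValueError("bad CashAddr checksum")
    bits = "".join(f"{v:05b}" for v in data[:-8])  # drop the 8 checksum symbols
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - len(bits) % 8, 8))
    # Version byte: type 0 (P2PKH) encodes as a leading "q", type 1 (P2SH) as "p".
    return {0: "P2PKH", 1: "P2SH"}[raw[0] >> 3], raw[1:]

def same_destination(legacy, cashaddr):
    """True when both address formats carry the same type and hash."""
    return legacy_decode(legacy) == cashaddr_decode(cashaddr)

# Sample pair: CashAddr specification test vector (same key hash, two formats).
LEGACY = "1BpEi6DfDAUFd7GtittLSdBeYJvcoaVggu"
CASHADDR = "bitcoincash:qpm2qsznhks23z7629mms6s4cwef74vcwvy22gdx6a"
```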

Beta (rc) Client Updates

If you are a beta user, you will see the same fixes that were implemented in the production client, as well as a firmware update with the following fixes, updates, and enhancements:

  • Microsoft compatibility: If you are one of our patient Windows 10 users, you should be able to access your accounts again. The KeepKey team has updated the device’s USB drivers, which should relieve those Windows 10 users who were locked out of their device.

Note: If you are a Windows 10 user and are still experiencing issues with your KeepKey after updating your firmware, please contact our crypto specialists.

  • Ethereum (ETH) address matching: Similar to the BCH update, our vigilant users, like yourself, noticed small discrepancies in the capitalization of Ethereum addresses. Prior to this release, the KeepKey client was not following the latest Ethereum Improvement Proposal, EIP-55. This standard implements a checksum, encoded in the capitalization of the letters in an address, to detect small errors. After this firmware update, Ethereum addresses will match perfectly on your device and client to ensure you are not sending your funds to a wrong address.
  • Responsible disclosure: Thanks again to Christian Reitter, in coordination with Dr. Jochen Hoenicke, for responsibly disclosing the U2FHID_INIT_RESP information leak vulnerability in KeepKey’s initial implementation. After the security vulnerability was brought to the attention of the development team, U2F was fixed and re-added in this release.
  • U2F and WebUSB implementation: After the development team fixed the original security vulnerability, they were able to implement Universal Second Factor (U2F) again along with WebUSB. U2F strengthens and simplifies two-factor authentication (2FA) by using specialized USB or NFC devices, such as a YubiKey. Similarly, WebUSB provides access to USB devices through web pages. In this case, you can access your KeepKey via another website login. Both implementations create a more secure and convenient login process for you, in anticipation of more exciting news in 2019.

Note: Linux users may need to update their UDEV rules to account for the new USB productId.
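
For the Ethereum (ETH) address-matching fix above, this added example (not KeepKey firmware or client code) computes the EIP-55 mixed-case checksum. Keccak-256 is implemented inline because Python's hashlib ships only the NIST SHA-3 variant, which pads differently; the function names are illustrative and the sample address is an EIP-55 test vector.

```python
MASK = (1 << 64) - 1

def _keccak_f(a):
    """Keccak-f[1600] permutation on a 5x5 array of 64-bit lanes a[x][y]."""
    rol = lambda v, n: ((v << n) | (v >> (64 - n))) & MASK
    r = 1
    for _ in range(24):
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x + 4) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]  # theta
        x, y, cur = 1, 0, a[1][0]
        for t in range(24):  # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, a[x][y] = a[x][y], rol(cur, (t + 1) * (t + 2) // 2 % 64)
        for y in range(5):  # chi
            row = [a[x][y] for x in range(5)]
            for x in range(5):
                a[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        for j in range(7):  # iota: round constant bits from an LFSR
            r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256
            if r & 2:
                a[0][0] ^= 1 << ((1 << j) - 1)
    return a

def keccak256(data, suffix=0x01):
    """Keccak-256 as Ethereum uses it (pad byte 0x01; NIST SHA3-256 uses 0x06)."""
    buf = bytearray(data) + bytes([suffix])
    buf += bytes(-len(buf) % 136)  # rate is 136 bytes (17 lanes)
    buf[-1] |= 0x80
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), 136):
        for i in range(17):
            a[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        a = _keccak_f(a)
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

def to_checksum_address(addr):
    """EIP-55: uppercase hex letter i when nibble i of keccak256(lowercase hex) >= 8."""
    body = addr[2:].lower()  # assumes a "0x"-prefixed address
    int(body, 16)  # raises ValueError on non-hex input
    digest = keccak256(body.encode("ascii")).hex()
    return "0x" + "".join(
        ch.upper() if int(digest[i], 16) >= 8 else ch for i, ch in enumerate(body))

def has_valid_checksum(addr):
    """Strict check: the capitalization must be exactly what EIP-55 prescribes."""
    return len(addr) == 42 and addr.startswith("0x") and addr == to_checksum_address(addr)

# EIP-55 test vector and its all-lowercase (no checksum) rendering of the same account.
CHECKSUMMED = "0x5aAeb6053F3E94C9b9A09f33669435E7Ef1BeAed"
LOWERCASE = CHECKSUMMED.lower()
```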

  • Enhanced UX for passphrase protection: To continue to make the KeepKey user experience as easy as possible, the development team added a button for passphrase protection. You will find the button to add passphrase protection on the settings page of the client.

A passphrase is an optional security feature that is used to encrypt your private keys. This is an additional word that you can choose to create “hidden accounts” or “hidden wallets.” We recommend you use a passphrase only if you consider yourself an advanced user.

Passphrase warning: If you lose or forget your passphrase, you have lost access to your cryptocurrency. Your passphrase is not stored anywhere and no means of recovering it exists other than brute force (trying every possible passphrase). Additionally, the device can’t tell when you mistype your passphrase. If you send transactions to an account after a passphrase has been mistyped, it is likely that you will not be able to recover your crypto assets sent to addresses derived from the passphrase.

If using a passphrase is of interest to you, we suggest you reach out to our crypto specialists.

As always, if you have any questions regarding the latest update, please reach out to our team. They are available seven days a week and excited to help each user out!