Version 3.0.6 Released (Security Update)
Security Fix (Multisig Users)
This release fixes a multisig PSBT-tampering issue that could allow a MitM to steal funds. Please upgrade ASAP.
This issue can only affect multisig wallet users, and we strongly recommend an immediate upgrade. There is no evidence any malicious actor ever exploited this bug, but to give users a head start, we plan to talk about this in more detail in 90 days.
Download the latest firmware here
New Features
This is primarily a maintenance release, but we could not resist adding some new features too:
- You can now select a one-line text file from the MicroSD card to be signed by your private key. This can be useful to prove identity, or control over a key. More details are available in the updated online docs for the MicroSD submenu.
- The Coldcard can now accept PSBT files encoded in Base64 or hex, which can be helpful to programmers and other system integrators. In the past, all PSBT files had to be raw binary, which is more difficult to work with. The output PSBT (signed version) will be written in the same encoding as the input PSBT file. This does not affect the USB interface, which still requires binary values.
- All change outputs are now shown during the approval process (on screen). We’re not sure if it’s worthwhile to verify all the change outputs, since the Coldcard has already worked hard to check they come back to your wallet. But they are part of the transaction being approved, so it makes sense to show them, so they can be inspected if desired.
This release also has a number of bug fixes.
Change List
- Enhancement: Sign a text file from MicroSD. Input file must have extension .TXT and contain a single line of text. Signing key subpath can also be provided on the second line.
- Enhancement: Now shows the change outputs of the transaction during signing process. This additional data can be ignored, but it is useful for those who wish to verify all parts of the new transaction.
- Enhancement: PSBT files on MicroSD can now be provided in base64 or hex encodings. Resulting signed PSBT will be written in the same encoding as the input PSBT.
- Bugfix: crashed on entry into the Address Explorer (some users, sometimes).
- Bugfix: add blank line between addresses shown if sending to multiple destinations.
- Bugfix: multisig outputs were not checked to see if they are change (would have been shown as regular outputs), if the PSBT did not have XPUB data in globals section.
Updated: March 2020
Now that the disclosure period has elapsed, we can discuss the security issue this release fixed in December. The problem was reported by Dmitry Petukhov @dmpsim who discovered the issue when integrating the Coldcard into his work.
The vulnerability allows a Man-in-the-Middle (of your PSBT files) to steal your change outputs when using multisig. The old version of Coldcard (before the fix) was not parsing multisig scripts tightly enough, and could be fooled into thinking the change address was correct and coming back to you, when in fact, it was going to the attacker.
An example (from Dmitry’s original report) is a redeem script like:
1 <pubA> <pubB> 2 CHECKMULTISIG DROP 1 <pubM0> <pubM1> 2 CHECKMULTISIG
(where pubA and pubB are pubkeys that match the expected xpubs on the Coldcard, while pubM0 and pubM1 are pubkeys of the keys belonging to a malicious actor that wants to steal all the change of the transaction)
That redeem script, in the output of the transaction, would be considered as ‘change back’ because the pubkeys returned from disassemble_multisig() would match xpubs stored on the device. The attacker’s additions would not be noticed.
The parsing bug was easily fixed just by simplifying the code involved. As an additional layer of defense, we added the change addresses to the on-screen confirmation. We like to think that will shut down any as-yet-undiscovered PSBT man-in-the-middle attack; however, we are also working with the Bitcoin community on some new ideas on how to better lock down PSBT files in transit, using message signatures and such.
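To make the parsing problem concrete, here is an added example (not Coldcard firmware code, and not Dmitry’s report code) that contrasts a loose pubkey scan, modelled on the pre-fix behaviour described above, with a strict M-of-N parser that accepts only a bare multisig script, both run over the tampered redeem script from the report. The function names, the simplified script decoder and all pubkey values are constructed for illustration.

```python
# Added example, not Coldcard code: loose vs strict multisig redeem-script parsing.
OP_1, OP_16, OP_DROP, OP_CHECKMULTISIG = 0x51, 0x60, 0x75, 0xAE

def parse_ops(script):
    # Decode into ('push', data) / ('op', opcode); direct pushes (1..75 bytes) suffice here.
    ops, i = [], 0
    while i < len(script):
        op, i = script[i], i + 1
        if 1 <= op <= 75:
            ops.append(('push', script[i:i + op]))
            i += op
        else:
            ops.append(('op', op))
    return ops

def small_int(item):
    # Map OP_1..OP_16 to 1..16; anything else cannot be a multisig M or N.
    if item[0] != 'op' or not OP_1 <= item[1] <= OP_16:
        raise ValueError('expected OP_1..OP_16')
    return item[1] - OP_1 + 1

def loose_pubkeys(script):
    # Loose: harvest every 33-byte push and ignore every other opcode.
    return [d for k, d in parse_ops(script) if k == 'push' and len(d) == 33]

def strict_multisig(script):
    # Strict: the script must be exactly "M <pk1>..<pkN> N OP_CHECKMULTISIG".
    ops = parse_ops(script)
    if len(ops) < 4 or ops[-1] != ('op', OP_CHECKMULTISIG):
        raise ValueError('not a bare multisig script')
    m, n, keys = small_int(ops[0]), small_int(ops[-2]), ops[1:-2]
    if not (1 <= m <= n and len(keys) == n):
        raise ValueError('M/N do not match the key count')
    if any(k != 'push' or len(d) != 33 for k, d in keys):
        raise ValueError('non-pubkey item inside multisig script')
    return m, n, [d for _, d in keys]

def is_change_loose(script, wallet_keys):   # pre-fix style: wallet keys merely present
    return wallet_keys <= set(loose_pubkeys(script))
def is_change_strict(script, wallet_keys):  # post-fix style: exact bare multisig of our keys
    try:
        return set(strict_multisig(script)[2]) == wallet_keys
    except ValueError:
        return False

push = lambda b: bytes([len(b)]) + b
PUB_A, PUB_B = b'\x02' + b'\xaa' * 32, b'\x03' + b'\xbb' * 32      # wallet keys (constructed)
PUB_M0, PUB_M1 = b'\x02' + b'\xcc' * 32, b'\x03' + b'\xdd' * 32    # attacker keys (constructed)
WALLET_KEYS = {PUB_A, PUB_B}
HONEST = bytes([OP_1]) + push(PUB_A) + push(PUB_B) + bytes([OP_1 + 1, OP_CHECKMULTISIG])
TAMPERED = HONEST + bytes([OP_DROP, OP_1]) + push(PUB_M0) + push(PUB_M1) + bytes([OP_1 + 1, OP_CHECKMULTISIG])
```

The loose check accepts TAMPERED as change because both wallet keys appear somewhere in it, while the strict parser rejects it since the key count and trailing opcodes no longer form a single bare multisig script.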
This particular MitM attack does not require knowledge of the full XPUB of the keys involved in signing, but regardless we repeat our guidance that it is not best practice to transmit those values in your PSBT files unless they are required.