BitBox02 Nova is available for pre-order now.
The new BitBox02 Nova uses Bluetooth® Low Energy (BLE) to enable communication with the BitBoxApp on iPhone and iPad, as USB communication is very restricted on these two devices. At the core of our security philosophy is the refusal to blindly trust opaque systems. This is why we designed the Bluetooth implementation to minimize attack surfaces, eliminate unnecessary trust, and prioritize user sovereignty. We call this custom integration Whisper.
The primary goal of Whisper is to preserve user privacy, without compromising security. This is achieved by not trusting the Bluetooth stack, end-to-end encrypting all transmitted data and limiting the operating range. We already shared some high-level aspects about Whisper in the introduction of the BitBox02 Nova, but in this article, we want to take a closer look at all the technical details!
Hardware isolation
New hardware was required to enable the use of Bluetooth, as the original BitBox02 does not have the required components on-board to do so. The BitBox02 Nova now has a dedicated Bluetooth chip, the DA14531 MCU, which runs its own custom Bluetooth firmware – completely isolated from the main MCU running the BitBox02 firmware. The Bluetooth chip does not have access to the flash storage of the main MCU and does not learn any wallet secrets. Similar to our dual-chip architecture, which uses a dedicated Secure Chip, this allows the main firmware to stay independent of the Bluetooth firmware, without having to trust it.
Open source everything
As you would expect, our custom Bluetooth firmware is open-source and can even be fully reproduced upon acquiring an SDK file from the manufacturer. Even though the Bluetooth chip is not trusted anyway, this further improves transparency and auditability. We welcome community assertions on our GitHub repository from users who successfully reproduced the Bluetooth firmware.
Controlled environment
Since the Bluetooth chip does not have access to flash memory, it cannot access data stored by the main MCU. The firmware is loaded directly into working memory (RAM) on each boot and is cryptographically verified by the main MCU. This guarantees a consistent, verifiable runtime environment with no mutable state.
Authenticated and encrypted
By default, all Bluetooth connections are encrypted – even the Bitcoin podcast playing on your Bluetooth headphones! The BitBox02 Nova enforces the highest settings available in the Bluetooth® standard: LE Secure Connections with authenticated pairing. No plaintext or unauthenticated data can be sent or received, ensuring that all data transmitted “over the air” cannot be read by eavesdroppers. Note that this is primarily a privacy feature, as no security-critical data such as private keys are transmitted from and to the device in any case.
The pairing process will feel familiar if you ever paired your phone with your car over Bluetooth. A pairing code is shown in a system dialogue on iPhone or iPad and on the BitBox02 Nova, prompting the user to confirm if they match.
Two encryption layers
On top of the native Bluetooth encryption, the BitBoxApp and BitBox02 Nova still use the same end-to-end encryption protocol, which users of the BitBox02 are already familiar with. This means that all data is already encrypted by the BitBox firmware before being passed on to the Bluetooth chip. Only the BitBoxApp is able to decrypt this data, as the Bluetooth firmware does not know the decryption key. In the event the Bluetooth connection is somehow compromised, your transaction data would still remain private thanks to this additional layer of encryption.
Reduced signal strength
Usually, Bluetooth devices are supposed to have a very long range. Users of Bluetooth headphones still want to listen to their favorite song or Bitcoin podcast, even when they head to the bathroom or to the basement. For a hardware wallet, the opposite is true. We already consider the simple fact that a hardware wallet is being used as information worth protecting.
This is why we deliberately limit the Bluetooth range. When the BitBox02 Nova is plugged into an iPhone or iPad, it will start to advertise itself to allow other devices to discover and connect to it. During this initial phase, the signal strength of the Bluetooth antenna is reduced to the bare minimum, aiming for a very limited range. Connecting and pairing is therefore only possible in close vicinity of the device.
Once the connection is established, all communication is end-to-end encrypted and the nature of the connection is hidden, preventing others from discovering that a BitBox device – or any Bluetooth device for that matter – is in use. Only then, the signal strength and range is slightly extended to improve reliability.
Device names
For devices that are not set up yet, the advertised Bluetooth name will be chosen randomly each time the device is powered on, for example, it may be called “BitBox A1D6”, “BitBox C2A4”, and so forth. This ensures that you connect to the correct device during setup, as the device name is shown both in the BitBoxApp and on-device.
After initial setup, the device name set by the user will be used for Bluetooth advertising. This also gives the user the option to decide for themselves whether to simply call it “Satoshi’s BitBox” or something arbitrary like “Alice’s AirPods Pro” – with the latter providing even more obfuscation from surrounding devices.
Random private addresses
We use random private addresses (RPA) built into the Bluetooth standard to further obfuscate device metadata such as MAC addresses. This makes passive tracking over longer periods of time even more difficult. Only devices that are paired with the BitBox can reveal its identity. Other devices simply see random addresses and encrypted data blobs, without being able to identify unique addresses and track them.
USB first
While Bluetooth Low Energy is a great choice to circumvent USB restrictions on iPhone and iPad, it is unnecessary to enforce it on other platforms as well, i.e. on Windows, Mac, Linux and Android. This is why the BitBox02 Nova prioritizes USB communication, once it becomes available.
As soon as the device receives data from the BitBoxApp via USB, it will turn off Bluetooth. If the BitBox02 Nova is connected via USB while the BitBoxApp is running, the bluetooth firmware will never even be started.
And of course, users who do not own an iPhone or iPad and thus will not use Bluetooth altogether can deactivate it with a persistent firmware setting. Note that this should only be done if you have a USB-enabled host device at hand, as you cannot re-activate Bluetooth with an iPhone or iPad – for obvious reasons.
Conclusion
Whisper is not just a nice-sounding marketing name, it’s a commitment to uncompromising privacy and security over Bluetooth. We wanted to take the extra steps necessary to ensure that using the BitBox02 Nova with iPhone or iPad does not come with unwanted trade-offs.
Most consumer devices treat Bluetooth as a black box – embedding closed-source code in the main firmware. Whisper takes the opposite stance. We isolate, restrict, encrypt, and de-authorize until Bluetooth becomes what it should be: a user-controlled, convenience-only interface that cannot compromise critical systems. And of course, it not only has strong privacy and security, but also offers the same, simple user experience, which our users expect from their BitBox.
Don’t own a BitBox yet?
Keeping your crypto secure doesn't have to be hard. The BitBox hardware wallets store the private keys for your cryptocurrencies offline. So you can manage your coins safely.
Both the BitBox02 Nova and the BitBox02 also come in a Bitcoin-only edition, featuring a radically focused firmware: less code means less attack surface, which further improves your security when only storing bitcoin.
Pre-order BitBox02 Nova or grab a BitBox02 in our shop!
Shift Crypto is a privately-held company based in Zurich, Switzerland. Our team of Bitcoin contributors, crypto experts, and security engineers builds products that enable customers to enjoy a stress-free journey from novice to mastery level of cryptocurrency management. The BitBox02, our second generation hardware wallet, lets users store, protect, and transact Bitcoin and other cryptocurrencies with ease — along with its software companion, the BitBoxApp.
iPhone, iPad, iOS, macOS, iPadOS and AirPods are trademarks of Apple Inc., registered in the U.S. and other countries.
Bluetooth® is a registered trademark of Bluetooth SIG, Inc. and is used under license.