Hardware Wallet Review: Digital Bitbox
What is a Digital Bitbox?
Like the title says, it's a hardware wallet. In contrast to your normal garden variety desktop- or mobile wallet, this little thing is completely offline, meaning the risk of your wallet being compromised is A LOT smaller. In a way, it's almost the same as a Yubikey, in case you are familiar with those.
Watch the official introductory video to get a better idea of how it is supposed to work (don't expect anything flashy though):
At least in theory, this thing seems pretty secure. Because you have to physically press a button on the device every time a payment needs to be authorized, the chance that malware is able to steal your funds is minimal.
The device is shipped in a sturdy box which is enclosed in an anti-static bag, which gives a solid impression from the start. I am hoping though that the bag is only intended to keep moisture out, since the Bitbox will be dangling on my keychain in the future.
The contents of the package are as advertised: The Bitbox itself and a 4 GB SD-card. Also, they include two nice stickers.
Following the official quick start guide, I first download the desktop app, in my case the 64-bit version for Windows. Software version at the time of writing: v2.2.1. I also have a look at the code on GitHub, but apart from telling you that it looks tidy and well structured, it is beyond my experience to judge whether the code has any flaws (or maybe I'm just too lazy ;)
After checking the hash of the download, I want to install the application, and there's my first surprise: No installation required. Nice! So I insert the SD-card into the Bitbox, start the application and plug the device into my computer.
Side note: I always find it a little bit icky if the hash of a file is just next to the download-link on a website, especially if the executable I'm downloading is supposed to be really safe because it handles sensitive information. It's so easy to fake one if you manage to manipulate the other. Would it really hurt to do it like the devs of PuTTY? They have a public GPG key which they use to sign the downloads.
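The concern in the side note, as an added example (not code from the original post or from the Digital Bitbox project): a hash shown next to the download link catches accidental corruption, but not a swapped file, because the hash can be swapped along with it. Python's standard library cannot verify GPG signatures, so a digest recorded through a separate channel stands in for the signed reference here; `DownloadPage`, the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    # Constant-time comparison of the computed digest with the reference value.
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


class DownloadPage:
    """Constructed model: a page serving a file with its hash beside the link."""

    def __init__(self, installer: bytes):
        self.installer = installer
        self.published_hash = sha256_hex(installer)

    def replace_contents(self, installer: bytes) -> None:
        # Write access to the page covers the file and the hash next to it.
        self.installer = installer
        self.published_hash = sha256_hex(installer)


def check_against_page(page: DownloadPage) -> bool:
    # Reference value comes from the same origin as the file.
    return digest_matches(page.installer, page.published_hash)


def check_against_pinned(page: DownloadPage, pinned_hex: str) -> bool:
    # Reference value comes from a channel the page cannot rewrite.
    return digest_matches(page.installer, pinned_hex)


def demo():
    genuine = b"constructed sample: genuine installer bytes"
    page = DownloadPage(genuine)
    pinned = sha256_hex(genuine)  # assumption: recorded out of band beforehand
    # Accidental corruption in transit: the on-page hash does catch this.
    corrupted_ok = digest_matches(genuine[:-1], page.published_hash)
    before = (check_against_page(page), check_against_pinned(page, pinned))
    page.replace_contents(b"constructed sample: swapped installer bytes")
    after = (check_against_page(page), check_against_pinned(page, pinned))
    return corrupted_ok, before, after


if __name__ == "__main__":
    print(demo())
```

After the page contents are replaced, the same-origin check still passes while the check against the independently held value fails, which is the property a detached signature provides without the user having to record anything beforehand.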
So far, so good, the device is recognized and the app is asking me to enter a wallet name and password. I'm not completely sure why I need to give it a name, but that's just me...
Since the device will be offline most of the time, I am going to choose a password that's not super strong, but rather easy to enter on any type of keyboard-layout. (Nope, it's not 12345 ;)
Creating the wallet takes a second, I assume that's the internal random generator of the Bitbox taking its time to create a private key. After this is done, the application screen changes again and displays the contents of my wallet. Sadly I encounter the first error right here: The app tells me that it cannot connect to the internet, even though everything else works just fine. Ok. Unplugging and reinserting the device fixes this issue quickly though, and the app seems to be working.
Let's see what happens if I upgrade the firmware. Under the tab 'Options', there's a button 'Upgrade Firmware...'. Alright.
Hm. All that happens is a file explorer window opening. I guess firmware-updates must be downloaded manually. I'm a bit disappointed; it would have been a nice touch if the app did this automatically. The 'Blink LED' button is fun though^^
Pairing mobile app
Overall security can be increased even further by using the mobile app. This then allows you to set up 2FA where you need to authorize payments in the mobile app as well. Also, you can verify if the payment-address the desktop app shows you is really your address.
The pairing process is interesting. The LED on the Bitbox will blink a number of times, and you have to select how often it blinked in the app. After doing this a couple of times you can touch the Bitbox's touch-button to finish the process. Works like a charm.
Now that all is set up, it is time to send some BTC to my new wallet and see if it arrives.
Yes, it worked! I always get an adrenaline rush from sending BTC to a new address.
The last thing to be tested. I will do a transaction w/o 2FA enabled, and another one with it enabled.
Entering destination address, amount and fee
Program is waiting for me to physically touch the Bitbox
It works! Yes I know I don't show it. You will have to take my word for it.
Enabling 2FA is a one way street. Once the Bitbox is locked with 2FA, the wallet can only be changed via a complete device reset.
Program warning me
The payment process is the same as above, but with an additional step on the mobile app:
Confirmation screen on my smartphone (transaction details covered)
This works as well.
More on security
In case you are interested in this device, I suggest you check out the security FAQ to learn more about the different ways someone could steal your money and how the Digital Bitbox prevents that.
The Digital Bitbox seems to me like one of the most promising hardware wallets so far. It is small and very secure. At the moment it supports BTC, ETH, ETC and ERC20 tokens, but the developers are planning to add more coins in the future. Because it is a FIDO U2F authentication token as well, it really makes a good addition to your set of tools to be safe and secure in the digital world.