When you receive your BitBox02, a quick inspection of the packaging can help identify obvious signs of tampering. This article shows what to look for in the vacuum-sealed bag, explains its limitations, and highlights the attestation check—the ultimate authenticity test performed automatically by the BitBoxApp.
Packaging: what to look for
Upon receiving your device, take a moment to verify the packaging—especially the vacuum-sealed plastic bag:
- Sealed condition: The BitBox02 always ships in a clear, vacuum-sealed plastic bag. It should appear tightly sealed without air pockets.
- Gray pattern: A distinctive gray pattern surrounds all four edges of the bag. The pattern should be continuous and unbroken.
- Bag integrity: Ensure there are no cuts, punctures, tears, or resealing marks on the plastic.
- If you notice anything unusual: If the bag looks opened, irregular, or the pattern is missing, avoid using the device and contact the BitBox support team for guidance.
Reference images
Below are example images showing the vacuum packaging and the characteristic gray-pattern seal.
[Images: BitBox02 Multi edition; BitBox02 Nova Bitcoin-only edition; BitBox02 Bitcoin-only edition]
Please note that the seal markings may appear in slightly different positions on the bag. This is normal and not a cause for concern.
Important note: Packaging helps, but it is not a security guarantee
- The vacuum bag is designed to help users detect obvious packaging interference.
- However, it is not a tamper-proof seal. A sophisticated attacker could reproduce the bag or mimic packaging characteristics.
- Because of this, you should never rely solely on packaging appearance to determine authenticity.
- Your BitBox02’s real protection comes from a system that cannot be faked: the attestation check.
The ultimate authenticity verification: the attestation check
Each BitBox02 contains a secure chip with a unique device attestation key. During manufacturing, Shift Crypto signs a certificate for that key using our root attestation key. This creates a cryptographic link between your specific device and our trusted manufacturing process.
How the attestation check works
- When you connect your BitBox02, the BitBoxApp sends a random challenge to the device.
- Your device must sign this challenge with its attestation key.
- The BitBoxApp verifies the signature using the Shift-Crypto-signed certificate.
- If the signature or certificate is invalid, the BitBoxApp clearly warns you that the device is not authentic.
Because attackers cannot access our root keys and cannot extract keys from the secure chip, a forged or manipulated device cannot pass this check.
This attestation mechanism—not the packaging—is the only reliable way to confirm a BitBox02 is genuine.
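The challenge-response exchange described above, as an added Go example that is not BitBoxApp or BitBox02 firmware code. It assumes Ed25519 signatures and a certificate that is simply the root key's signature over the device public key; the page does not state the real scheme or formats, and `Device`, `Provision`, `Respond`, `Verify` and `Attest` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device models the secure chip; Cert is the root key's signature over Pub (assumed format).
type Device struct {
	key       ed25519.PrivateKey
	Pub, Cert []byte
}

// Provision is the manufacturing step: signer certifies a fresh device key.
func Provision(signer ed25519.PrivateKey) *Device {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{key: key, Pub: pub, Cert: ed25519.Sign(signer, pub)}
}

// Respond is the device side: sign the host's challenge.
func (d *Device) Respond(challenge []byte) []byte { return ed25519.Sign(d.key, challenge) }

// Verify is the host side: cert chains Pub to the pinned root, resp proves key possession.
func Verify(root ed25519.PublicKey, pub, cert, challenge, resp []byte) bool {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(root, pub, cert) {
		return false // key malformed or not certified by the root
	}
	return ed25519.Verify(pub, challenge, resp)
}

// Attest runs one exchange: fresh random challenge, device response, host check.
func Attest(root ed25519.PublicKey, d *Device) bool {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return false
	}
	return Verify(root, d.Pub, d.Cert, c, d.Respond(c))
}

func main() {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader)
	genuine, forged := Provision(rootKey), Provision(attackerKey)
	clone := &Device{key: forged.key, Pub: genuine.Pub, Cert: genuine.Cert} // copied cert, wrong key
	fmt.Println(Attest(rootPub, genuine), Attest(rootPub, forged), Attest(rootPub, clone)) // true false false
}
```

The `clone` case is why the certificate alone is not enough: the public key and certificate can be copied, so the fresh challenge is what proves the device holds the matching private key.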
Additional context: preventing supply-chain attacks
For a deeper explanation of how we protect devices throughout manufacturing and shipping, see our official blog post:
Understanding supply chain attacks — and how we prevent them
Key concepts from the article:
- Hardware wallets can theoretically be interfered with while being shipped.
- Packaging checks provide some reassurance, but they cannot prevent sophisticated attacks.
- The BitBox02 is engineered so that authenticity verification happens inside the secure chip, not through external packaging.
- The attestation check eliminates the possibility of attackers creating valid-looking but fake devices.
- Even if someone accesses a device physically, without the attestation keys they cannot pass the authenticity check.
FAQ (Frequently Asked Questions)
How can I verify that my BitBox02 packaging is genuine?
Inspect the vacuum-sealed bag for a tight seal, a continuous gray pattern, and the absence of cuts or resealing marks. If something looks off, contact BitBox Support.
Does perfect packaging guarantee that my BitBox02 is authentic?
No. Packaging can provide reassurance, but it can also be replicated. The only definitive authenticity check is the attestation check performed by the BitBoxApp.
What is the attestation check?
The attestation check is a cryptographic verification that links your device to Shift Crypto’s secure manufacturing process. Fake or manipulated devices cannot pass it.
When does the attestation check happen?
Automatically when you plug in your BitBox02 and connect it to the BitBoxApp. The app challenges the device, verifies its signed response, and warns you if something is wrong.
What should I do if the packaging looks damaged or unusual?
Do not use the device. Reach out to the BitBox support team for guidance before connecting the BitBox02 to your computer.
Where can I learn more about BitBox02 supply-chain security?
You can read our official article Understanding supply chain attacks — and how we prevent them, which explains how we secure devices from manufacturing to delivery.