Blockstream Jade's latest update enables anti-rollback, a protective measure which prevents Jade devices from being downgraded to certain older firmware versions. This extra protection means that attackers looking to exploit outdated firmware cannot trick users into downgrading their device.
Think of it like an added layer of protection from phishing emails, fake websites impersonating Blockstream, and other social-layer attacks.
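To make the downgrade-refusal rule concrete, here is an added illustrative model of an anti-rollback gate. It is not Blockstream Jade's own code; the `Device` class, the `min_allowed` floor and the sample version numbers are assumptions chosen to mirror the 1.0.36 to 1.0.38 upgrade described in this post.

```python
# Illustrative anti-rollback gate (not Jade's implementation).
# Rule modelled: the device keeps a persisted version "floor"; any update whose
# version is below that floor is refused, even if it is a genuine, signed
# older image. The floor only ever moves up, so a later phishing-driven
# "downgrade" request cannot reach a version with a known weakness.
from dataclasses import dataclass, field
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple; reject malformed input."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {s!r}")
    return tuple(int(p) for p in parts)


@dataclass
class Device:
    running: str                    # firmware currently installed (assumed field)
    min_allowed: str                # anti-rollback floor persisted on-device (assumed)
    log: List[str] = field(default_factory=list)

    def install(self, candidate: str, raise_floor: bool = False) -> bool:
        """Install `candidate` only if it is not below the anti-rollback floor.

        Returns True on install, False on refusal. `raise_floor=True` models a
        release that bumps the floor, so older images are locked out afterwards.
        """
        cand = parse_version(candidate)
        if cand < parse_version(self.min_allowed):
            self.log.append(f"REJECT {candidate}: below floor {self.min_allowed}")
            return False
        self.running = candidate
        if raise_floor and cand > parse_version(self.min_allowed):
            self.min_allowed = candidate  # monotonic: the floor is never lowered
        self.log.append(f"INSTALL {candidate} (floor now {self.min_allowed})")
        return True


if __name__ == "__main__":
    # Constructed scenario: a device on 1.0.36 with a low floor takes the
    # 1.0.38 update, after which a downgrade back to 1.0.36 is refused.
    d = Device(running="1.0.36", min_allowed="1.0.0")
    d.install("1.0.38", raise_floor=True)
    d.install("1.0.36")  # a downgrade attempt; refused by the gate
    print("\n".join(d.log))
```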
Why Anti-Rollback Now?
We are enabling this feature in light of a potential vulnerability on select old Jade firmware versions when paired with malicious third-party apps/platforms. This issue has been fully resolved, and we want to thank the security research group DarkNavy for finding and responsibly disclosing this vulnerability to us.
We recommend keeping your firmware upgraded to the latest version.
Am I at Risk?
We have no reports of users being affected by this potential vulnerability.
All users who only pair their Jade with the Blockstream app, a Blockstream service, or a trusted third-party platform are safe.
Our analysis shows that users on firmware 1.0.36 are not vulnerable; however, all users should update to 1.0.38 to eliminate the possibility of being affected through phishing emails or fake websites that trick users into downgrading.
How to Stay Safe
Update your Jade to the latest 1.0.38 version firmware.
Only upgrade from official Blockstream sources. Refer to our troubleshooting guide if you are having problems upgrading.
As always, only pair Jade with the Blockstream app or trusted third-party platforms using their official links. You should only download the Blockstream app from our official website.
We have updated the Blockstream app to require the 1.0.38 Jade firmware and address issues raised by DarkNavy and our own internal security auditing. Thanks again to DarkNavy for their hard work and dedication.
We will continue to work with the open-source community to further strengthen the Bitcoin ecosystem.
To report security issues, please contact security@blockstream.com.
Blockstream will never email you a link to upgrade your Jade or ask for your recovery phrase. Never click on suspicious links or communicate with anyone outside of our official support channels. To avoid impersonators and scammers, use our Help Center for product support.