Meshtastic

1251 readers

1 users here now

A community to discuss Meshtastic (https://meshtastic.org/docs/introduction)

founded 2 years ago

MODERATORS

Sal@mander.xyz

A whole lot of vulnerabilities apparently exist in Meshtastic encryption? (partyon.xyz)

submitted 5 days ago by black_flag@lemmy.dbzer0.com to c/meshtastic@mander.xyz

9 comments fedilink hide all child comments

Thoughts on this?

you are viewing a single comment's thread
view the rest of the comments

[–] rescla@feddit.nl 3 points 4 days ago

It is mitigated in 2.6.11 https://github.com/meshtastic/firmware/releases/tag/v2.6.11.60ec05e. When I re-generate keys on a node I get warnings that the public key of that node is changed, and I need to delete the node and wait for the next advertisement to update it. I haven't tried running meshmarauder myself to see if the user profile tampering still works, if they sign and check the updates correctly I don't see why that would still be broken. The other impersonation stuff does not seem to be released yet.

That said, I think Mestastic works as a kind of hobby, out of band public communication network first and foremost. Even in that kind of setting, knowing who sent which message is valuable, but not a deal breaker in my opinion. Not sure I'd trust it as a network for encrypted person to person messaging. And to be fair, compared to "normal" HAM, any kind of attestation is a bonus. And it's license free and relatively cheap to get into.