this post was submitted on 29 Sep 2025
41 points (97.7% liked)
Meshtastic
A community to discuss Meshtastic (https://meshtastic.org/docs/introduction)
It is mitigated in 2.6.11 https://github.com/meshtastic/firmware/releases/tag/v2.6.11.60ec05e. When I regenerate keys on a node, I get warnings that the public key of that node has changed, and I need to delete the node and wait for the next advertisement to update it. I haven't tried running meshmarauder myself to see if the user profile tampering still works; if they sign and check the updates correctly, I don't see why that would still be broken. The other impersonation stuff does not seem to be released yet.
That said, I think Meshtastic works as a kind of hobby, out-of-band public communication network first and foremost. Even in that kind of setting, knowing who sent which message is valuable, but not a deal breaker in my opinion. Not sure I'd trust it as a network for encrypted person-to-person messaging. And to be fair, compared to "normal" HAM, any kind of attestation is a bonus. And it's license free and relatively cheap to get into.
That release mitigates a previous issue, where different devices would sometimes generate identical secret keys due to a lack of entropy in their random number generation.
This is their response to the issues which this post is about.
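As an added illustration of the two symptoms the comments above describe (a known node whose public key suddenly changes, and several nodes advertising one identical key because of weak key generation), here is a small trust-on-first-use key store written for this thread. It is not the Meshtastic firmware's code, and the node ids and keys in it are constructed.

```python
from collections import defaultdict

# Constructed sample keys (32-byte values written as hex; not real node keys).
KEY_A, KEY_B, KEY_C = "11" * 32, "22" * 32, "33" * 32

class NodeKeyStore:
    """Trust-on-first-use pin store for node public keys (a hypothetical model,
    not the Meshtastic firmware's own implementation)."""

    def __init__(self):
        self.keys = {}  # node_id -> pinned public key

    def on_advertisement(self, node_id, pubkey):
        """Handle a node-info advertisement that carries the sender's public key."""
        known = self.keys.get(node_id)
        if known is None:
            self.keys[node_id] = pubkey      # first contact: pin it
            return "pinned"
        if known == pubkey:
            return "ok"
        # Keep the old key and warn: a silently swapped key looks the same whether
        # the node was legitimately re-keyed or someone is impersonating it.
        return "mismatch"

    def forget(self, node_id):
        """Operator deletes the node so its next advertisement is pinned afresh."""
        self.keys.pop(node_id, None)

    def shared_keys(self):
        """Keys pinned for more than one node: the symptom of low-entropy key generation."""
        by_key = defaultdict(list)
        for node_id, key in self.keys.items():
            by_key[key].append(node_id)
        return {k: sorted(ids) for k, ids in by_key.items() if len(ids) > 1}

def run_scenario():
    """Walk through both failure modes; returns the store's verdicts in order."""
    store = NodeKeyStore()
    verdicts = [
        store.on_advertisement("!a1b2c3d4", KEY_A),  # pinned
        store.on_advertisement("!a1b2c3d4", KEY_A),  # ok
        store.on_advertisement("!a1b2c3d4", KEY_C),  # mismatch: re-keyed or impersonated
    ]
    store.forget("!a1b2c3d4")                        # explicit delete, then re-learn
    verdicts.append(store.on_advertisement("!a1b2c3d4", KEY_C))  # pinned
    # Two different nodes advertising the same key (duplicate-key bug).
    store.on_advertisement("!e5f6a7b8", KEY_B)
    store.on_advertisement("!c9d0e1f2", KEY_B)
    return verdicts, store.shared_keys()
```

A node flagged "mismatch" or listed under shared keys should be re-verified out of band before any message from it is trusted.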