
Meshtastic

Lately we have bought some more Heltec LoRa radios and have been having fun playing with these cheap little boards.

Being a security-focused team, we have been looking at the usual security properties an attacker goes after:

  • Confidentiality
  • Authenticity
  • Integrity

Confidentiality

One of the main marketing points is that these radio communications are encrypted!

However, the default key is well documented:

  • 0xd4f1bb3a20290759f0bcffabcf4e6901

What most users fail to realise is that, by default, this key is used to encrypt your data packets. Anyone who knows it can therefore decrypt and read your transmitted messages.

By default, all telemetry, position information and Direct Messages are sent over the PRIMARY channel (channel index 0).

This is even worse when you enable MQTT with the default settings.

By that we mean:

  • All telemetry is sent to an MQTT topic at mqtt.meshtastic.org
  • All position data is sent to an MQTT topic at mqtt.meshtastic.org
  • All Direct Messages are sent via MQTT to mqtt.meshtastic.org

So what happens when we roll our own MQTT server…

Mosquitto MQTT

We configured our own Mosquitto service on a Debian Linux instance at a cloud provider. We gave ourselves credentials, configured TLS, and pointed our devices at this new service.

Thinking we were secure, we started sending test messages and Direct Messages to each other.

Unsurprisingly, our MQTT broker logged everything: all messages, all telemetry, all node info, all neighbour info and all DMs!

Things got more interesting when one member of the Test Team put his device into Router mode, with the rebroadcast setting ALL and MQTT Uplink enabled.

We started to see DMs from other Meshtastic users in the local area: their personal messages to each other were being relayed onto our MQTT server. This is most likely because they were still using the default LongFast configuration.

Improving your Confidentiality

Consider the following actions to improve the confidentiality of the current Meshtastic implementation:

  • Disable the primary channel, or
  • Change the channel name and encryption key

With regard to MQTT settings:

  • Disable MQTT, or
  • Roll your own MQTT server

If you still want occasional access to LongFast:

  • Set up a secondary channel named LongFast that uses the default encryption key

Also consider setting device_role to CLIENT_HIDDEN, which should stop your device broadcasting unwanted position and telemetry data.
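To make the confidentiality points above checkable, here is an added audit script (our own example, not Meshtastic project code) that classifies a channel's PSK against the well-known default key quoted earlier and flags the MQTT-uplink and device-role settings discussed in the recommendations. The node dictionary shape is a constructed stand-in for the device config, not the real protobuf; the PSK index rules follow the firmware's channel handling as we understand it.

```python
import base64

# Well-known default channel key quoted on the page (LongFast "default" PSK).
DEFAULT_PSK = bytes.fromhex("d4f1bb3a20290759f0bcffabcf4e6901")

def parse_psk(value):
    """Accept bytes, a '0x' hex string or a 'base64:' string (the forms
    `meshtastic --ch-set psk` takes) and return the raw key bytes."""
    if isinstance(value, (bytes, bytearray)):
        return bytes(value)
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    if value.startswith("base64:"):
        return base64.b64decode(value[len("base64:"):])
    raise ValueError("unrecognised psk encoding: %r" % value)

def classify_psk(psk, primary=False):
    """Return (verdict, reason). Firmware rules: an empty PSK means the default
    key on the primary channel and no crypto on a secondary one; a 1-byte PSK is
    an index (0 = none, 1 = default key, >=2 = default key with its last byte
    bumped by index-1); 16/32 bytes is a user-supplied AES-128/256 key."""
    n = len(psk)
    if n == 0:
        if primary:
            return ("default", "empty PSK on the primary channel falls back to the default key")
        return ("plaintext", "empty PSK on a secondary channel means no encryption")
    if n == 1:
        if psk[0] == 0:
            return ("plaintext", "psk index 0 disables encryption")
        if psk[0] == 1:
            return ("default", "psk index 1 is the well-known default key")
        return ("derived-default", "simple key %d is the default key with one byte changed" % psk[0])
    if n in (16, 32):
        if psk == DEFAULT_PSK:
            return ("default", "custom key field holds the well-known default key")
        if n == 16 and psk[:15] == DEFAULT_PSK[:15]:
            return ("derived-default", "key differs from the default only in its last byte")
        return ("custom", "user-supplied AES-%d key" % (n * 8))
    return ("weak", "non-standard length %d; firmware zero-pads it" % n)

def audit_node(node):
    """node is a constructed dict: 'channels' is a list of
    {'name','psk','primary','uplink_enabled'}, plus 'mqtt_enabled' and 'role'."""
    findings = []
    for ch in node["channels"]:
        verdict, reason = classify_psk(parse_psk(ch["psk"]), ch.get("primary", False))
        if verdict != "custom":
            findings.append("channel %r: %s (%s)" % (ch["name"], verdict, reason))
        if node.get("mqtt_enabled") and ch.get("uplink_enabled") and verdict != "custom":
            findings.append("channel %r: uplinked to MQTT under a key that is not private" % ch["name"])
    if node.get("role") != "CLIENT_HIDDEN":
        findings.append("role %s: device still broadcasts position/telemetry" % node.get("role"))
    return findings

# Constructed sample: a factory-default node (LongFast, psk index 1) with MQTT uplink on.
DEFAULT_NODE = {"mqtt_enabled": True, "role": "CLIENT", "channels": [
    {"name": "LongFast", "psk": b"\x01", "primary": True, "uplink_enabled": True}]}
```

Running `audit_node(DEFAULT_NODE)` yields three findings (default key, MQTT uplink of that channel, non-hidden role); a node with a random 32-byte key, MQTT disabled and role CLIENT_HIDDEN yields none.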
