Which brings me to part two, MeshMarauder.
An open source tool demonstrating proof-of-concept exploits against the DEFCON 33 Meshtastic firmware.
MeshMarauder will demostrate:
- Tracking user activity on any mesh regardless of encryption usage
- Hijack all meshtastic user profile metadata
- Change any users public key
- Send messages as any user in channel chats that appear authentic
- MITM direct messages
https://meshmarauder.net
#defcon #meshtastic #meshmarauder #cybersecurity
should the devs even bother encrypting at all given that it’s not a primary focus for them?
Yes, imo, even doing what they’re doing now (without TOFU, trivially vulnerable to active attacks) is better than not encrypting at all - they should just have been forthright with users about it having been designed to only provide confidentiality from passive adversaries.
But also, they should actually mitigate active adversaries by implementing TOFU. And then still, they should be more forthright about Meshtastic not being designed for privacy (re: enabling location tracking, etc, even absent GPS).
Yes, imo, even doing what they’re doing now (without TOFU, trivially vulnerable to active attacks) is better than not encrypting at all - they should just have been forthright with users about it having been designed to only provide confidentiality from passive adversaries.
But also, they should actually mitigate active adversaries by implementing TOFU. And then still, they should be more forthright about Meshtastic not being designed for privacy (re: enabling location tracking, etc, even absent GPS).