Meshtastic Traceroute Response Flood Vulnerability Allowing Reflected Denial-of-Service
Vulnerability
Meshtastic versions prior to 2.5.1 do not rate-limit traceroute responses, so a remote node can elicit an unbounded stream of them from a target. Because every request is answered, an attacker can repeatedly and reliably make a chosen station transmit, collecting on the order of 100 response samples in roughly two minutes. Beyond this positional-confidentiality problem, the behaviour enables a 2:1 reflected denial-of-service against the network: each request the attacker puts on the channel is answered by one response from the target, doubling the airtime consumed. Other denial-of-service methods against Meshtastic networks exist, so this is not the only such route.
Impact
The main impact is to the confidentiality of node position. Each traceroute response is a transmission from the target, so a node can be interrogated reliably enough to estimate where it is, even when location sharing is disabled. The secondary impact is a low-severity denial-of-service: an attacker's requests are reflected as responses from the targeted node, consuming its airtime and the network's, although other denial-of-service routes exist on Meshtastic networks.
Reproduction
To reproduce, send repeated traceroute requests to the target node, either manually from the Meshtastic app or from a bash script that loops over the Python CLI/API. The attacking node must be on the same channel as the target: the same AES channel key (PSK), spreading factor, coding rate, frequency and bandwidth. If any of these differs, the target cannot decode the requests and no responses are elicited.
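The following is an added example, not Meshtastic firmware and not the 2.5.1 fix (the page does not describe how the project implemented its limit). It models the flood described in the Vulnerability and Reproduction sections: a constructed stream of about 100 traceroute requests over two minutes is run through a responder with no limit (the pre-2.5.1 behaviour, giving the 2:1 reflection), then through a responder with a per-requester minimum spacing, and finally with an additional global minimum spacing. Node numbers, the request cadence and the limiter settings are assumptions chosen for the demonstration.

```python
"""
Added example, not Meshtastic firmware or the 2.5.1 fix: a small model of the
traceroute flood and of the kind of per-requester and global rate limit that
closes it. Node numbers, the request cadence and the limiter settings are
assumptions constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One traceroute request as seen by the target: (receive time in ms, source node number).
Request = Tuple[int, int]

# Constructed traffic: ~100 requests over ~2 minutes, the rate the advisory
# reports an attacker can sustain against a target (hypothetical node numbers).
ATTACKER = 0xA77AC4E2
TARGET = 0x7A26E701
REQUEST_INTERVAL_MS = 1200
NUM_REQUESTS = 100


def single_attacker_requests(n: int = NUM_REQUESTS) -> List[Request]:
    """Flood from one station using its real node number."""
    return [(i * REQUEST_INTERVAL_MS, ATTACKER) for i in range(n)]


def spoofed_source_requests(n: int = NUM_REQUESTS, sources: int = 10) -> List[Request]:
    """Same flood, but the attacker rotates through forged source node numbers
    to defeat a limiter that is keyed on the requester alone."""
    return [(i * REQUEST_INTERVAL_MS, ATTACKER + (i % sources)) for i in range(n)]


@dataclass
class TracerouteResponder:
    """Models the target's decision to answer a traceroute request.

    per_source_min_ms: minimum spacing between responses to one requester.
    global_min_ms:     minimum spacing between any two traceroute responses.
    None disables that check; both None reproduces the pre-2.5.1 behaviour
    of answering every request.
    """
    per_source_min_ms: Optional[int] = None
    global_min_ms: Optional[int] = None
    _last_by_source: Dict[int, int] = field(default_factory=dict, init=False)
    _last_global: Optional[int] = field(default=None, init=False)

    def handle(self, now_ms: int, src: int) -> bool:
        """Return True if a response is transmitted for this request."""
        if self.per_source_min_ms is not None:
            last = self._last_by_source.get(src)
            if last is not None and now_ms - last < self.per_source_min_ms:
                return False
        if self.global_min_ms is not None:
            if self._last_global is not None and now_ms - self._last_global < self.global_min_ms:
                return False
        # Only an actual response consumes the budget; a dropped request costs
        # the target nothing on air.
        self._last_by_source[src] = now_ms
        self._last_global = now_ms
        return True


def simulate(requests: List[Request], responder: TracerouteResponder) -> Dict[str, float]:
    """Run a request list through a responder and count the on-air cost.

    Every request is one packet the attacker puts on the channel; every
    response is one more packet, transmitted by the target. packets_on_air
    divided by attacker packets is the reflection factor (2.0 is the 2:1
    figure in the advisory).
    """
    responses = sum(1 for t, src in requests if responder.handle(t, src))
    on_air = len(requests) + responses
    return {
        "requests": len(requests),
        "responses": responses,
        "packets_on_air": on_air,
        "reflection": on_air / len(requests),
    }


if __name__ == "__main__":
    scenarios = {
        "unlimited, single source": (single_attacker_requests(), TracerouteResponder()),
        "per-source 30 s, single source": (
            single_attacker_requests(), TracerouteResponder(per_source_min_ms=30_000)),
        "per-source 30 s, 10 spoofed sources": (
            spoofed_source_requests(), TracerouteResponder(per_source_min_ms=30_000)),
        "per-source 30 s + global 10 s, 10 spoofed sources": (
            spoofed_source_requests(),
            TracerouteResponder(per_source_min_ms=30_000, global_min_ms=10_000)),
    }
    for name, (reqs, responder) in scenarios.items():
        r = simulate(reqs, responder)
        print(f"{name}: {r['responses']} responses to {r['requests']} requests, "
              f"{r['packets_on_air']} packets on air (x{r['reflection']:.2f})")
```

In the live reproduction the loop in the text wraps the Python CLI's traceroute command (`meshtastic --traceroute '!<nodeid>'`) in a shell loop with a short sleep; the model above stands in for that exchange so it runs offline. The two limited scenarios show the caveat a practitioner should check in any fix: a limit keyed on the requester alone still lets an attacker who can vary the source node number in its requests extract ten times as many transmissions from the target, so a global budget on traceroute responses is needed as well.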
Remediation
Update to Meshtastic version 2.5.1 or later, which adds rate limiting for traceroute responses.
