Meshtastic-Android Unencrypted Message Impersonation Vulnerability
Vulnerability
A vulnerability in the Meshtastic-Android application, prior to version 2.5.21, allows an attacker to send an unencrypted direct message to a victim while impersonating any node in the mesh network. The message appears in the same chat as other communications with that node and is falsely indicated as being protected by Public Key Cryptography (PKC). This misrepresentation creates a false sense of security for the victim, who believes the communication is encrypted and legitimate. The issue has been patched in version 2.5.21.
Impact
Exploitation of this vulnerability leads to unencrypted messages being received by the victim, creating a false sense of security regarding the confidentiality of the communication. The victim may inadvertently trust and respond to messages that are actually from an attacker.
Reproduction
To reproduce this vulnerability, use Meshtastic-Android version 2.5.19 with a device running the Meshtastic firmware version 2.6.2. First, ensure that both the sending and receiving devices are in PKC mode. Then, switch one device to HAM mode and send a direct message from the second device. The message will be delivered without PKC encryption, even though it appears to be encrypted, allowing for unauthorized interception of the communication.
Remediation
Users are advised to update to Meshtastic-Android version 2.5.21 or later, which includes a patch for this vulnerability. After updating, the application will correctly handle public key mismatches and provide appropriate warnings when messages are not encrypted with PKC.
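The bug described above comes down to how the client decides which encryption badge to show on an incoming direct message. The following is an added, constructed Python model of that decision and is not Meshtastic's own code: the pre-fix rule derives the badge from whether a public key is stored for the claimed sender node, while the fixed rule derives it from how the radio actually decrypted the packet and whether the sender's advertised key matches the stored one. The `Packet` fields, the `decrypted_via` values and the status strings are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    # Constructed model of an inbound packet; names are assumptions,
    # not Meshtastic's protobuf or Android API.
    from_node: int
    # How the payload was actually decrypted: "pkc" (per-node public key),
    # "channel" (shared channel key) or "none" (sent in the clear, e.g.
    # from a node switched to HAM mode as in the reproduction above).
    decrypted_via: str
    # Sender public key advertised alongside the packet, if any.
    sender_pubkey: Optional[bytes]

def vulnerable_indicator(pkt: Packet, known_keys: dict) -> str:
    # Pre-fix behaviour (constructed): the badge depends only on whether we
    # hold a key for the *claimed* sender id. A plaintext DM that spoofs a
    # node we have a key for is therefore shown as PKC-protected.
    return "PKC" if pkt.from_node in known_keys else "UNENCRYPTED"

def fixed_indicator(pkt: Packet, known_keys: dict) -> str:
    # Fixed behaviour (constructed): trust the decryption path, not the id.
    if pkt.decrypted_via == "none":
        # Cleartext from a sender we expected PKC from is the impersonation
        # case; warn regardless of what the from_node field claims.
        return "WARN_UNENCRYPTED"
    if pkt.decrypted_via == "channel":
        return "CHANNEL"
    stored = known_keys.get(pkt.from_node)
    if stored is None or pkt.sender_pubkey != stored:
        # Key for this node changed or was never pinned: surface it.
        return "WARN_KEY_MISMATCH"
    return "PKC"

def demo() -> dict:
    # Constructed scenario: we have pinned a key for node 0x1234 and then
    # receive a cleartext DM claiming to come from it.
    known = {0x1234: b"constructed-key-1"}
    spoofed = Packet(from_node=0x1234, decrypted_via="none", sender_pubkey=None)
    return {"before_fix": vulnerable_indicator(spoofed, known),
            "after_fix": fixed_indicator(spoofed, known)}

if __name__ == "__main__":
    print(demo())
```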