Meshtastic Firmware Downgrade Vulnerability in PKI Encryption for Direct Messages
Vulnerability
A vulnerability in Meshtastic firmware versions prior to 2.7.15 allows for a downgrade attack on the newly introduced asymmetric encryption for direct messages. When the 'pki_encrypted' flag is absent, the firmware reverts to the older AES-256-CTR channel encryption, a decision made for backward compatibility. However, this fallback creates a security issue, as end-user applications cannot distinguish between messages encrypted with the new PKI method and those using the legacy encryption. Adversaries aware of a shared channel key can craft and send spoofed direct messages that appear to be PKI encrypted, undermining the security intended by the encryption update. This vulnerability affects all Meshtastic firmware users between versions 2.5 and 2.7.15 who rely on PKI for direct message security.
Impact
Exploitation of this vulnerability allows for the spoofing of direct messages, breaking the security guarantees of the PKI implementation and enabling impersonation of any node on the network.
Reproduction
To reproduce this vulnerability, create a channel that includes the target node. Then, craft a MeshPacket addressed to that node without the 'pki_encrypted' flag. Encrypt a TEXT_MESSAGE_APP payload using the known AES-256-CTR channel key and inject the packet over LoRa or MQTT. The recipient node will accept and display the message as a direct communication, without any indication that it was decrypted using the legacy encryption method.
Remediation
Users can update to Meshtastic firmware version 2.7.15 or later, where this vulnerability has been fixed.
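The acceptance decision described above, as an added example that is not taken from the Meshtastic firmware and is not a description of the 2.7.15 fix: it models the fallback beside one possible receive-side policy that refuses a channel-key direct message when the sender is already known to support PKI. The struct, enum, function names and node numbers are hypothetical and constructed for this sketch.

```cpp
#include <cstdint>
#include <cstdio>
#include <set>

// Hypothetical model of a received packet after decryption; field names are
// illustrative and are not the firmware's own structures.
struct RxPacket {
    std::uint32_t from;
    std::uint32_t to;
    bool pki_encrypted; // true only when the asymmetric (PKI) path decrypted it
};

constexpr std::uint32_t BROADCAST = 0xFFFFFFFFu; // broadcast address assumed for this sketch
enum class Verdict { AcceptPki, AcceptChannel, AcceptLegacyDm, RejectDowngrade };

// Behaviour the advisory describes: without the flag the channel key is used,
// and a direct message gets the same verdict as ordinary channel traffic.
Verdict vulnerable_policy(const RxPacket &p) {
    return p.pki_encrypted ? Verdict::AcceptPki : Verdict::AcceptChannel;
}

// One possible hardened policy (an assumption, not the project's code): a direct
// message from a peer whose public key we hold must arrive via the PKI path;
// peers with no known key are accepted but tagged so the UI can label them.
Verdict hardened_policy(const RxPacket &p,
                        const std::set<std::uint32_t> &peers_with_pubkey) {
    if (p.to == BROADCAST) return Verdict::AcceptChannel;
    if (p.pki_encrypted) return Verdict::AcceptPki;
    if (peers_with_pubkey.count(p.from)) return Verdict::RejectDowngrade;
    return Verdict::AcceptLegacyDm;
}

int main() {
    std::set<std::uint32_t> keys = {0x1111u};     // constructed: peer 0x1111 has a known key
    RxPacket dm{0x1111u, 0x2222u, false};         // constructed DM lacking the PKI flag
    std::printf("vulnerable=%d hardened=%d\n",
                static_cast<int>(vulnerable_policy(dm)),
                static_cast<int>(hardened_policy(dm, keys)));
    return 0;
}
```

The separate `AcceptLegacyDm` verdict is what lets a client application show which encryption path a direct message took, the distinction the advisory says was missing.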
