Meshtastic Node Spoofing Vulnerability in HAM Mode Allowing Unauthorized Node Information Forging
Vulnerability
A vulnerability exists in Meshtastic, an open-source mesh networking project, because nodes are identified by a NodeID derived from the device's MAC address rather than by the node's public key. Combined with HAM (licensed amateur radio) mode, which disables encryption, this lets a node be impersonated. An attacker broadcasts a forged NodeInfo that carries the victim's NodeID and claims that HAM mode is active. Receiving nodes do not check that claim against the public key they already hold for the NodeID, so the forged packet overwrites the victim's entry in their NodeDB, and direct messages to the victim are then encrypted with the shared channel key instead of the public key cryptography (PKC) key learned earlier. The same forged packet can also rewrite the victim's displayed identity (long name and short name). The effect is not persistent: each time the victim broadcasts its own NodeInfo the legitimate entry is restored, so the attacker must resend the forged NodeInfo after every such broadcast to keep the downgrade in place.
Impact
An attacker on the mesh can overwrite NodeDB entries on other nodes without holding the victim's key, cause direct messages intended for the victim to be sent under the shared channel key (which the attacker, as a member of that channel, can decrypt), and change the name under which the victim node is displayed.
Reproduction
The vulnerability can be reproduced with two devices that both use PKC. Once they have exchanged NodeInfo and hold each other's public keys, switch one device to HAM mode and have it send a forged NodeInfo. The other device accepts the packet and updates its NodeDB to show the node as being in HAM mode, even though the entry is spoofed and the device already held a public key for that NodeID. Resending the forged NodeInfo whenever the victim node broadcasts its own can be automated.
Remediation
The report recommends two mitigations. First, treat the NodeDB as append-only for identity data: an entry that already carries a public key should not be overwritten by a NodeInfo that lacks that key or claims HAM mode. Second, a device that switches to HAM mode should take a new NodeID (the report suggests deriving it from a different MAC address) so that its HAM identity does not collide with the NodeID under which its public key was learned.
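The overwrite-and-fallback behaviour described under Vulnerability and the append-only NodeDB proposed under Remediation, modelled as an added Python example (not Meshtastic firmware or library code): NodeInfo, VulnerableNodeDB, HardenedNodeDB, key_trace, displayed_name and the NodeID and key constants are simplified stand-ins chosen for illustration, not the project's real protobuf fields or merge logic.

```python
"""Added model of the NodeDB downgrade described above (not Meshtastic
firmware code). NodeInfo, VulnerableNodeDB, HardenedNodeDB and the key
values are simplified stand-ins chosen for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Type

CHANNEL_KEY = b"constructed-shared-channel-psk"  # stand-in for the channel PSK
VICTIM_ID = 0x1A2B3C4D                           # NodeID derived from a MAC address
VICTIM_KEY = b"constructed-victim-public-key"     # stand-in for the victim's PKC key


@dataclass
class NodeInfo:
    node_id: int                        # identity is the MAC-derived ID, not the key
    long_name: str
    short_name: str
    is_licensed: bool = False           # True when the packet claims HAM mode
    public_key: Optional[bytes] = None  # absent in HAM mode, which disables PKC


class VulnerableNodeDB:
    """Keys entries by node_id and lets any NodeInfo overwrite an entry."""

    def __init__(self) -> None:
        self.nodes: Dict[int, NodeInfo] = {}

    def update(self, info: NodeInfo) -> bool:
        self.nodes[info.node_id] = info
        return True

    def dm_key(self, node_id: int) -> bytes:
        """Key a direct message to node_id would be encrypted with."""
        entry = self.nodes[node_id]
        if entry.is_licensed or entry.public_key is None:
            return CHANNEL_KEY      # no PKC key on file: fall back to the shared PSK
        return entry.public_key     # PKC: the DM key is derived from this public key


class HardenedNodeDB(VulnerableNodeDB):
    """Append-only for key material: once an entry holds a public key it is
    not downgraded or renamed by a NodeInfo that does not carry that key."""

    def update(self, info: NodeInfo) -> bool:
        existing = self.nodes.get(info.node_id)
        if existing is not None and existing.public_key is not None:
            if info.public_key != existing.public_key:
                # Reject: a genuine switch to HAM mode should arrive under a
                # new NodeID, not overwrite the entry that holds the key.
                return False
        self.nodes[info.node_id] = info
        return True


# Constructed packets: the victim's own NodeInfo, and the attacker's forgery
# reusing the victim's NodeID while claiming HAM mode and carrying no key.
VICTIM_INFO = NodeInfo(VICTIM_ID, "Victim Node", "VCTM", False, VICTIM_KEY)
FORGED_INFO = NodeInfo(VICTIM_ID, "Pwned Node", "PWND", True, None)


def key_trace(db_cls: Type[VulnerableNodeDB], packets: List[NodeInfo]) -> List[str]:
    """Apply packets in order; after each, record whether a DM to the victim
    would use 'pkc' or the shared 'channel' key."""
    db = db_cls()
    trace = []
    for pkt in packets:
        db.update(pkt)
        trace.append("channel" if db.dm_key(VICTIM_ID) == CHANNEL_KEY else "pkc")
    return trace


def displayed_name(db_cls: Type[VulnerableNodeDB], packets: List[NodeInfo]) -> str:
    """Long name shown for the victim after the packets have been applied."""
    db = db_cls()
    for pkt in packets:
        db.update(pkt)
    return db.nodes[VICTIM_ID].long_name


if __name__ == "__main__":
    # Victim broadcasts, attacker forges, victim re-broadcasts, attacker forges
    # again: the forgery only holds until the next genuine NodeInfo, which is
    # why the attacker has to keep resending it.
    seq = [VICTIM_INFO, FORGED_INFO, VICTIM_INFO, FORGED_INFO]
    print("vulnerable:", key_trace(VulnerableNodeDB, seq))
    print("hardened:  ", key_trace(HardenedNodeDB, seq))
```

Running the module prints the two traces: the vulnerable NodeDB flips between pkc and channel with every forged packet, which is the resend loop the report describes, while the hardened NodeDB never leaves pkc because an entry that already holds a public key refuses any update that does not carry that same key. The hardened policy still records a first-seen node without a key and still accepts a later NodeInfo that adds a key, so it only blocks the downgrade direction.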
