Meshtastic Public Key Overwrite Vulnerability in NodeInfo Packets
Vulnerability
A vulnerability in Meshtastic firmware versions prior to 2.6.3 allows an attacker to manipulate public key information in the Node database. By first sending a NodeInfo packet with an empty public key, the attacker can clear the existing key for a specific node. They can then send a new, malicious key, which is accepted and stored in the Node database. The attack abuses the firmware's public key handling logic: the safeguard intended to prevent overwriting an existing key no longer applies once the stored key has been cleared, so the replacement key is accepted as if no key had ever been recorded.
Impact
Exploitation of this vulnerability allows unauthorized modification of public key data in the Node database, potentially leading to a malicious key being used in cryptographic operations or to identity impersonation within the mesh network.
Reproduction
To reproduce this vulnerability, send a NodeInfo packet with an empty public key to a target node. This will clear the existing public key for that node. Then, send another NodeInfo packet with a new public key. The firmware will accept this new key and store it in the Node database, overwriting any previous key.
Remediation
Users can upgrade to Meshtastic firmware version 2.6.3 or later to address this vulnerability.
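The following is an added illustration, not Meshtastic's own code or its 2.6.3 patch: a constructed node-database model with the key-update logic the advisory describes (an empty key clears the stored key, which defeats the overwrite guard) beside a hardened variant that refuses to write an empty key, plus a regression check that replays the two-packet sequence above against each handler. All type and function names are hypothetical.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Constructed model of a node database (hypothetical types, not Meshtastic's own).
// A key is modelled as a byte string; empty means "no key stored".
using PubKey = std::string;
struct NodeEntry { PubKey public_key; };
using NodeDb = std::map<uint32_t, NodeEntry>;
using KeyHandler = bool (*)(NodeDb&, uint32_t, const PubKey&);

// Vulnerable pattern described by the advisory: an empty incoming key clears
// the stored key, which defeats the overwrite guard for the next packet.
bool updateKeyVulnerable(NodeDb& db, uint32_t node, const PubKey& incoming) {
    NodeEntry& e = db[node];
    if (incoming.empty()) {           // empty key accepted and stored as "no key"
        e.public_key.clear();
        return true;
    }
    if (!e.public_key.empty() && e.public_key != incoming) {
        return false;                 // guard: never replace a stored key
    }
    e.public_key = incoming;
    return true;
}

// Hardened pattern: an empty key is never written, so the guard cannot be bypassed.
bool updateKeyHardened(NodeDb& db, uint32_t node, const PubKey& incoming) {
    NodeEntry& e = db[node];
    if (incoming.empty()) {
        return false;                 // drop NodeInfo packets carrying no key
    }
    if (!e.public_key.empty() && e.public_key != incoming) {
        return false;                 // guard still applies: keep the first key seen
    }
    e.public_key = incoming;
    return true;
}

// Regression check: replay the advisory's two-packet sequence (empty key, then a
// different key) against a handler and return the key left in the database.
PubKey replayOverwriteSequence(KeyHandler handler) {
    NodeDb db;
    const uint32_t victim = 0x1234abcd;          // constructed node id
    db[victim].public_key = "legit-key";         // constructed original key
    handler(db, victim, "");                     // packet 1: empty key
    handler(db, victim, "attacker-key");         // packet 2: replacement key
    return db[victim].public_key;
}
```

With the vulnerable handler the replay ends with the replacement key stored; with the hardened handler the original key survives both packets.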
