Writing my first meshcore PR
It's still a work in progress, but having a lot of fun learning this code base!
https://github.com/ripplebiz/MeshCore/pull/96
#lora #meshcore #meshtastic #privacy #networking #esp32 #offgrid
Discussion
I wish I had fewer complaints for meshtastic; comments reminded me of others.
0. Has routing table, doesn't use it
1. Static MAC is used and expected over lora
2. The static MAC is the same or similar to the device ble/wifi mac
3. Location data leaks in unexpected ways
4. MQTT arch is messy af
5. Their simulator is buggy & bad. But it's how they make technical decisions
6. Security is an afterthought (and finally ok-ish)
7. History of non-sane defaults + many users are slow or never upgrade = bad
And if you've seen my defcon talk.... you probably can figure out what I can do with #1, #2, #11 and #12
#13 No conversation privacy in default scalable configuration. Anyone can see your to/from fields and bc #1 it's great metadata.
Need to verify how bad #13 is, I think you can mitigate but most people use a public channel. The header I think is technically encrypted BUT with a known public key so everyone can see who's talking to whom. I think you can get encrypted headers on the public channel but docs aren't clear and it probably limits your hops.
Finally I suspect that IF meshtastic ever does fix their routing algo they will suffer from MITM exploits due to issues around #1, #6, #8, and #9.
Bc when you have MAC as the root of trust I can respond to your MAC and poison the routing table.
There might even be a solid security downgrade attack here too bc they have backwards compatibility for insecure DMs. So once I clone your MAC I can also downgrade security and ppl are trained to accept downgrades.
MeshCore has released their code today.
I've read most of the code and this is fairly early, limited docs, no mobile app and limited hardware testing.
That being said the over the air protocol+routing looks excellent. The code is well designed and fairly slim. The security posture is good and designed in from the start.
They get so much right in so little code. I even think I could make this messtastic compatible faster than they can improve.