1mo ago

Critical Meshtastic Flaw Allows Attackers to Decrypt Private Messages

Meshtastic developers released firmware version 2.6.11 with critical fixes:

Key generation delay: Keys are now generated when users first set their LoRa region, preventing vendor-side duplication. Entropy improvements: Added multiple randomness sources to strengthen cryptographic initialization. Compromised key detection: Devices now warn users if known vulnerable keys are detected. An upcoming version (2.6.12) will automatically wipe compromised keys. For immediate protection, users should:

Update devices to firmware 2.6.11 or later. Perform a factory reset using Meshtastic’s CLI: meshtastic –factory-reset-device. Manually generate high-entropy keys via OpenSSL for critical deployments.