Critical Meshtastic Flaw Allows Attackers to Decrypt Private Messages (gbhackers.com)
from kid@sh.itjust.works to cybersecurity@sh.itjust.works on 25 Jun 11:49
https://sh.itjust.works/post/40932646

#cybersecurity


einfach_orangensaft@sh.itjust.works on 25 Jun 12:27

“Flaw” yeah sure no “Tailored access road” there… I kinda always assumed there is something fishy about Meshtastic…

If you depend on an “off grid” communication device… choose an analog radio that has too dumb of hardware to run an exploit (or broadcast your GPS location lmao).

user224@lemmy.sdf.org on 25 Jun 13:03

So just no security instead?

einfach_orangensaft@sh.itjust.works on 25 Jun 13:42

??? You can run encryption over analog links, I don't quite understand your question.

cyberic@discuss.tchncs.de on 25 Jun 14:02

So that’s illegal…

einfach_orangensaft@sh.itjust.works on 25 Jun 15:38

Depends on the frequency band and nation you are in. In the USA on ham radio? Yeah, not legal. Elsewhere on 11m it's the wild west.

CancerMancer@sh.itjust.works on 26 Jun 16:07

I’m pretty sure it’s illegal to encrypt on amateur bands in the USA. I know with certainty it’s illegal in Canada.

einfach_orangensaft@sh.itjust.works on 26 Jun 16:11

Good thing that the world isn't just North America.

CancerMancer@sh.itjust.works on 26 Jun 19:29

k

redsand@lemmy.dbzer0.com on 25 Jun 15:56

They still need help upgrading the key exchange to be quantum resistant if anyone needs a summer project.

LodeMike@lemmy.today on 25 Jun 23:19

No they don’t “need” help doing that. Quantum resistance is kind of a waste of time considering the largest number factored by these things is 21.

And the known algorithm we have just square roots the search space on average. So a 256-bit key is still secure. Quantum resistance just seems like another industry scam to try and take us away from well supported open-source stuff.

redsand@lemmy.dbzer0.com on 25 Jun 23:40

It’s just math and the relentless march of technology. Fear not, we have lots of open source post quantum cryptography libraries.

LodeMike@lemmy.today on 26 Jun 00:02

Define “post quantum”

InnerScientist@lemmy.world on 26 Jun 00:32

From Wikipedia:

Post-quantum cryptography, sometimes referred to as quantum-proof, quantum-safe, or quantum-resistant, is the development of cryptographic algorithms that are currently thought to be secure against a cryptanalytic attack by a quantum computer.

LodeMike@lemmy.today on 26 Jun 00:59

RSA 4096 is post quantum under this definition.

InnerScientist@lemmy.world on 26 Jun 10:51

RSA 1024 is post quantum if you want to ignore progress in cryptography and use current algorithms. (We have no quantum computers that can crack it right now)

It’s about preparing for quantum computers by using algorithms that are secure against conventional and future quantum computers. If you assume that a quantum computer will exist that can crack RSA 2048/4096, then all data that gets sent right now can be decrypted at that time. If we get working quantum computers in 20 years then in 20 years all banking data, chat messages, emails,… sent with RSA today can be compromised.
If we switch to algorithms that don’t get easier to crack with quantum computers then even when they get strong enough nothing will change and only data sent with older algorithms can be decrypted.

See also the rest of the Wikipedia article, here is a continuation of my previous snippet:

Most widely used public-key algorithms rely on the difficulty of one of three mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems could be easily solved on a sufficiently powerful quantum computer running Shor’s algorithm or possibly alternatives.

As of 2024, quantum computers lack the processing power to break widely used cryptographic algorithms; however, because of the length of time required for migration to quantum-safe cryptography, cryptographers are already designing new algorithms to prepare for Y2Q or Q-Day, the day when current algorithms will be vulnerable to quantum computing attacks.

Smokeydope@lemmy.world on 26 Jun 00:36

The point in time after the first qubit-based supercomputers transitioned from theoretical abstraction to physical proven reality. Thus opening up the can-of-worms of feasibly cracking classical cryptographic encryptions like an egg within human-acceptable time frames instead of longer-than-the-universe's-lifespan timeframes… Thanks, superposition-probability-based parallel computations.

redsand@lemmy.dbzer0.com on 26 Jun 01:28

After quantum. Algorithms for after a quantum computer can crack what’s current.

LodeMike@lemmy.today on 26 Jun 01:30

Can they? Can they really break RSA 4096? Because the algorithm we have to do that just turns it from 256 bits of entropy to 128, which is still not breakable.

redsand@lemmy.dbzer0.com on 26 Jun 02:32

Algorithms. Plural. Shor’s and Grover’s. Nothing public that can break anything in use, but progress marches on and governments are always expected to be 5-10 years ahead.

LodeMike@lemmy.today on 26 Jun 06:40

Hm. It appears I did not know about Shor’s. :/ sorry.

Although I’m willing to bet that it requires an exponential amount of correction qubits.

JackbyDev@programming.dev on 26 Jun 21:36

The idea that people use quantum computers against Meshtastic nodes is pretty funny to me. I think Meshtastic attracts a certain kind of person who is security minded and maybe even prepper adjacent (like ham radio tends to). That leads to some odd things like worrying about nation states attacking their nodes.

To be clear, I’m not saying better security isn’t worth it, nor am I saying it wouldn’t ever happen, but the idea that folks are hiding things that important on Meshtastic is a little silly to me. I think their biggest threat is other hobbyists. Not nation states.

redsand@lemmy.dbzer0.com on 27 Jun 04:20

It’s mostly the issue of saving transmissions for later. Very much not a high priority but solid future planning in the face of governments plagiarizing Orwell and Huxley.

Socsa@sh.itjust.works on 27 Jun 20:24

It’s also not that hard to implement. It’s just a slightly different algorithm.

Also it’s not an industry scam - literally the only standard out so far is from NIST.