Mesh Network Security
2-hour workshop Free -- fortnightly in the L-A area
Learning Objectives
- Generate and manage secure PSK keys
- Enable and verify PKC for direct messages
- Explain CVE-2025-52464 and its implications
- Perform a basic threat model for a community mesh
- Follow operational security practices for key distribution
Part 1: Encryption Layers (25 min)
| Layer | Mechanism | Who Can Read |
|---|---|---|
| Channel | AES-256-CTR | All devices with PSK |
| Direct Message | X25519 + AES-256-CCM | Only recipient |
```bash
meshtastic --info   # Check your device's public key
```
Part 2: PSK Management (25 min)
```bash
# Generate a 256-bit PSK (32 random bytes, printed as base64)
openssl rand -base64 32
# Apply to device: the Meshtastic CLI expects the base64: prefix on a base64-encoded PSK
meshtastic --ch-set psk "base64:<your-base64-psk>" --ch-index 0
```
| PSK | Bits | Security |
|---|---|---|
| AQ== (default) | 8 | NONE -- publicly known |
| Short passphrase | ~40-60 | Weak |
| 16-byte random | 128 | Good |
| 32-byte random | 256 | Strong -- LA-Mesh standard |
Part 3: CVE-2025-52464 Case Study (20 min)
CVSSv4: 9.5 (Critical) -- Vendors cloned firmware images without regenerating keys, causing identical key pairs across thousands of devices.
Fix: Firmware v2.7.15+ forces key regeneration. LA-Mesh policy: no device below v2.7.15. v2.7.15 also fixes CVE-2025-24797, CVE-2025-55293, CVE-2025-55292, CVE-2025-53627 and enforces PKI-only DMs.
```bash
# Case-insensitive match, since the version appears as firmwareVersion in the device metadata
meshtastic --info | grep -i firmware
```
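The two checks the LA-Mesh policy implies, as an added example that is not part of the workshop materials or the Meshtastic project: flag every node running firmware below v2.7.15 and every node that presents the same public key as another node (the cloned-key condition behind CVE-2025-52464). The node list, its field names and the keys are constructed assumptions, not real CLI output.

```python
import base64
from collections import defaultdict

MIN_FIRMWARE = (2, 7, 15)  # LA-Mesh policy: no device below v2.7.15

# Constructed sample keys: 32 bytes of a fixed value, base64-encoded like a
# Meshtastic public key. Key A is deliberately reused by two nodes.
KEY_A = base64.b64encode(b"\x01" * 32).decode()
KEY_B = base64.b64encode(b"\x02" * 32).decode()

# Constructed node list; the field names are assumptions, not CLI output.
NODES = [
    {"id": "!aaaa0001", "firmware": "2.7.15.abcdef", "pubkey": KEY_B},
    {"id": "!aaaa0002", "firmware": "2.6.4.1234abc", "pubkey": KEY_A},
    {"id": "!aaaa0003", "firmware": "2.6.11.deadbee", "pubkey": KEY_A},
    {"id": "!aaaa0004", "firmware": "2.7.16.0000000", "pubkey": ""},
]


def parse_version(s):
    """Turn '2.7.15.abcdef' into (2, 7, 15); the trailing build hash is ignored."""
    return tuple(int(p) for p in s.split(".")[:3])


def audit(nodes, min_fw=MIN_FIRMWARE):
    """Return a dict of node id -> list of findings; nodes with no findings are omitted."""
    findings = defaultdict(list)
    nodes_by_key = defaultdict(list)
    for n in nodes:
        try:
            if parse_version(n["firmware"]) < min_fw:
                findings[n["id"]].append("firmware below " + ".".join(map(str, min_fw)))
        except ValueError:
            findings[n["id"]].append("unparseable firmware version")
        if n["pubkey"]:
            nodes_by_key[n["pubkey"]].append(n["id"])
        else:
            findings[n["id"]].append("no public key (PKC unavailable)")
    # A public key seen on more than one node means the key pair was cloned.
    for ids in nodes_by_key.values():
        if len(ids) > 1:
            for i in ids:
                others = ", ".join(x for x in ids if x != i)
                findings[i].append("public key shared with " + others)
    return dict(findings)


if __name__ == "__main__":
    for node_id, problems in sorted(audit(NODES).items()):
        print(node_id, "->", "; ".join(problems))
```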
Part 4: Threat Modeling (30 min)
| Actor | Capability | Likelihood |
|---|---|---|
| Curious neighbor | SDR receiver, basic skills | Medium |
| Local law enforcement | Professional RF equipment | Low-Medium |
| Sophisticated adversary | Full SDR suite, traffic analysis | Very Low |
| Prankster/troll | Meshtastic device | Medium |
Part 5: Operational Security (20 min)
- Enable PKC for direct messages (enforced in v2.7.15+)
- Use a device PIN/screen lock
- Disable GPS position sharing if OpSec requires it
- Monitor node list for unknown devices
- Keep firmware updated