Unknown · Meshtastic · CVE-2025-52464
**Name of the Vulnerable Software and Affected Versions**
Meshtastic versions 2.5.0 through 2.6.10
**Description**
Meshtastic is an open source mesh networking solution. The flashing procedure used by several hardware vendors resulted in the same public/private key pair being duplicated across devices. Additionally, on some platforms Meshtastic failed to properly initialize its internal randomness pool, which could lead to low-entropy key generation. When users with an affected key pair sent Direct Messages, those messages could be captured and decrypted by an attacker who had compiled a list of the compromised keys.
**Recommendations**
For versions 2.5.0 through 2.6.10, update to version 2.6.11 or later, which delays key generation until the first time the LoRa region is set and warns users when a compromised key is detected.
As a temporary workaround for versions 2.5.0 through 2.6.10, consider performing a complete device wipe to remove vendor-cloned keys.
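The two failure modes above (vendor-cloned key pairs and keys flagged as compromised) can be checked for across a fleet before relying on Direct Messages. The following is an added example, not code from the Meshtastic project or the advisory: it audits an inventory of node public keys for keys shared by more than one node and for keys present on a compromised-key list. It assumes each node's public key is exported as a base64-encoded 32-byte X25519 key; the inventory and the compromised list are constructed sample data.

```python
import base64
from collections import defaultdict


def _sample_key(seed):
    # Constructed deterministic 32-byte value, base64-encoded; not a real key.
    return base64.b64encode(bytes((seed * 7 + i) % 256 for i in range(32))).decode()


# Constructed inventory: node id -> base64 public key as exported from each node's
# config. Assumed format: 32-byte X25519 public key, base64-encoded.
# node-a and node-c deliberately share a key (the vendor-cloned case); node-d's key
# is on the compromised list; node-e's value is malformed.
SAMPLE_NODES = {
    "node-a": _sample_key(1),
    "node-b": _sample_key(2),
    "node-c": _sample_key(1),
    "node-d": _sample_key(3),
    "node-e": "AAAA",
}

# Constructed stand-in for a published list of compromised public keys.
COMPROMISED_KEYS = {_sample_key(3), _sample_key(9)}


def decode_key(b64):
    """Return the raw 32-byte key; raise ValueError on bad encoding or length."""
    raw = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(raw) != 32:
        raise ValueError("expected 32-byte key, got %d bytes" % len(raw))
    return raw


def audit_keys(nodes, compromised):
    """Flag nodes whose key is shared, on the compromised list, or unparsable."""
    by_key = defaultdict(list)
    compromised_raw = {decode_key(k) for k in compromised}
    report = {"duplicates": {}, "compromised": [], "malformed": []}
    for node_id, b64 in nodes.items():
        try:
            raw = decode_key(b64)
        except ValueError:
            report["malformed"].append(node_id)
            continue
        by_key[raw].append(node_id)
        if raw in compromised_raw:
            report["compromised"].append(node_id)
    # Any key seen on more than one node is a cloned key pair and must be regenerated.
    report["duplicates"] = {raw.hex(): ids for raw, ids in by_key.items() if len(ids) > 1}
    return report


if __name__ == "__main__":
    for kind, entries in audit_keys(SAMPLE_NODES, COMPROMISED_KEYS).items():
        print(kind, entries)
```

Nodes reported under any of the three headings should be wiped and have fresh keys generated on firmware 2.6.11 or later.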