An attacker can set up a modified repeater that accepts adverts and retransmits them with the same node name but a new public key.
Companion nodes will then see duplicate nodes with different keys. A new user may not be aware of which node is the correct one unless they learn the public key out of band.
The malicious repeater can accept traffic addressed to these fake nodes and forward it to the original node, decrypting and reading it in between.
The attacker is now aware of room / repeater passwords and can log into them directly at a time that's convenient.
Fixes:
Rather than sending passwords as plaintext to initiate a session, consider using SPAKE2 to authenticate traffic to rooms & repeaters. The actual password is never sent over the air, which at the very least prevents an attacker from capturing a password and reusing it later. Going a step further, the shared AES key could be derived from the current public keys combined with the SPAKE2-derived secret; a relay that substitutes its own key would then derive a different session key than the real node, which would block MITM traffic sniffing entirely.
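As an added example, not part of this issue or the project's code: a toy SPAKE2 exchange in Python that shows both sides' messages, that only blinded group elements go over the air, and that binding both identity public keys into the key transcript makes a relay that advertised its own key fail key confirmation. Everything below is an assumption made for the example: a 64-bit safe-prime group found at import time (far too small for real use; a deployment would use a standard MODP group or an elliptic curve), plain SHA-256 in place of a memory-hard password KDF, and placeholder byte strings standing in for the nodes' real public keys.

```python
import hashlib
import hmac
import random
import secrets
from typing import Tuple

# Toy group: a 64-bit safe prime P = 2Q + 1 found at import time (ASSUMPTION for this
# example; real deployments use a standard group such as RFC 3526 group 14 or a curve).
# All arithmetic happens in the order-Q subgroup of quadratic residues mod P.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic for n < 3.3e24


def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with a fixed base set (deterministic for the sizes used here)."""
    if n < 2:
        return False
    for sp in _MR_BASES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _find_safe_prime(bits: int, rng: random.Random) -> int:
    """Return P = 2Q + 1 with both P and Q prime and P exactly `bits` bits long."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1


P = _find_safe_prime(64, random.Random(20240601))  # seeded: same toy parameters every run
Q = (P - 1) // 2                                   # prime order of the subgroup we work in
G = 4                                              # 2^2 is a quadratic residue, so it generates the order-Q subgroup


def _hash_to_group(label: bytes) -> int:
    """Map a label to a subgroup element whose discrete log nobody knows (squaring lands in the subgroup)."""
    ctr = 0
    while True:
        h = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % P
        e = pow(h, 2, P)
        if e not in (0, 1):
            return e
        ctr += 1


M = _hash_to_group(b"SPAKE2 M")  # password mask used by side A
N = _hash_to_group(b"SPAKE2 N")  # password mask used by side B


def _password_scalar(password: bytes) -> int:
    # ASSUMPTION: plain SHA-256 stands in for the memory-hard KDF (scrypt/Argon2) used in practice.
    return int.from_bytes(hashlib.sha256(b"spake2-pw|" + password).digest(), "big") % Q


def _enc(v) -> bytes:
    """Length-prefixed encoding so transcript fields cannot run into each other."""
    b = v if isinstance(v, bytes) else v.to_bytes(8, "big")
    return len(b).to_bytes(2, "big") + b


class Spake2Side:
    """One side (role 'A' or 'B') of a SPAKE2 exchange, bound to both identity public keys."""

    def __init__(self, role: str, my_pub: bytes, peer_pub: bytes, password: bytes):
        assert role in ("A", "B")
        self.role, self.my_pub, self.peer_pub = role, my_pub, peer_pub
        self.w = _password_scalar(password)
        self.x = secrets.randbelow(Q - 1) + 1            # ephemeral secret exponent
        mask = M if role == "A" else N
        # The only thing sent over the air: g^x blinded by mask^w. No password, no w.
        self.msg = (pow(G, self.x, P) * pow(mask, self.w, P)) % P

    def finish(self, peer_msg: int) -> bytes:
        """Derive the session key and our confirmation tag from the peer's message."""
        peer_mask = N if self.role == "A" else M
        # Strip the peer's mask using OUR w; a wrong password leaves an unrelated element behind.
        unmasked = (peer_msg * pow(pow(peer_mask, self.w, P), -1, P)) % P
        k = pow(unmasked, self.x, P)                     # g^(xy) when both passwords match
        if self.role == "A":
            a_pub, b_pub, a_msg, b_msg = self.my_pub, self.peer_pub, self.msg, peer_msg
        else:
            a_pub, b_pub, a_msg, b_msg = self.peer_pub, self.my_pub, peer_msg, self.msg
        # The transcript binds both identity keys, both messages, the shared element and w,
        # so a relay that swapped in its own identity key derives a different session key.
        transcript = b"".join(_enc(v) for v in (a_pub, b_pub, a_msg, b_msg, k, self.w))
        self.key = hashlib.sha256(transcript).digest()
        self.confirm = hmac.new(self.key, b"confirm|" + self.role.encode(), "sha256").digest()
        return self.key

    def verify_peer(self, peer_confirm: bytes) -> bool:
        peer_role = b"B" if self.role == "A" else b"A"
        expected = hmac.new(self.key, b"confirm|" + peer_role, "sha256").digest()
        return hmac.compare_digest(expected, peer_confirm)


def run_handshake(pw_a: bytes, pw_b: bytes, a_view: tuple, b_view: tuple) -> Tuple[bool, bytes, bytes]:
    """a_view / b_view are (my_pub, peer_pub) as each side believes them. Returns (confirmed, key_a, key_b)."""
    a = Spake2Side("A", *a_view, pw_a)
    b = Spake2Side("B", *b_view, pw_b)
    key_a = a.finish(b.msg)
    key_b = b.finish(a.msg)
    ok = a.verify_peer(b.confirm) and b.verify_peer(a.confirm)
    return ok, key_a, key_b


# Constructed placeholder identity keys (not real curve points).
USER_PUB = b"user-pubkey-0001"
ROOM_PUB = b"room-pubkey-0001"
MITM_PUB = b"attacker-pubkey-01"

if __name__ == "__main__":
    print("correct password:", run_handshake(b"hunter2", b"hunter2", (USER_PUB, ROOM_PUB), (ROOM_PUB, USER_PUB))[0])
    print("wrong password:  ", run_handshake(b"hunter2", b"wr0ng", (USER_PUB, ROOM_PUB), (ROOM_PUB, USER_PUB))[0])
    # The user learned the room's "key" from a forged advert, so they bind MITM_PUB; the room binds its own.
    print("key substituted: ", run_handshake(b"hunter2", b"hunter2", (USER_PUB, MITM_PUB), (ROOM_PUB, USER_PUB))[0])
```

The third call is the scenario from the issue: both sides hold the correct password, but the user's contact entry carries the attacker's key, so the two transcripts disagree and confirmation fails before any payload is exchanged. Without the identity binding, that handshake would succeed through a transparent relay, which is still an improvement over a plaintext password (the relay learns nothing it can reuse), but it would not tell the user that the node they trust is not the one they think it is.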
Mitigations:
Ideally the companion node should do a better job of highlighting when multiple nodes share a name but have different keys. Something simple like displaying Node (1) and Node (2) would be enough to make people look twice.
Diceware-style word encoding derived from a hash of the public key and displayed in the contact details might be a useful way for users to establish trust. I'm never going to remember a public key that looks like "9bd1a3c00xxxxx", but I might remember something like "maple-raven-orbit-copper".
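Both mitigations above in one added example (not the project's own code): given the adverts a companion heard, collapse repeated adverts of the same name and key, number names that show up with more than one key, and attach a word fingerprint derived from SHA-256 of the key. The 64-word list and the placeholder keys are constructed for this example; a deployment would use a published list such as the EFF large wordlist. One caveat a practitioner should keep in mind: four words from a 7776-word list carry about 52 bits, enough to stop honest confusion but not enough to stop an attacker who grinds keypairs until the fingerprint collides, so the displayed fingerprint should be long enough (or backed by the full key) for the trust decision being made.

```python
import hashlib

# Toy word list, 64 entries constructed for this example (6 bits per word). A real
# deployment would use a published list such as the EFF large wordlist (7776 words).
WORDS = [
    "maple", "raven", "orbit", "copper", "amber", "birch", "cedar", "delta",
    "ember", "falcon", "garnet", "harbor", "ivory", "jasper", "kelp", "lemon",
    "marble", "nickel", "olive", "pebble", "quartz", "river", "summit", "timber",
    "umber", "velvet", "walnut", "yarrow", "zephyr", "anchor", "basil", "canyon",
    "dune", "eagle", "fjord", "glacier", "heron", "island", "juniper", "kestrel",
    "lagoon", "meadow", "nectar", "oasis", "prairie", "quill", "ridge", "saffron",
    "tundra", "valley", "willow", "zinc", "alder", "bramble", "cobalt", "drift",
    "ferry", "granite", "hazel", "indigo", "jade", "lantern", "mesa", "nimbus",
]


def fingerprint_words(pubkey: bytes, count: int = 4) -> str:
    """Derive `count` words from SHA-256(pubkey); the same key always yields the same words."""
    h = int.from_bytes(hashlib.sha256(pubkey).digest(), "big")
    out = []
    for _ in range(count):
        h, idx = divmod(h, len(WORDS))  # consume log2(len(WORDS)) bits of the hash per word
        out.append(WORDS[idx])
    return "-".join(out)


def label_contacts(adverts):
    """Turn heard adverts into display rows.

    adverts: iterable of (name, pubkey_bytes) in the order they were heard.
    Returns a list of (display_name, fingerprint) in first-seen order. A name that was
    heard with more than one key gets a "(1)", "(2)", ... suffix so the duplicate is visible.
    """
    unique = list(dict.fromkeys(adverts))  # dedupe identical (name, key) pairs, keep order
    keys_per_name = {}
    for name, key in unique:
        keys_per_name.setdefault(name, []).append(key)
    rows = []
    for name, key in unique:
        keys = keys_per_name[name]
        display = name if len(keys) == 1 else f"{name} ({keys.index(key) + 1})"
        rows.append((display, fingerprint_words(key)))
    return rows


# Constructed placeholder keys (32 bytes each, not real node keys).
HILLTOP_REAL = bytes.fromhex("a1" * 32)
HILLTOP_FAKE = bytes.fromhex("c3" * 32)  # attacker's key re-advertised under the same name
VALLEY_ROOM = bytes.fromhex("b2" * 32)

SAMPLE_ADVERTS = [
    ("Hilltop Repeater", HILLTOP_REAL),
    ("Valley Room", VALLEY_ROOM),
    ("Hilltop Repeater", HILLTOP_FAKE),  # the impersonating repeater from the issue
    ("Hilltop Repeater", HILLTOP_REAL),  # real node heard again: same key, no new entry
]

if __name__ == "__main__":
    for display, words in label_contacts(SAMPLE_ADVERTS):
        print(f"{display:24s} {words}")
```

The user who wrote down "maple-raven-orbit-copper" when they first met the real Hilltop Repeater can now tell which of "Hilltop Repeater (1)" and "Hilltop Repeater (2)" is the one they already trust, without reading hex.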