Project Security Model
A serious assessment of the security model, its implemented defenses, and the risks organizers should be aware of.
CRITICAL WARNING
This system is designed for authenticated public communication, not for secrecy. All messages should be considered public. The primary security goal is to ensure that messages from an "Organizer" are authentic and that the network is resilient to common attacks. Do not transmit information that could endanger individuals if it were intercepted.
Defenses Implemented
Message Authentication (Anti-Impersonation): Every message is protected by an HMAC-SHA256 signature. This proves that the message was sent by a node possessing the secret mesh key (i.e., an Organizer or trusted node) and has not been tampered with. This is the core defense against an adversary injecting fake "Organizer" messages.
Message Confidentiality (Anti-Eavesdropping): The entire message payload (including the HMAC) is encrypted using AES-CTR. This prevents a passive eavesdropper from reading the content of your messages just by listening to the radio traffic.
Strong Key Derivation (Anti-Brute-Force): The human-readable Organizer Password is not used directly. It is "stretched" using a 1000-iteration PBKDF2-lite (HMAC-SHA256) function to create a strong 128-bit cryptographic key. This makes it computationally expensive for an attacker to guess the password, even if they capture a message.
Replay Attack Prevention: Each node maintains a cache of recently seen messages. This prevents an attacker from capturing a valid, encrypted message and re-broadcasting it hundreds of times to flood the network (a Denial-of-Service attack).
Real-Time Threat Detection
The firmware doesn't just protect data; it actively monitors its environment for attacks and logs them to Non-Volatile Memory (NVM). Organizers can view these forensic logs from the web interface.
Advanced Jamming Detection: The system uses a two-factor mechanism. It first detects a prolonged loss of valid packets from peers. Then, it activates a promiscuous "sniffer" mode to sample the channel's raw noise floor (RSSI). This allows it to intelligently distinguish between true RF jamming (high noise) and a situation where peers are simply offline (low noise).
Infiltration Attempt Detection: The firmware monitors all organizer password updates. If it detects multiple, conflicting passwords being broadcast in a short time window, it flags an "Infiltration Alert." This is a direct defense against an attacker trying to hijack the mesh by broadcasting a fake password.
HMAC Failure Logging: Any message that arrives but fails its HMAC authentication check is silently dropped and its sender's MAC is logged. This provides a clear, persistent record of tampering or impersonation attempts.
Protections That Cannot Be Guaranteed
Sender Anonymity: Anonymity CANNOT be guaranteed. When a user connects to a node's Wi-Fi, their phone broadcasts its unique MAC address. While messages are rebroadcast from the node's MAC, a sophisticated adversary with tracking equipment could correlate signals and log connections. Assume all connections are traceable.
Resistance to Sophisticated Attacks: The ESP32 is a low-cost device. It is vulnerable to advanced radio frequency (RF) attacks, targeted physical seizure, and hardware "side-channel" attacks that can extract keys stored in flash memory. This is a "best-effort" system, not a military-grade one.
Protection from Internet Censorship: This is a localized "offline" mesh network. It CANNOT connect users to the open internet or bypass wide-area network blocks. Its utility is strictly for local communication between participants at the event.
Organizer Responsibility (Operational Security)
The efficacy of this mesh relies heavily on the operational security (OPSEC) practices of the deploying organization.
- "Secure Mode" vs. "Compatibility Mode": The "Compatibility Mode" (web flash) is inherently insecure during its initial setup, as the first password is broadcast using a known key. An attacker can listen for this. Use the "Secure Mode" (Offline Flasher Kit) for any real-world deployment where direct hostility is likely. Steps are taken to make compatibility mode a headache to abuse, but in the end it's inherently insecure.
- Physical Security: Secure your physical ESP32 devices. A device in hostile hands is a compromised device. An attacker can extract the mesh key from a captured device.
- Key Compromise Response: If an ESP32 device is lost, seized, or suspected of being compromised, you MUST assume the entire mesh key is exposed. The only solution is to reflash the *entire fleet* of remaining devices with a new, secure key generated by the Offline Flasher Kit.
- Use Common Sense: Do not blindly follow directions sent over the mesh—even "Organizer" messages—if they seem suspicious, out of character, or direct participants toward danger. Always have a non-technical backup plan for critical communications.