DragonOS demo shows passive Meshtastic sniffer decoding and decrypting traffic

DragonOS Noble put a sharp security point on Meshtastic on June 4: a HackRF and meshtastic-sniffer were enough to passively watch traffic, and in the right setup, decode and decrypt it without joining the mesh. The video, framed as a fresh return to the project, matters because it shows how quickly a radio footprint can become observable once someone is listening the right way on DragonOS, the out-of-the-box Lubuntu-based SDR operating system for x86_64 users.

The sniffer itself is built for that job. Its README describes meshtastic-sniffer as a passive Meshtastic LoRa receiver written in C that runs two decode paths in parallel, a wideband channelizer and a focused decoder pool that wakes up on preamble detections. On a B205mini at 26 Msps, the project says it can cover the full US 902-928 MHz band with every channel decoded at once. It also pushes operator-facing output in JSON, MQTT, ZMQ, CoT, pcap and a web dashboard, while supporting HackRF, BladeRF, USRP, SDRplay, Airspy, RTL-SDR, SoapySDR devices, VITA-49 and VRT over UDP, and IQ file replay.

For operators, that is the warning sign. With keys supplied, meshtastic-sniffer says it can decrypt text messages, GPS positions, NodeInfo, telemetry, routing packets and ATAK PLI traffic. Meshtastic’s own documentation says LoRa payloads use AES256-CTR, but packet headers stay unencrypted so nodes can relay traffic they cannot read. The default primary channel key is the known key “AQ==” unless users change it, and direct messages use public-key cryptography. Meshtastic also warns that it lacks perfect forward secrecy, which makes “harvest now, decrypt later” a real risk if a channel key is exposed later. In a network that now lists 100-plus community-supported devices, more than 1,800 code contributors worldwide, 26 LoRa regions and 39 languages, that is not a narrow edge case.

DragonOS and WarDragon have shown Meshtastic decoding before, including a June 10, 2024 demo with RTL-SDR and GNU Radio. The June 2026 video pushes the same lesson further: passive monitoring is no longer theoretical, and the traffic that feels local and private on a mesh can be collected, indexed and replayed if channel discipline slips.