Certain Home Assistant servers can be remotely hacked with this tiny $22 radio

MeshCore cards for Home Assistant dashboards allow HTML delivered by mesh nodes to be rendered, potentially allowing the delivery of malicious payloads to the host.


Independent developer Sasha Romijn published a blog post today describing a vulnerability she discovered in Home Assistant dashboards with certain MeshCore-focused HACS software installed. The vulnerability lets mesh-connected node owners deliver malware to those HA server hosts.

Certain HA cards allow for mesh-delivered payloads

The vulnerability Romijn found lets anyone with a MeshCore device (called a "node") whose advertisements reach someone running a vulnerable version of MeshCore Card on their Home Assistant (HA) dashboard inject HTML into the card. When the HA user views the dashboard, the HTML is rendered, allowing the node owner to deliver a malicious payload to the HA host device.

sash (@sash@hachyderm.io)
I found that crafted #MeshCore node names could compromise #HomeAssistant instances running meshcore-card, with an XSS leading to remote root access on the HA host. An attacker could then access anything controlled or visible through Home Assistant. The attacker doesn’t need to be near the target, as MeshCore advertisements are repeated over the mesh, which is dense in NL. This also affects around 20 public MeshCore analyzer websites. Some of those run CoreScope, where it looks like a vibecoding bot broke the XSS filter while hallucinating a bugfix. The analyzers are mostly public data though. In addition, the less popular MeshCore-Home-Assistant-Panel-v2 is likely also affected, but I was unable to make contact with the maintainer. MeshCore node names are only 32 bytes, and each is rendered in a different place in the page, so I had to be creative to run a more substantial payload. I found a way with three node names using an iframe feature I had never heard of before. https://mxsasha.eu/posts/meshcore-xss-home-assistant/

MeshCore Card is available to HA users through the Home Assistant Community Store (HACS). Also affected are similar cards carrying "panel-v2" labels and, to a lesser extent, several MeshCore analyzer websites.

How it works

To demonstrate, Romijn changed her node's name to <img src=//s42.re/p.pn> which, when rendered, placed an invisible tracking pixel. That's a rather innocuous attack, but she described in her blog post how the use of a DOM quirk could allow someone to remotely install and run malware that gives the attacker root access to a server displaying MeshCore Card, all by changing the MeshCore node names a few times.
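The root cause described above is a card that drops an attacker-controlled node name straight into the page as markup. The following is an added example, not MeshCore Card's own code, showing the vulnerable string-building pattern next to two hardened alternatives (HTML escaping, and setting textContent on the element); the sample names and the example.invalid domain are constructed for the demonstration.

```javascript
// Added example (not from MeshCore Card or the article's author): rendering
// untrusted MeshCore node names in a dashboard card. Names arrive in radio
// adverts, so they are attacker-controlled input and must never become HTML.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape the characters that let text break out of an HTML text node or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: the raw name is concatenated into markup, so a name
// such as <img src=//example.invalid/p.png> is parsed as an element and the
// browser fetches the image (or runs whatever the markup asks for).
function renderNodeRowUnsafe(name) {
  return `<tr><td class="node-name">${name}</td></tr>`;
}

// Hardened pattern 1: escape before concatenating, so the same input is
// displayed as literal text and no element is created.
function renderNodeRowSafe(name) {
  return `<tr><td class="node-name">${escapeHtml(name)}</td></tr>`;
}

// Hardened pattern 2 (preferred in a real custom card): never build markup
// strings from the name at all; assign it to textContent of an element the
// card created itself. `cell` is any DOM element (or a duck-typed stand-in
// when run outside a browser, as in the test below).
function setNodeName(cell, name) {
  cell.textContent = String(name);
  return cell;
}

// Constructed sample advert names; the first mirrors the tracking-pixel
// style payload from the article, with a placeholder domain.
const SAMPLE_NAMES = [
  "<img src=//example.invalid/p.png>",
  "Normal Node",
];

// Quick self-check when run directly: the unsafe renderer emits an element,
// the safe one does not.
if (typeof require !== "undefined" && require.main === module) {
  for (const n of SAMPLE_NAMES) {
    console.log(renderNodeRowUnsafe(n), "->", renderNodeRowSafe(n));
  }
}
```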

This attack requires a LoRa-enabled radio device flashed with MeshCore firmware. The device Romijn used is a Lilygo T3 S3, which sells for $22 on Amazon right now. However, MeshCore firmware can be installed on all sorts of LoRa-capable devices.

A key constraint here is that the attacker must be "seen" by the person running MeshCore Card. This is somewhat limited by geographical location, as MeshCore connectivity is affected by distance, buildings, land features, weather conditions, and more.

The patch status

While the MeshCore Card maintainer patched the vulnerability in early May with version 0.3.3, Romijn said she got no response from the maintainer of a similar project with the same vulnerability. She also wrote:

I have not coordinated disclosure with MeshCore analysis websites in advance, as the impact on them is more limited. I do not have enough details to contact individual affected Home Assistant users.

If you're a Home Assistant user with MeshCore add-ons, you should make sure MeshCore Card is up to date and/or remove the "v2-panel" variant to keep yourself safe. If you're maintaining a MeshCore analysis website, it's a good idea (though not urgent) to look into a patch.

Some background

For those not in the know, MeshCore is one of several open source LoRa-based mesh network communication systems, similar to the better-known Meshtastic protocol. In MeshCore, an advertisement or "advert" allows you, the node owner, to announce your presence to the local mesh with your node's name. The name, though limited in length, can be anything you choose.

The Meshy application interface being used to edit the Device Name field on the node settings menu.
MeshCore client apps like Meshy (a Linux app) allow arbitrary changes to your node's name.

Home Assistant is a suite of self-hosted open source smart home tools, including a dashboard that lets you control and see data from all of your connected devices. There are countless installable "cards" for the HA dashboard, and MeshCore Card is one catering to MeshCore users who are interested in seeing which nodes are advertising to them.

Zooming out

Why this announcement matters: HA has a huge userbase within the self-hosted community. While MeshCore is a more niche hobby, this vulnerability demonstrates how open source projects can be abused. Lack of responsiveness from open source maintainers exacerbates the problem.

My take: I have MeshCore firmware installed right now on a Heltec V3 device. In my locale, though, I cannot reach anyone with my adverts and I've received no adverts from anyone else. That was disappointing to me, but in this moment it feels like a blessing.

Diving in

Go further: For the technical details, see Romijn's blog post.

Get patched: If you aren't sure how to update MeshCore Card, see Home Assistant's official documentation for updating HACS repositories.

Jordan Gloor