ChatterBox vs Meshtastic: Security
Security is a deep and multifaceted topic, but I will briefly describe some differences here.
ChatterBox
ChatterBox has 2 security models. The higher security, higher functionality model is private clusters. ChatterBox also offers a channels model, described in this doc.
Private Clusters
A cluster is a group of 2 or more ChatterBox devices that trust one another and assist in mesh-related functions.
Devices in a cluster share a common root (admin), and must be onboarded one time by that device, in-person and in proximity.
Devices are ignored & blocked from communication unless they are part of the private cluster.
Chain of Trust
All devices that the root device trusts become automatically trusted by other on-cluster devices.
Check the onboarding page for more details about this, but in essence a chain of trust, with root at the top, helps keep the cluster secure and private.
Frequency Hopping
The cluster automatically rotates frequencies every minute or so in an unpredictable pattern, determined by a key-dependent algorithm.
Not only does this keep off-cluster devices from seeing the traffic, but also lowers risk of interference & jamming.
When two devices exchange packets directly, each packet is transmitted on a different frequency, determined using an asymmetric-key dependent algorithm, meaning the pattern is specific to those two devices.
Encryption
Every message, ping, location, and mesh packet is encrypted during transmission.
Direct messages (one device to another) are encrypted asymmetrically, so even other devices assisting in delivery cannot decrypt.
Broadcast messages and pings are encrypted symmetrically, so all on-cluster devices are able to decrypt.
All sensitive data is symmetrically encrypted at rest using your password or device-generated key.
Digital Signatures
All messages are automatically digitally signed with the sender’s private key, using ECDSA. The signature follows the message all the way to the the recipient.
Thanks to the chain of trust, all devices on the cluster will automatically receive one another’s public keys, and be able to validate the signature.
The signature includes a timestamp element, so the freshness can be validated, along with the content.
For asymmetrically encrypted messages, any device in the cluster can validate the signature before meshing, even though it can’t decrypt the payload.
Data Storage
With private clusters, no keys are ever manually shared or even viewable. You cannot export or view any symmetric or private keys.
If you are using an SD card, all sensitive data and configuration is encrypted at rest, with a password you choose, or by a device-generated key if you don’t choose one.
Operating System
ChatterBox is a fully embedded firmware system. Depending on your device, it either uses Free RTOS or no OS.
Either way, there is simply no mechanism for an OS to analyze your data and decide whether to leak it or not. There is no way for the OS to suddenly decide to disable an “app” or lock / share your data.
The device is also not leaking your position and behavior to tech companies 24/7.
Meshtastic
Meshtastic has one security model, which is: if you know the single password, you are in the channel.
Meshtastic has no concept of invite-only groups, if you have the password, you’re in.
One symmetric key is responsible for channel-level encryption. This key is manually entered, by the user, into a phone or device.
This means human eyes and a phone’s OS have seen every symmetric key in Meshtastic.
Meshtastic has no concept of chain-of-trust. As mentioned before, there is no gate controlling who is allowed onto a channel.
If the single human-shared password is leaked or seen, the channel is compromised.
Meshtastic devices sit on a single frequency 24/7. This leaves it more susceptible to RF collision, whether intentional (jamming) or unintentional.
This also means with Meshtastic, a single frequency could be recorded over time and played back to a software system later, if the channel’s key is ever compromised.
Sitting on a single frequency makes it fairly easy to triangulate a Meshtastic device’s position.
Meshtastic primarily uses channel-level symmetric key encryption, where the key (password) is manually shared between people and entered into apps.
Meshtastic does allow asymmetric encryption in certain situations, if you manually exchange public keys, in person, between two devices. The process is not automatic, and likely too confusing for non-technical people to bother with.
Settings and data are stored on your mobile phone, so they are as secure as your OS allows.
Meshtastic supports some digital signature capability if you manually exchange public keys between devices.
As mentioned before, this is too confusing for most non-technical people to bother with.
Meshtastic stores your data with symmetric keys with Android and iOS.
Meshtastic is runs on Android and iOS. You can conveniently find it in the app stores.