Session
I Know What You LoRa'd Last Summer: Introducing LoRecon
Meshtastic, Helium, and LoRaWAN have quietly built massive mesh networks across cities, often using default encryption keys that offer little more than security theater. This talk introduces an open-source ESP32-based passive reconnaissance tool that scans 26 LoRa configurations, captures packets, and automatically decrypts traffic using 23 known default PSKs.
We'll walk through building a budget-friendly Heltec WiFi LoRa 32 V3 into a field-deployable sniffer with:
- Real-time packet capture with interrupt-driven reception
- Multi-protocol detection (Meshtastic, LoRaWAN/TTN, Helium Network)
- Automated PSK testing against default keys, including "AQ==" and legacy admin keys
- GPS coordinate extraction from position broadcasts
- Mobile-friendly web UI with threat-level network visualization
- PCAP export compatible with Wireshark
Live demo: We plan to power up the sniffer at CackalackyCon and see what's transmitting in the nearby area, possibly discovering Meshtastic nodes, IoT sensors, and devices broadcasting with default encryption.
Key takeaways:
1. Why default PSKs in consumer mesh networks are a research goldmine
2. How to identify vulnerable devices using RSSI and traffic patterns
3. Defense strategies: key rotation, firmware updates, network segmentation
4. Ethics of passive RF reconnaissance (receive-only, legal framework)
All code is MIT-licensed open source. Attendees leave with a shopping list, flash instructions, and the knowledge to build their own reconnaissance platform tonight.
No prior LoRa experience required, just curiosity about what's transmitting around you.
Tim Arnold
independent developer/hacker/trainer
Apex, North Carolina, United States