From c02ef22e1dbca0a70c1b75fec09ef5dc3a138a37 Mon Sep 17 00:00:00 2001
From: Stephen Waits
Date: Mon, 11 May 2026 17:26:01 -0600
Subject: [PATCH] fix(bridge): refuse to start ESPNowBridge with default secret

---
 src/helpers/bridges/ESPNowBridge.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/helpers/bridges/ESPNowBridge.cpp b/src/helpers/bridges/ESPNowBridge.cpp
index b9eb1c105c..dfa110235e 100644
--- a/src/helpers/bridges/ESPNowBridge.cpp
+++ b/src/helpers/bridges/ESPNowBridge.cpp
@@ -27,6 +27,15 @@ ESPNowBridge::ESPNowBridge(NodePrefs *prefs, mesh::PacketManager *mgr, mesh::RTC
 }

 void ESPNowBridge::begin() {
+ // Refuse to start with the published-in-source default secret, or an empty one.
+ // The repeating-key XOR used by xorCrypt() is already weak; combined with the
+ // default secret "LVSITANOS" it is no protection at all. Operator must set a
+ // non-default bridge_secret via CLI before this bridge will run.
+ if (_prefs->bridge_secret[0] == 0 || strcmp(_prefs->bridge_secret, "LVSITANOS") == 0) {
+ BRIDGE_DEBUG_PRINTLN("ESPNowBridge: refusing to start with default/empty bridge_secret\n");
+ return;
+ }
+
 BRIDGE_DEBUG_PRINTLN("Initializing...\n");

 // Initialize WiFi in station mode
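Review bot: The refusal path at the top of `begin()` is reported only through `BRIDGE_DEBUG_PRINTLN`, so if that macro is compiled out in non-debug builds (not visible here) an operator who never changed the secret gets a bridge that silently does not start; the refusal should also reach a log that is always built in, or a status the CLI can display. The default value is repeated as the literal `"LVSITANOS"` inside the `strcmp`; if the default is defined where the prefs are initialised, the guard should compare against that single definition, e.g. `strcmp(_prefs->bridge_secret, <default-secret constant>) == 0` (placeholder name), so it cannot drift from the real default. The check still accepts any other short or guessable secret, which matters given the comment's own statement that `xorCrypt()` is a repeating-key XOR; a minimum-length test next to the empty check would be a cheap addition. `begin()` continues past the end of the hunk, so whether other methods rely on state that is only set after this early return cannot be confirmed from here.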