PatchSiren cyber security CVE debrief
CVE-2024-41931 goTenna CVE debrief
A medium-severity vulnerability in the goTenna Pro ATAK Plugin allows encryption key names to be transmitted unencrypted over RF broadcast, potentially exposing sensitive operational metadata to nearby adversaries within radio range.
- Vendor
- goTenna
- Product
- Pro ATAK Plugin
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-09-26
- Original CVE updated
- 2024-10-17
- Advisory published
- 2024-09-26
- Advisory updated
- 2024-10-17
Who should care
Organizations using goTenna Pro ATAK Plugin for tactical or field communications, including emergency response teams, military units, law enforcement, and private security operations where RF emissions may be monitored by adversaries.
Technical summary
The goTenna Pro ATAK Plugin transmits encryption key names in cleartext when broadcasting keys over RF. This information disclosure occurs regardless of whether the key material itself is protected, exposing metadata that could aid adversaries in mapping communication structures, identifying team composition, or inferring operational context. The vulnerability is exploitable by any receiver within RF range without authentication. Attack complexity is low, and no user interaction is required. The primary risk is operational security degradation rather than direct key compromise. Mitigation centers on alternative key distribution methods (QR code exchange), operational practices (discreet naming conventions, reduced broadcast power), and software updates to version 2.0.7 or later.
Defensive priority
medium
Recommended defensive actions
- Update goTenna Pro ATAK Plugin to version 2.0.7 or greater to address this vulnerability
- Use QR code-based key exchange instead of RF broadcast for sharing encryption keys in high-security operations
- Select discreet callsigns and key names that do not reveal location, team size, or organizational identity
- Implement strong endpoint security measures including device encryption and regular software updates
- Establish and follow encryption key rotation schedules per industry best practices
- When RF broadcast is necessary, operate from secured areas at reduced power (0.5 Watts) to limit signal exposure
- Deploy layered encryption keys to compartmentalize communications between individuals and teams
- Review goTenna secure operating best practices for additional operational security guidance
Evidence notes
CISA ICS advisory ICSA-24-270-05 (Update A, 2024-10-17) documents that encryption key names are sent in cleartext during RF broadcast operations. The advisory was updated on 2024-10-17 to refine vulnerability overview and mitigation guidance. CVSS 3.1 score of 4.3 (Medium) reflects adjacent network attack vector with low confidentiality impact.
Official resources
-
CVE-2024-41931 CVE record
CVE.org
-
CVE-2024-41931 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-09-26