PatchSiren cyber security CVE debrief
CVE-2024-43694 goTenna CVE debrief
CVE-2024-43694 is a medium-severity vulnerability in the goTenna Pro ATAK Plugin affecting versions 1.9.12 and earlier. The issue involves encryption keys being stored alongside a static initialization vector (IV) on End User Devices (EUDs), enabling complete key decryption if the device is physically compromised. This cryptographic weakness allows an attacker with physical access to decrypt all encrypted broadcast communications using keys extracted from the device. The vulnerability was disclosed by CISA on September 26, 2024, with an update published October 17, 2024. goTenna has released ATAK Plugin version 2.0.7 or greater to address this issue. The attack requires physical access to and control of the EUD, limiting exploitability but maintaining significant impact for targeted scenarios involving device seizure or loss.
- Vendor
- goTenna
- Product
- Pro ATAK Plugin
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-09-26
- Original CVE updated
- 2024-10-17
- Advisory published
- 2024-09-26
- Advisory updated
- 2024-10-17
Who should care
Organizations deploying goTenna Pro ATAK Plugin in tactical, emergency response, or field operations where device physical security may be challenged; security teams responsible for mobile device management and encrypted communications infrastructure; and operators requiring assured confidentiality of broadcast communications in contested environments.
Technical summary
The goTenna Pro ATAK Plugin (versions ≤1.9.12) stores encryption keys with a static initialization vector on the End User Device. This cryptographic implementation flaw enables an attacker with physical device access to extract and decrypt all stored keys, subsequently allowing decryption of all encrypted broadcast communications. The vulnerability requires local physical access (AV:P) with low attack complexity. Remediation involves updating to ATAK Plugin v2.0.7+ and implementing defense-in-depth measures including device-level encryption, access controls, key rotation, and operational security practices for key distribution.
Defensive priority
medium
Recommended defensive actions
- Update goTenna Pro ATAK Plugin to version 2.0.7 or greater as specified in vendor remediations.
- Implement strong physical access controls and device encryption on all End User Devices (EUDs) to mitigate physical compromise risk.
- Use discreet callsigns and key names that do not disclose location, team size, or team composition.
- Establish regular encryption key rotation following industry best practices.
- For Pro deployments, utilize QR code-based key exchange and transmit keys at reduced power (0.5 Watts) in secured areas only.
- Implement layered encryption for communications with individuals and teams.
- Contact [email protected] for additional assistance with secure operating procedures.
Evidence notes
Vulnerability description and remediation guidance sourced from CISA ICS Advisory ICSA-24-270-05 (Update A). CVSS 3.1 vector AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N confirms physical attack vector with high confidentiality impact. Affected product version confirmed as <=1.9.12; fixed version 2.0.7 or greater specified in vendor remediations.
Official resources
-
CVE-2024-43694 CVE record
CVE.org
-
CVE-2024-43694 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-09-26