PatchSiren cyber security CVE debrief
CVE-2024-43814 goTenna CVE debrief
The goTenna Pro ATAK Plugin (versions ≤1.9.12) ships with a default configuration that automatically broadcasts Position, Location, and Information (PLI) updates every 60 seconds once the plugin is active and a goTenna device is connected. This behavior occurs without requiring explicit user opt-in or encryption activation. Users who are unaware of these settings and have not enabled encryption prior to mission operations may inadvertently transmit their location data in cleartext, exposing operational positions to passive interception within radio range. The vulnerability is classified as MEDIUM severity (CVSS 3.1: 4.3) with an attack vector of adjacent network, reflecting the requirement for proximity to the broadcast signal. The issue was initially published on September 26, 2024, with an advisory update on October 17, 2024 that refined the vulnerability overview and mitigation guidance. goTenna has addressed this in plugin version 2.0.7 or greater, which disables the automatic PLI default.
- Vendor: goTenna
- Product: Pro ATAK Plugin
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-09-26
- Original CVE updated: 2024-10-17
- Advisory published: 2024-09-26
- Advisory updated: 2024-10-17
Who should care
Military, law enforcement, emergency response, and private security teams using goTenna Pro ATAK Plugin for tactical communications where operational security and location privacy are critical.
Technical summary
The goTenna Pro ATAK Plugin's default configuration automatically transmits PLI updates every 60 seconds without requiring encryption activation. This creates a window where unaware users may broadcast location data in cleartext. The fix in v2.0.7+ removes this default behavior, requiring explicit user configuration.
Defensive priority
medium
Recommended defensive actions
- Update the goTenna Pro ATAK Plugin to version 2.0.7 or greater to disable the automatic PLI broadcast default
- Verify PLI settings are configured to the desired update rate before mission operations
- Activate encryption prior to any mission and confirm key distribution is complete
- Use discreet callsigns and key names that do not reveal location, team size, or team composition
- Implement strong security measures on all end-user devices including encryption and regular software updates
- Follow encryption key rotation best practices to maintain ongoing communications security
- For key exchange, utilize QR codes and transmit at reduced power (0.5 Watts) from a secured area
- Implement layered encryption keys to manage secure communications with individuals and teams
Evidence notes
CISA ICS Advisory ICSA-24-270-05 (Update A) documents the default PLI broadcast behavior and the fix in ATAK Plugin v2.0.7. The CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N is confirmed in the source CSAF document.
Official resources
- CVE-2024-43814 CVE record (CVE.org)
- CVE-2024-43814 NVD detail (NVD)
- Source item URL: cisa_csaf
2024-09-26