PatchSiren cyber security CVE debrief
CVE-2024-45374 goTenna CVE debrief
The goTenna Pro ATAK plugin uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF, and password is cracked via brute force attack, it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. This only applies when the key is broadcasted over RF. This is an optional feature, so it is advised to use local QR encryption key sharing for additional security on this and previous versions.
- Vendor
- goTenna
- Product
- Pro ATAK Plugin
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-09-26
- Original CVE updated
- 2024-10-17
- Advisory published
- 2024-09-26
- Advisory updated
- 2024-10-17
Who should care
Organizations using goTenna Pro ATAK Plugin for tactical communications, particularly those operating in contested RF environments where adversaries may possess signals intelligence capabilities. This includes military, law enforcement, emergency response, and critical infrastructure protection teams who rely on encrypted mesh networking for operational security.
Technical summary
The goTenna Pro ATAK plugin implements an optional RF-based encryption key broadcast feature that relies on a weak password for key protection. An attacker with RF capture capability who obtains the broadcasted key material can perform offline brute force attacks against the password. Successful password recovery enables decryption of the captured key, which can then be used to decrypt all past and future messages encrypted with that key across the broadcast group. The vulnerability is confined to the RF broadcast key sharing mechanism and does not affect QR code-based key sharing. CVSS 3.1 score of 5.3 (Medium) reflects the attack complexity requirements and adjacent network access vector.
Defensive priority
medium
Recommended defensive actions
- Update to ATAK Plugin v2.0.7 or greater to address the weak password vulnerability in key broadcast functionality
- Use QR code-based encryption key sharing instead of RF broadcast for key distribution
- Choose discreet callsigns and key names that do not disclose sensitive information such as location, team size, or team name
- Implement strong security measures on all end-user devices including encryption and regular software updates
- Follow encryption key rotation best practices to maintain ongoing security
- When RF broadcast is necessary, operate in secured areas and transmit at reduced power (0.5 Watts) to limit exposure
- Implement layered encryption keys to securely manage communications with individuals and teams
- Review goTenna's secure operating best practices documentation for additional operational security guidance
Evidence notes
CISA published advisory ICSA-24-270-05 on 2024-09-26, with Update A on 2024-10-17 revising the Vulnerability Overview and Mitigations sections. The advisory confirms affected versions as goTenna Pro ATAK Plugin <=1.9.12 and provides vendor remediation guidance.
Official resources
-
CVE-2024-45374 CVE record
CVE.org
-
CVE-2024-45374 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-09-26