PatchSiren cyber security CVE debrief

CVE-2024-45723 goTenna CVE debrief

The goTenna Pro ATAK Plugin uses an insecure random number generator when creating passwords for cryptographic key sharing, enabling brute-force attacks against broadcasted encryption keys captured over RF. This vulnerability affects versions 1.9.12 and earlier. The issue was disclosed by CISA on September 26, 2024, with an advisory update on October 17, 2024.

Vendor: goTenna
Product: Pro ATAK Plugin
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-09-26
Original CVE updated: 2024-10-17
Advisory published: 2024-09-26
Advisory updated: 2024-10-17

Who should care

Organizations using goTenna Pro ATAK Plugin for tactical communications, particularly military, law enforcement, emergency response, and critical infrastructure teams who rely on encrypted RF communications for operational security.

Technical summary

The goTenna Pro ATAK Plugin fails to use java.security.SecureRandom when generating passwords for cryptographic key sharing operations. Instead, it employs a less secure random function that reduces password entropy, enabling attackers to brute-force passwords if they capture the broadcasted encryption key over RF. This vulnerability specifically affects the optional RF broadcast feature for encryption key distribution. The affected product is goTenna Pro ATAK Plugin version 1.9.12 and earlier. CVSS 3.1 score: 6.5 (Medium).
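To make the flaw class concrete, the following Java snippet is an added illustration, not code from the goTenna plugin: it places a weak key-sharing password generator beside one built on java.security.SecureRandom and quantifies the entropy gap. The alphabet, the password length, and the choice of a clock-seeded java.util.Random as the weak generator are assumptions; the advisory only states that SecureRandom was not used.

```java
import java.security.SecureRandom;
import java.util.Random;

public class KeySharePassword {
    // Assumed format: 32-symbol alphabet (5 bits per symbol), 8 symbols.
    private static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
    private static final int LENGTH = 8;

    // Weak variant (assumed): java.util.Random is a 48-bit linear congruential
    // generator, and when seeded from the clock its output depends only on a
    // narrow, guessable seed range rather than on the password's nominal size.
    static String weakPassword(long seedMillis) {
        return build(new Random(seedMillis));
    }

    // Hardened variant: SecureRandom draws from the platform CSPRNG, so the
    // password carries its full nominal entropy.
    static String strongPassword() {
        return build(new SecureRandom()); // SecureRandom extends Random
    }

    private static String build(Random rng) {
        StringBuilder sb = new StringBuilder(LENGTH);
        for (int i = 0; i < LENGTH; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // Nominal entropy of the format in bits: LENGTH * log2(alphabet size).
    static double nominalBits() {
        return LENGTH * (Math.log(ALPHABET.length()) / Math.log(2));
    }

    // Effective entropy of the clock-seeded variant is bounded by the size of
    // the seed window in milliseconds, e.g. one hour, not by nominalBits().
    static double effectiveBitsForSeedWindow(long windowMillis) {
        return Math.log(windowMillis) / Math.log(2);
    }

    public static void main(String[] args) {
        System.out.println("weak (clock-seeded):   " + weakPassword(System.currentTimeMillis()));
        System.out.println("strong (SecureRandom): " + strongPassword());
        System.out.printf("nominal entropy: %.1f bits%n", nominalBits());
        System.out.printf("effective entropy, 1-hour seed window: %.1f bits%n",
                effectiveBitsForSeedWindow(60L * 60 * 1000));
    }
}
```

With the assumed format the nominal entropy is 40 bits, while a one-hour seed window gives under 22 bits, which is the gap the advisory's brute-force concern refers to.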

Defensive priority

medium

Recommended defensive actions

  • Update to ATAK Plugin version 2.0.7 or greater
  • Use QR codes for local encryption key sharing instead of RF broadcast
  • Implement discreet callsigns and key names that do not disclose location or team information
  • Secure end-user devices with encryption and regular software updates
  • Follow encryption key rotation best practices
  • When broadcasting is necessary, operate in secured areas at reduced power (0.5 Watts)
  • Implement layered encryption for communications management
  • Contact [email protected] for questions regarding secure operating practices

Evidence notes

CISA ICS Advisory ICSA-24-270-05 (Update A) documents that the plugin fails to use SecureRandom for password generation, making brute-force attacks feasible against RF-captured encryption keys. The advisory was initially published September 26, 2024, and updated October 17, 2024.
