PatchSiren cyber security CVE debrief
CVE-2024-47121 goTenna CVE debrief
The goTenna Pro App (versions 1.6.1 and earlier) uses a weak password for sharing encryption keys via the optional RF key broadcast method. An attacker who captures the broadcast encryption key over RF and successfully cracks the password via brute force can decrypt that key, enabling decryption of all future and past messages sent via encrypted broadcast using that key. This vulnerability is confined to the RF broadcast feature; local QR code key sharing is not affected. The issue was disclosed by CISA on September 26, 2024, with an advisory update on October 17, 2024. goTenna has released patched versions (Android Pro v2.0.3+, iOS Pro v2.0.3+) and recommends using QR code key sharing, reducing broadcast power to 0.5 Watts, and implementing key rotation best practices as interim mitigations.
- Vendor: goTenna
- Product: Pro
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-09-26
- Original CVE updated: 2024-10-17
- Advisory published: 2024-09-26
- Advisory updated: 2024-10-17
Who should care
Organizations using goTenna Pro devices for tactical or emergency communications, particularly those relying on encrypted broadcast messaging in contested RF environments. Security teams responsible for mobile device management and operational security for field personnel using mesh networking equipment.
Technical summary
The goTenna Pro App's optional RF-based encryption key broadcast uses a weak password that is susceptible to brute force attacks. An attacker within RF range who captures the broadcast can crack the password, recover the encryption key, and subsequently decrypt all messages (past and future) encrypted with that key. The vulnerability does not affect QR code-based key sharing. CVSS 3.1: 5.3 (MEDIUM). Affected: goTenna Pro App ≤1.6.1. Fixed: Android Pro v2.0.3+, iOS Pro v2.0.3+.
Defensive priority
medium
Recommended defensive actions
- Update goTenna Pro App to version 2.0.3 or greater for Android or iOS
- Use QR code-based encryption key sharing instead of RF broadcast for key distribution
- When RF broadcast is necessary, reduce transmit power to 0.5 Watts and operate from secured areas
- Implement regular encryption key rotation following industry best practices
- Use discreet callsigns and key names that do not reveal location, team size, or organizational information
- Apply strong endpoint security measures including encryption and regular software updates on all devices running the goTenna Pro App
- Contact goTenna Pro support at [email protected] for additional guidance
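To act on the update recommendation across a fleet, the following added example (not part of the advisory and not goTenna tooling) triages an MDM app inventory against the version boundaries stated on this page. The CSV column names, device ids and status labels are assumptions made for illustration.

```python
import csv
import io
import re

# Version boundaries taken from the advisory text on this page.
LAST_KNOWN_AFFECTED = (1, 6, 1)   # "versions 1.6.1 and earlier"
FIRST_FIXED = (2, 0, 3)           # "Android Pro v2.0.3+, iOS Pro v2.0.3+"


def parse_version(text):
    """Return a 3-tuple of ints, or None if the string is not a plain dotted version."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def classify(version_text):
    """Classify one installed app version (status labels are hypothetical)."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"      # unparseable string: needs manual review
    if v >= FIRST_FIXED:
        return "fixed"
    if v <= LAST_KNOWN_AFFECTED:
        return "affected"
    # Builds between 1.6.1 and 2.0.3 are named neither affected nor fixed
    # on this page, so they are flagged for update rather than cleared.
    return "update"


def triage(inventory_csv):
    """Map device id -> status for every row of an MDM export."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["device"]: classify(row["app_version"]) for row in rows}


# Constructed sample export; not real inventory data.
SAMPLE = """device,platform,app_version
field-01,android,1.6.1
field-02,ios,2.0.3
field-03,android,v1.5
field-04,ios,2.0.1
field-05,android,2.1.0-beta
"""

if __name__ == "__main__":
    for device, status in triage(SAMPLE).items():
        print(f"{device}: {status}")
```

Devices reported as "affected" or "update" should move to 2.0.3 or greater; until then, the QR code key sharing and key rotation actions listed above apply to them.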
Evidence notes
CISA ICS Advisory ICSA-24-270-04 (Update A) documents the weak password vulnerability in the goTenna Pro App's RF key broadcast feature, CVSS 3.1 score of 5.3 (MEDIUM), and patched versions 2.0.3 or greater for Android and iOS.
Official resources
- CVE-2024-47121 CVE record (CVE.org)
- CVE-2024-47121 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-09-26