PatchSiren cyber security CVE debrief
CVE-2024-47122 goTenna CVE debrief
CVE-2024-47122 documents a cryptographic weakness in the goTenna Pro App where encryption keys are stored alongside a static initialization vector (IV) on End User Devices (EUDs). This implementation flaw enables complete key recovery if an attacker gains physical access to a compromised device, subsequently allowing decryption of all encrypted broadcast communications. The vulnerability requires physical access (AV:P) and local privileges (PR:L), resulting in a CVSS 3.1 score of 4.3 (Medium). The issue was initially published by CISA on September 26, 2024, with an advisory update on October 17, 2024 that expanded vulnerability overview, affected products, and mitigation guidance. goTenna has released patched versions (Android Pro v2.0.3+, iOS Pro v2.0.3+) and recommends layered encryption, key rotation, QR-based key exchange, and reduced-power transmission (0.5W) when broadcasting keys.
- Vendor
- goTenna
- Product
- Pro
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-09-26
- Original CVE updated
- 2024-10-17
- Advisory published
- 2024-09-26
- Advisory updated
- 2024-10-17
Who should care
Organizations deploying goTenna Pro X and Pro X2 mesh networking devices for tactical, emergency response, or critical infrastructure communications where message confidentiality and operational security are required. Security teams responsible for mobile device management and cryptographic key lifecycle in field-deployed environments.
Technical summary
The goTenna Pro App (≤v1.6.1) implements AES encryption using a static IV stored alongside encryption keys on the End User Device. This cryptographic anti-pattern allows an attacker with physical device access to extract and decrypt all stored keys, compromising the confidentiality of past and future broadcast communications. The vulnerability is contingent on physical compromise of the EUD and does not enable remote exploitation. Remediation requires application update to v2.0.3+ and adoption of defense-in-depth measures including device-level encryption, operational security practices for key distribution, and reduced-power transmission protocols.
Defensive priority
medium
Recommended defensive actions
- Update goTenna Pro App to version 2.0.3 or later on Android and iOS devices
- Implement full-disk encryption and strong device access controls on all End User Devices (EUDs)
- Rotate encryption keys according to industry best practices on a regular schedule
- Use QR codes for secure encryption key exchange rather than broadcast transmission
- When key broadcast is necessary, operate in secured areas at reduced power (0.5 Watts)
- Implement layered encryption for communications with individuals and teams
- Select discreet callsigns and key names that do not reveal location, team size, or organizational information
- Contact goTenna Pro support at [email protected] for additional guidance on secure operating procedures
Evidence notes
The vulnerability description and remediation guidance are derived from CISA CSAF advisory ICSA-24-270-04. The affected product is goTenna Pro App version 1.6.1 and earlier. CVSS vector AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N confirms physical access requirement. The October 17, 2024 update added operational mitigations including QR code key exchange and reduced-power transmission protocols.
Official resources
-
CVE-2024-47122 CVE record
CVE.org
-
CVE-2024-47122 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-09-26