PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-47123 goTenna CVE debrief

## Summary

goTenna Pro App versions 1.6.1 and earlier use AES-CTR encryption for short encrypted messages without integrity checking mechanisms, leaving messages vulnerable to malleability attacks by adversaries with message access. This cryptographic weakness allows message modification without detection. The vulnerability was disclosed by CISA on September 26, 2024, with an advisory update on October 17, 2024. goTenna has released patched versions 2.0.3 or greater for both Android and iOS platforms.

## Technical Details

The vulnerability stems from the use of AES-CTR (Counter Mode) encryption without accompanying message authentication. CTR mode provides confidentiality but no inherent integrity protection—an attacker with access to ciphertext can flip bits in predictable ways to alter plaintext meaning without knowing the encryption key. The absence of HMAC, GMAC, or other authenticated encryption constructs leaves the messaging protocol susceptible to chosen-ciphertext manipulation. CVSS 3.1 scoring reflects this as an integrity impact (I:H) with adjacent network attack vector (AV:A) and high attack complexity (AC:H), yielding a medium severity rating of 5.3.

## Affected Products

- goTenna Pro App for Android: version 1.6.1 and earlier
- goTenna Pro App for iOS: version 1.6.1 and earlier

## Remediation

Users should update to goTenna Pro App version 2.0.3 or greater on both Android and iOS platforms. goTenna additionally recommends operational security measures: using discreet callsigns and key names that do not disclose location or team composition; securing end-user devices with encryption and regular updates; following encryption key rotation best practices; sharing encryption keys via QR code rather than broadcast; transmitting keys at reduced power (0.5 Watts) when broadcasting is necessary; and implementing layered encryption for team communications.

## Timeline

- **2024-09-26**: CISA publishes initial advisory ICSA-24-270-04
- **2024-10-17**: CISA releases Update A with revisions to vulnerability overview, affected products, and mitigations

| Field | Value |
|---|---|
| Vendor | goTenna |
| Product | Pro |
| CVSS | MEDIUM 5.3 |
| CISA KEV | Not listed in stored evidence |
| Original CVE published | 2024-09-26 |
| Original CVE updated | 2024-10-17 |
| Advisory published | 2024-09-26 |
| Advisory updated | 2024-10-17 |

Who should care

Organizations and individuals using goTenna Pro devices for tactical, emergency, or off-grid communications where message integrity is critical. Security teams supporting public safety, military, and disaster response operations relying on goTenna mesh networks.

Technical summary

The goTenna Pro App employs AES-CTR mode encryption without message authentication codes or authenticated encryption modes. CTR mode transforms a block cipher into a stream cipher by encrypting sequential counter values and XORing with plaintext. While providing semantic security under chosen-plaintext attack, CTR mode offers no integrity guarantees—an attacker flipping ciphertext bits causes identical plaintext bit flips at corresponding positions. Without HMAC-SHA256, AES-GCM, or similar constructs, adversaries with message access can undetectably modify message content. The vulnerability affects short encrypted messages in app versions ≤1.6.1. Remediation in version 2.0.3+ presumably adds appropriate integrity mechanisms, though specific cryptographic improvements are not detailed in the advisory.
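The bit-flip property described above, next to an encrypt-then-MAC check that rejects the modified message, as an added example (not code from goTenna or the advisory). Assumptions: HMAC-SHA256 stands in for AES as the counter-mode keystream generator so the example runs on the Python standard library alone, and the keys and message are constructed sample values.

```python
import hashlib
import hmac
import os

def keystream(key, nonce, length):
    # Counter-mode keystream: PRF(key, nonce || counter) per block.
    # Assumption: HMAC-SHA256 stands in for the AES block cipher.
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def ctr_xor(key, nonce, data):
    # Encryption and decryption are the same XOR with the keystream.
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))

def seal(enc_key, mac_key, plaintext):
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    nonce = os.urandom(12)
    ct = ctr_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def open_sealed(enc_key, mac_key, nonce, ct, tag):
    # Verify in constant time BEFORE decrypting; reject on any mismatch.
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return ctr_xor(enc_key, nonce, ct)

def demo():
    enc_key, mac_key = b"E" * 32, b"M" * 32      # constructed sample keys
    msg = b"RALLY AT GRID 7"                      # constructed sample message
    nonce, ct, tag = seal(enc_key, mac_key, msg)
    # One bit changed in transit, in the last ciphertext byte.
    modified = ct[:-1] + bytes([ct[-1] ^ 0x01])
    # CTR alone: decryption succeeds and the same plaintext bit is flipped.
    ctr_only = ctr_xor(enc_key, nonce, modified)
    try:
        open_sealed(enc_key, mac_key, nonce, modified, tag)
        detected = False
    except ValueError:
        detected = True
    return ctr_only, detected, open_sealed(enc_key, mac_key, nonce, ct, tag)

if __name__ == "__main__":
    print(demo())
```

The encryption and MAC keys are kept separate, and the tag is checked before any decryption so a modified message never reaches the application as plaintext.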

Defensive priority

medium

Recommended defensive actions

  • Update goTenna Pro App to version 2.0.3 or greater on all Android and iOS devices
  • Use discreet callsigns and key names that do not reveal location, team size, or team identity
  • Implement strong device security including encryption and regular software updates on all end-user devices
  • Rotate encryption keys regularly according to industry best practices
  • Exchange encryption keys via QR code rather than broadcast transmission when possible
  • When broadcasting keys is necessary, operate from secured areas at reduced power (0.5 Watts)
  • Implement layered encryption keys for secure individual and team communications
  • Contact [email protected] for additional assistance

Evidence notes

Advisory revision history confirms initial publication 2024-09-26 and Update A 2024-10-17. Remediation guidance specifies Android Pro v2.0.3 or greater and iOS Pro v2.0.3 or greater as patched versions.
