PatchSiren cyber security CVE debrief

CVE-2024-47124 goTenna CVE debrief

goTenna Pro App versions 1.6.1 and earlier do not encrypt callsigns in messages, exposing potentially sensitive identifier information to anyone observing the network within radio range. The vulnerability stems from cleartext transmission of callsign metadata even when message encryption is enabled. CISA published this advisory on September 26, 2024, and updated it on October 17, 2024, revising the vulnerability overview, affected products, and mitigations sections. goTenna has released patched versions (Android Pro v2.0.3+, iOS Pro v2.0.3+) that apply AES-256 encryption to callsigns during encrypted operations. The CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) reflects an adjacent-network attack vector with low attack complexity, no privileges or user interaction required, and a low confidentiality impact with no integrity or availability impact.

Vendor: goTenna
Product: Pro
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-09-26
Original CVE updated: 2024-10-17
Advisory published: 2024-09-26
Advisory updated: 2024-10-17

Who should care

Organizations using goTenna Pro X and Pro X2 devices for tactical, emergency response, or field operations where callsign confidentiality protects personnel safety, operational security, or team composition details. Particularly relevant for public safety, military, and disaster response users whose callsigns may reveal sensitive organizational information.

Technical summary

The goTenna Pro App transmits callsigns in cleartext within message metadata, even when message content encryption is active. This information disclosure vulnerability allows adjacent network attackers (within radio transmission range) to harvest callsigns without authentication. The issue affects app versions through 1.6.1. Resolution in v2.0.3+ applies AES-256 encryption to callsigns during encrypted operations, closing the metadata exposure gap.
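To make the metadata gap concrete, the following Go program is an added illustration and is not goTenna's code or its wire format. It models two hypothetical frame layouts: a legacy one where the callsign rides as a cleartext header next to an AES-256-GCM-encrypted body, and a patched one where callsign and body are serialised together and the whole record is encrypted. A simple byte scan, the check a defender would run on a captured frame, shows the callsign in the first layout and not in the second, while the receiver still recovers it after decryption. The callsign, message and key are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Frame layouts below are hypothetical, not goTenna's real protocol.

// seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails on a wrong key or tampered frame.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// LegacyFrame models the pre-2.0.3 behaviour: a cleartext, length-prefixed
// callsign header followed by the encrypted body only.
func LegacyFrame(key []byte, callsign, body string) ([]byte, error) {
	enc, err := seal(key, []byte(body))
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	buf.WriteByte(byte(len(callsign)))
	buf.WriteString(callsign)
	buf.Write(enc)
	return buf.Bytes(), nil
}

// PatchedFrame models the fix: callsign and body are one record and the
// entire record is encrypted, so no identifier is visible on air.
func PatchedFrame(key []byte, callsign, body string) ([]byte, error) {
	var rec bytes.Buffer
	rec.WriteByte(byte(len(callsign)))
	rec.WriteString(callsign)
	rec.WriteString(body)
	return seal(key, rec.Bytes())
}

// OpenPatchedFrame is the receiver side of PatchedFrame.
func OpenPatchedFrame(key, frame []byte) (callsign, body string, err error) {
	rec, err := open(key, frame)
	if err != nil {
		return "", "", err
	}
	if len(rec) < 1 || int(rec[0]) > len(rec)-1 {
		return "", "", fmt.Errorf("malformed record")
	}
	n := int(rec[0])
	return string(rec[1 : 1+n]), string(rec[1+n:]), nil
}

// CallsignVisible is the defender's check on a captured frame: does the
// identifier appear in cleartext anywhere in the bytes sent over the air?
func CallsignVisible(frame []byte, callsign string) bool {
	return bytes.Contains(frame, []byte(callsign))
}

func main() {
	key := make([]byte, 32) // constructed demo key; use real key management in practice
	rand.Read(key)
	legacy, _ := LegacyFrame(key, "MEDIC-7", "rally at point B")
	patched, _ := PatchedFrame(key, "MEDIC-7", "rally at point B")
	fmt.Println("legacy frame exposes callsign:", CallsignVisible(legacy, "MEDIC-7"))
	fmt.Println("patched frame exposes callsign:", CallsignVisible(patched, "MEDIC-7"))
	cs, body, _ := OpenPatchedFrame(key, patched)
	fmt.Println("receiver recovered:", cs, "/", body)
}
```

The design point is that confidentiality of a message is only as good as its least-protected field: encrypting the body while leaving routing or identity metadata in the clear still lets a passive observer within range build a roster of who is talking, which is exactly what the fixed versions close by moving the callsign inside the encrypted envelope.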

Defensive priority

Medium

Recommended defensive actions

  • Update goTenna Pro App to version 2.0.3 or later on Android and iOS devices to enable AES-256 encryption for callsigns
  • Avoid using sensitive information in callsigns and key names until the update is applied; do not include location, team size, or team identifiers
  • Implement strong security measures on end-user devices including encryption and regular software updates
  • Rotate encryption keys regularly according to industry best practices
  • Use QR codes for secure exchange of encryption keys rather than broadcast transmission
  • When broadcasting is necessary, operate from secured areas at reduced power (0.5 watts) to limit exposure
  • Implement layered encryption keys for managing communications with individuals and teams
  • Contact goTenna Pro support at [email protected] for assistance with secure operating procedures

Evidence notes

Advisory ICSA-24-270-04 confirms affected product as goTenna Pro App ≤1.6.1. Remediation guidance specifies v2.0.3 or greater for both Android and iOS platforms. Vendor contact: [email protected].
