CVE-2024-47125 goTenna CVE debrief

Who should care

Organizations using goTenna Pro X and Pro X2 devices for tactical, emergency, or off-grid communications, including public safety agencies, military units, disaster response teams, and private security operations relying on authenticated message integrity.

Technical summary

The goTenna Pro App's failure to validate public keys creates a cryptographic authentication bypass. An attacker within radio transmission range can exploit this to forge or modify messages without authentication, compromising message integrity and confidentiality. The attack requires adjacent network access (AV:A) but no privileges or user interaction, with low attack complexity. Remediation involves updating to version 2.0.3, which implements proper public key authentication within enhanced encryption protocols.

Defensive priority

HIGH

Recommended defensive actions

• Update goTenna Pro App to version 2.0.3 or later on Android and iOS devices
• Use discreet callsigns and key names that do not reveal location, team size, or operational details
• Implement strong endpoint security measures including device encryption and regular software updates
• Rotate encryption keys according to industry best practices
• Exchange encryption keys via QR code rather than broadcast transmission
• When broadcasting keys is necessary, operate from secured areas at reduced 0.5 Watt power
• Apply layered encryption for communications with individuals and teams
• Contact goTenna Pro support at [email protected] for technical assistance

Evidence notes

The source advisory confirms affected versions through CSAFPID-0001 (goTenna Pro App ≤1.6.1) and specifies remediation versions 2.0.3 or greater for both platforms.

Official resources