PatchSiren cyber security CVE debrief
CVE-2024-47128 goTenna CVE debrief
A medium-severity information disclosure vulnerability in the goTenna Pro App allows encryption key names to be transmitted unencrypted over RF when shared via broadcast message. The vulnerability, published September 26, 2024, affects goTenna Pro App versions 1.6.1 and earlier on both Android and iOS platforms. The CVSS 3.1 score of 4.3 reflects an adjacent-network attack vector with low attack complexity and low confidentiality impact. An updated advisory was issued October 17, 2024, with revisions to the vulnerability overview, affected products, and mitigations sections. goTenna has released patched versions 2.0.3 or greater for both platforms.
- Vendor: goTenna
- Product: Pro
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-09-26
- Original CVE updated: 2024-10-17
- Advisory published: 2024-09-26
- Advisory updated: 2024-10-17
Who should care
Organizations using goTenna Pro App for tactical or emergency communications, particularly in sensitive operational environments where RF emissions may be monitored or intercepted. This includes public safety agencies, military units, search and rescue teams, and critical infrastructure operators relying on mesh networking for off-grid communications.
Technical summary
The goTenna Pro App transmits encryption key names in cleartext when keys are shared over RF via broadcast messages. This information disclosure occurs regardless of the encryption status of the key material itself, exposing metadata that could aid adversaries in targeting or tracking operations. The vulnerability is exploitable from adjacent network positions with no privileges required and no user interaction needed. Attackers within RF range could intercept broadcast messages and obtain key names, potentially correlating them with operational patterns or identifying high-value targets. The recommended defensive posture prioritizes QR code-based key exchange over RF broadcast, supplemented by operational security measures including discreet naming conventions, reduced transmit power, and layered encryption strategies.
Defensive priority
medium
Recommended defensive actions
- Update goTenna Pro App to version 2.0.3 or greater on Android and iOS devices
- Use QR code-based key exchange instead of RF broadcast for sharing encryption keys
- Select discreet callsigns and key names that do not reveal location, team size, or team identity
- Implement strong security measures on end-user devices including encryption and regular software updates
- Rotate encryption keys regularly according to industry best practices
- When RF broadcast is necessary, operate from secured areas at reduced transmit power (0.5 W)
- Implement layered encryption keys for secure individual and team communications
- Follow goTenna secure operating best practices for Pro deployments
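The two checks that drive the list above (is the installed version inside the affected range, and are keys still being shared over RF broadcast) can be applied to a device inventory. The following is an added fleet-triage example, not code from goTenna or CISA; the inventory entries and device ids are constructed, and the "unverified" status for versions between 1.6.1 and 2.0.3 is this example's own choice, since the advisory names only the affected and patched ranges.

```python
"""Added triage example for CVE-2024-47128 (not goTenna's or CISA's code)."""
from dataclasses import dataclass

AFFECTED_MAX = (1, 6, 1)   # advisory: 1.6.1 and earlier are affected
PATCHED_MIN = (2, 0, 3)    # advisory: 2.0.3 or greater is patched


@dataclass
class Install:
    device_id: str
    platform: str           # "android" or "ios"
    version: str            # app version string, e.g. "1.6.1"
    rf_key_broadcast: bool  # keys still shared over RF broadcast?


def parse_version(text: str) -> tuple:
    """Turn "2.0.3" into (2, 0, 3); missing components are padded with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def version_status(version: str) -> str:
    """Classify as affected, patched, or unverified (gap the advisory omits)."""
    v = parse_version(version)
    if v <= AFFECTED_MAX:
        return "affected"
    if v >= PATCHED_MIN:
        return "patched"
    return "unverified"  # between 1.6.1 and 2.0.3: still schedule the update


def triage(installs):
    """Return (device_id, status, actions) for every install."""
    report = []
    for inst in installs:
        actions = []
        status = version_status(inst.version)
        if status != "patched":
            actions.append("update to 2.0.3 or greater")
        if inst.rf_key_broadcast:
            # QR exchange is the advisory's preferred key-sharing method
            actions.append("switch key sharing to QR code exchange")
        report.append((inst.device_id, status, actions))
    return report


# Constructed sample inventory (hypothetical device ids, not real data).
SAMPLE = [
    Install("unit-01", "android", "1.6.1", rf_key_broadcast=True),
    Install("unit-02", "ios", "2.0.3", rf_key_broadcast=False),
    Install("unit-03", "ios", "1.9", rf_key_broadcast=True),
]
```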
Evidence notes
The vulnerability description and remediation guidance are drawn from CISA ICS Advisory ICSA-24-270-04 (Update A), which was revised October 17, 2024. The advisory confirms the affected product as goTenna Pro App versions 1.6.1 and earlier, and specifies patched versions 2.0.3 or greater for Android Pro and iOS Pro.
Official resources
- CVE-2024-47128 CVE record (CVE.org)
- CVE-2024-47128 NVD detail (NVD)
- Source item URL: cisa_csaf