PatchSiren cyber security CVE debrief
CVE-2024-47129 goTenna CVE debrief
CVE-2024-47129 is a medium-severity information disclosure vulnerability affecting the goTenna Pro App versions 1.6.1 and earlier. The application fails to inject padding characters into broadcasted frames, allowing adversaries with adjacent network access to determine message payload length regardless of encryption. This side-channel leakage could enable traffic analysis attacks where message length patterns reveal operational context. The vulnerability was disclosed by CISA on September 26, 2024, with an updated advisory published October 17, 2024. goTenna has released patched versions 2.0.3 or greater for both Android and iOS platforms. Organizations should prioritize updating Pro App deployments and implement complementary mitigations including discreet callsign selection, key rotation protocols, and layered encryption strategies.
- Vendor
- goTenna
- Product
- Pro
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-09-26
- Original CVE updated
- 2024-10-17
- Advisory published
- 2024-09-26
- Advisory updated
- 2024-10-17
Who should care
Organizations deploying goTenna Pro X and Pro X2 mesh networking equipment for tactical, emergency response, or critical infrastructure communications where operational security and message confidentiality are essential. Security teams responsible for mobile device management and encrypted communications infrastructure. Field operators relying on goTenna Pro systems in contested RF environments where traffic analysis poses intelligence risks.
Technical summary
The goTenna Pro App transmits broadcast frames without length-obfuscating padding, exposing ciphertext length to adjacent network observers. This side-channel vulnerability allows adversaries to infer payload size regardless of encryption strength, potentially enabling traffic analysis and operational pattern recognition. The flaw affects Pro App versions through 1.6.1 on Android and iOS. Remediation requires updating to version 2.0.3 or greater. Defense in depth should include operational security measures for callsign selection, secure key distribution via QR codes, reduced-power transmission, and layered encryption implementations.
Defensive priority
medium
Recommended defensive actions
- Update goTenna Pro App to version 2.0.3 or greater for Android and iOS platforms
- Select callsigns and key names that do not disclose location, team size, or organizational identity
- Implement strong encryption and regular software updates on all end-user devices
- Establish regular encryption key rotation following industry best practices
- Exchange encryption keys via QR code rather than broadcast transmission
- When broadcasting keys, operate in secured areas at reduced 0.5 Watt power
- Deploy layered encryption keys for individual and team communications
- Contact [email protected] for technical assistance with remediation
Evidence notes
Vulnerability confirmed through CISA ICS advisory ICSA-24-270-04 with vendor-coordinated disclosure. CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N reflects adjacent network attack vector with low attack complexity. Affected product explicitly identified as goTenna Pro App ≤1.6.1. Remediation versions 2.0.3 or greater specified for both Android and iOS platforms.
Official resources
-
CVE-2024-47129 CVE record
CVE.org
-
CVE-2024-47129 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-09-26