These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
A critical vulnerability in the goTenna Pro App allows unauthenticated attackers to remotely update local public keys used for peer-to-peer and group messaging, potentially enabling message interception or impersonation. The issue affects goTenna Pro App versions 1.6.1 and earlier. CISA published this advisory on September 26, 2024, with an update on October 17, 2024 that revised the vulnerability overvie [truncated]
CVE-2024-47129 is a medium-severity information disclosure vulnerability affecting the goTenna Pro App versions 1.6.1 and earlier. The application fails to inject padding characters into broadcasted frames, allowing adversaries with adjacent network access to determine message payload length regardless of encryption. This side-channel leakage could enable traffic analysis attacks where message length patt [truncated]
A medium-severity information disclosure vulnerability in the goTenna Pro App allows encryption key names to be transmitted unencrypted over RF when shared via broadcast message. The vulnerability, published September 26, 2024, affects goTenna Pro App versions 1.6.1 and earlier on both Android and iOS platforms. The CVSS 3.1 score of 4.3 reflects adjacent network attack vector with low attack complexity a [truncated]
CVE-2024-47127 is a medium-severity vulnerability (CVSS 6.5) in the goTenna Pro App that enables message injection attacks against goTenna mesh networks. Published by CISA on September 26, 2024, and updated on October 17, 2024, this vulnerability allows an attacker with a software-defined radio to inject arbitrary messages with spoofed GIDs and callsigns into existing mesh networks. The attack is viable w [truncated]
goTenna Pro App versions 1.6.1 and earlier fail to authenticate public keys, enabling unauthenticated attackers to manipulate messages in transit. The vulnerability stems from insufficient cryptographic verification, allowing adversaries within radio range to inject or alter communications without possessing valid credentials. CISA published this advisory on September 26, 2024, with an update on October 1 [truncated]
goTenna Pro App versions 1.6.1 and earlier fail to encrypt callsigns in messages, exposing potentially sensitive identifier information to network observers within radio range. The vulnerability stems from cleartext transmission of callsign metadata even when message encryption is enabled. CISA published this advisory on September 26, 2024, with an update on October 17, 2024 revising the vulnerability ove [truncated]
goTenna Pro App versions 1.6.1 and earlier use AES-CTR encryption for short encrypted messages without integrity checking mechanisms, leaving messages vulnerable to malleability attacks by adversaries with message access. This cryptographic weakness allows message modification without detection. The vulnerability was disclosed by CISA on September 26, 2024, with an advisory update on October 17 [truncated]
CVE-2024-47122 documents a cryptographic weakness in the goTenna Pro App where encryption keys are stored alongside a static initialization vector (IV) on End User Devices (EUDs). This implementation flaw enables complete key recovery if an attacker gains physical access to a compromised device, subsequently allowing decryption of all encrypted broadcast communications. The vulnerability requires physical [truncated]
The goTenna Pro App (versions 1.6.1 and earlier) uses a weak password for sharing encryption keys via the optional RF key broadcast method. An attacker who captures the broadcasted encryption key over RF and successfully cracks the password via brute force can decrypt that key, enabling decryption of all future and past messages sent via encrypted broadcast using that key. This vulnerability is confined t [truncated]
The goTenna Pro ATAK Plugin (versions 1.9.12 and earlier) transmits callsigns in plaintext within encrypted messages, exposing potentially sensitive identifier information to network observers despite the message payload being encrypted. This represents a confidentiality gap where operational security assumptions about encrypted communications do not extend to participant identification metadata. The vend [truncated]
The goTenna Pro ATAK Plugin uses an insecure random number generator when creating passwords for cryptographic key sharing, enabling brute-force attacks against broadcasted encryption keys captured over RF. This vulnerability affects versions 1.9.12 and earlier. The issue was disclosed by CISA on September 26, 2024, with an advisory update on October 17, 2024.
The goTenna Pro ATAK Plugin uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF and the password is cracked by brute force, the key can be decrypted and then used to decrypt all future and past messages sent via encrypted broadcast with that particular key. This only applies when the key is broadcasted over RF. This is [truncated]
The goTenna Pro ATAK Plugin (versions ≤1.9.12) ships with a default configuration that automatically broadcasts Position, Location, and Information (PLI) updates every 60 seconds once the plugin is active and a goTenna device is connected. This behavior occurs without requiring explicit user opt-in or encryption activation. Users who are unaware of these settings and have not enabled encryption prior to m [truncated]
CVE-2024-43694 is a medium-severity vulnerability in the goTenna Pro ATAK Plugin affecting versions 1.9.12 and earlier. The issue involves encryption keys being stored alongside a static initialization vector (IV) on End User Devices (EUDs), enabling complete key decryption if the device is physically compromised. This cryptographic weakness allows an attacker with physical access to decrypt all encrypted [truncated]
goTenna Pro ATAK Plugin versions 1.9.12 and earlier use AES-CTR encryption for short messages without integrity checking mechanisms, leaving ciphertext malleable to attackers with message access. The vulnerability allows integrity compromise (CVSS 5.3 MEDIUM) but does not enable confidentiality breaches or availability impacts. CISA published this advisory on September 26, 2024, with an update on October [truncated]
A medium-severity vulnerability in the goTenna Pro ATAK Plugin allows encryption key names to be transmitted unencrypted over RF broadcast, potentially exposing sensitive operational metadata to nearby adversaries within radio range.
A medium-severity vulnerability in the goTenna Pro ATAK Plugin allows message injection with arbitrary GID and Callsign values using software-defined radio in existing goTenna mesh networks. The vulnerability is exploitable when devices operate in unencrypted environments or when cryptography has been compromised. The issue was disclosed by CISA on September 26, 2024, with an update published October 17, [truncated]
A medium-severity information disclosure vulnerability exists in the goTenna Pro ATAK Plugin versions 1.9.12 and earlier. The plugin fails to inject padding characters into broadcasted frames, allowing adversaries with adjacent network access to infer payload length regardless of encryption strength. This side-channel leakage could aid traffic analysis and correlation attacks against tactical communicatio [truncated]