CVE-2024-43694
CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
In the goTenna Pro ATAK Plugin application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted broadcast communications based on broadcast keys stored on the device.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| goTenna | Pro ATAK Plugin | 0 <= 1.9.12 | affected |
Weaknesses
- CWE-922: CWE-922 Insecure Storage of Sensitive Information
Workarounds
goTenna recommends that users follow these mitigations:
General Mitigations for All Users/Clients
Use Discreet Callsigns and Key Names: Choose callsigns and key names that do not disclose sensitive information, such as your location, team size, or team name. Avoid using any identifiers that could inadvertently reveal your location or the composition of your team.
Secure End-User Devices: Implement strong security measures on all end-user devices, including the use of encryption and ensuring regular software updates.
Follow Key Rotation Best Practices: Regularly rotate encryption keys according to industry best practices to maintain ongoing security.
Pro-Specific Mitigations
Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.
Secure Broadcasting: When broadcasting, ensure you are in a secured area and transmit the key at a reduced power of 0.5 Watts to limit exposure.
Leverage Layered Encryption: Implement layered encryption keys to securely manage communications, whether interacting with individuals or teams.
If you have any questions please contact prosupport@gotenna.com
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.