CVE-2024-47123

Summary

The goTenna Pro App uses AES CTR type encryption for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to an attacker that can access the message. It is recommended to continue to use encryption in the app and update to the current release for more secure operations.

Affected Software

VendorProductVersion RangeStatus
goTennaPro0 <= 1.61affected

Weaknesses

  • CWE-353: CWE-353 Missing Support for Integrity Check

Workarounds

goTenna recommends that users follow these mitigations:

General Mitigations for All Users/Clients

  • Use Discreet Callsigns and Key Names: Choose callsigns and key names that do not disclose sensitive information, such as your location, team size, or team name. Avoid using any identifiers that could inadvertently reveal your location or the composition of your team.

  • Secure End-User Devices: Implement strong security measures on all end-user devices, including the use of encryption and ensuring regular software updates.

  • Follow Key Rotation Best Practices: Regularly rotate encryption keys according to industry best practices to maintain ongoing security.

Pro-Specific Mitigations

  • Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.

  • Secure Broadcasting: When broadcasting, ensure you are in a secured area and transmit the key at a reduced power of 0.5 Watts to limit exposure.

  • Leverage Layered Encryption: Implement layered encryption keys to securely manage communications, whether interacting with individuals or teams.

If you have any questions please contact prosupport@gotenna.com.

goTenna recommends users follow their secure operating best practices https://support.gotennapro.com/s/article/Secure-Operating

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References