CVE-2024-47122

Insecure Storage of Sensitive Information in goTenna Pro

Description

In the goTenna Pro App, the encryption keys are stored along with a static IV on the End User Device (EUD). This allows for complete decryption of keys stored on the EUD if physically compromised. This allows an attacker to decrypt all encrypted broadcast communications based on encryption keys stored on the EUD. This requires access to and control of the EUD, so it is recommended to use strong access control measures and layered encryption on the EUD for more secure operation.

Remediation

Solution:

  • goTenna recommends that users mitigate these vulnerabilities by performing the following updates: * Android Pro: v2.0.3 or greater * iOS Pro: v2.0.3 or greater

Workaround:

  • goTenna recommends that users follow these mitigations: General Mitigations for All Users/Clients * Use Discreet Callsigns and Key Names: Choose callsigns and key names that do not disclose sensitive information, such as your location, team size, or team name. Avoid using any identifiers that could inadvertently reveal your location or the composition of your team. * Secure End-User Devices: Implement strong security measures on all end-user devices, including the use of encryption and ensuring regular software updates. * Follow Key Rotation Best Practices: Regularly rotate encryption keys according to industry best practices to maintain ongoing security. Pro-Specific Mitigations * Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys. * Secure Broadcasting: When broadcasting, ensure you are in a secured area and transmit the key at a reduced power of 0.5 Watts to limit exposure. * Leverage Layered Encryption: Implement layered encryption keys to securely manage communications, whether interacting with individuals or teams. If you have any questions please contact prosupport@gotenna.com. goTenna recommends users follow their secure operating best practices https://support.gotennapro.com/s/article/Secure-Operating

Category

5.1
CVSS
Severity: Medium
CVSS 4.0 •
CVSS 3.1 •
EPSS 0.02%
Third-Party Advisory cisa.gov
Affected: goTenna Pro
Published at:
Updated at:

References

Link Tags
https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04 third party advisory us government resource government resource

Frequently Asked Questions

What is the severity of CVE-2024-47122?
CVE-2024-47122 has been scored as a medium severity vulnerability.
How to fix CVE-2024-47122?
To fix CVE-2024-47122: goTenna recommends that users mitigate these vulnerabilities by performing the following updates: * Android Pro: v2.0.3 or greater * iOS Pro: v2.0.3 or greater
Is CVE-2024-47122 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-47122 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-47122?
CVE-2024-47122 affects goTenna Pro.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.