Gotenna: >> Gotenna Security Vulnerabilities
The goTenna Pro ATAK Plugin's default settings are to share Automatic
Position, Location, and Information (PLI) updates every 60 seconds once
the plugin is active and goTenna is connected. Users that are unaware of
their settings and have not activated encryption before a mission may
accidentally broadcast their location unencrypted. It is advised to
verify PLI settings are the desired rate and activate encryption prior
to mission. Update to the latest Plugin to disable this default setting.
CVSS Score
4.3
EPSS Score
0.0
Published
2024-09-26
The goTenna Pro ATAK plugin uses a weak password for sharing encryption
keys via the key broadcast method. If the broadcasted encryption key is
captured over RF, and password is cracked via brute force attack, it is
possible to decrypt it and use it to decrypt all future and past
messages sent via encrypted broadcast with that particular key. This
only applies when the key is broadcasted over RF. This is an optional
feature, so it is advised to use local QR encryption key sharing for
additional security on this and previous versions.
CVSS Score
5.3
EPSS Score
0.0
Published
2024-09-26
The goTenna Pro ATAK Plugin does not use SecureRandom when generating
passwords for sharing cryptographic keys. The random function in use
makes it easier for attackers to brute force this password if the
broadcasted encryption key is captured over RF. This only applies to the
optional broadcast of an encryption key, so it is advised to share the
key with local QR code for higher security operations.
CVSS Score
6.5
EPSS Score
0.0
Published
2024-09-26
In the goTenna Pro ATAK Plugin there is a vulnerability that makes it
possible to inject any custom message with any GID and Callsign using a
software defined radio in existing goTenna mesh networks. This
vulnerability can be exploited if the device is being used in an
unencrypted environment or if the cryptography has already been
compromised. It is advised to use encryption shared with local QR code
for higher security operations.
CVSS Score
6.5
EPSS Score
0.0
Published
2024-09-26
The goTenna Pro ATAK Plugin encryption key name is always sent
unencrypted when the key is sent over RF through a broadcast message. It
is advised to share the encryption key via local QR for higher security
operations.
CVSS Score
4.3
EPSS Score
0.0
Published
2024-09-26
The goTenna Pro ATAK Plugin uses AES CTR type encryption for short,
encrypted messages without any additional integrity checking mechanisms.
This leaves messages malleable to an attacker that can access the
message. It is advised to continue to use encryption in the plugin and
update to the current release for enhanced encryption protocols.
CVSS Score
5.3
EPSS Score
0.0
Published
2024-09-26
Page 2