goTenna Pro X and Pro X2 (Update A)

Plan Patch | CVSS 9.6 | ICS-CERT ICSA-24-270-04 | Sep 26, 2024
Mitsubishi Electric
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

goTenna Pro App versions 1.6.1 and earlier contain multiple cryptographic and information disclosure vulnerabilities (CWE-521, CWE-922, CWE-353, CWE-319, CWE-923, CWE-338, CWE-1390, CWE-201, CWE-204, CWE-306) that could allow an attacker with local network or radio proximity to compromise the confidentiality and integrity of communications between affected devices. These vulnerabilities are not remotely exploitable and require local/adjacent network access.

What this means
What could happen
An attacker with physical or local network proximity could intercept and decrypt communications between goTenna Pro devices, compromising the confidentiality and integrity of sensitive operational data exchanged through these radios.
Who's at risk
Operators and emergency responders who rely on goTenna Pro radios for tactical or remote site communications, particularly in utilities, public safety, and emergency response sectors where secure off-grid communication is critical for coordinating equipment operations or emergency response.
How it could be exploited
An attacker within radio range or on the same local network as a goTenna Pro device could perform a man-in-the-middle attack or eavesdropping attack to intercept unencrypted or weakly encrypted communications. The attacker does not need valid credentials or user interaction.
Prerequisites
  • Physical or local network proximity to the goTenna Pro device
  • Device running goTenna Pro App version 1.6.1 or earlier
  • Critical severity (CVSS 9.6)
  • Low complexity attack
  • No authentication required
  • Affects confidentiality and integrity of communications
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
goTenna Pro App | ≤ 1.6.1 | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Use non-descriptive callsigns and key names that do not reveal location, team composition, or other sensitive information
  • WORKAROUND: When broadcasting sensitive information, transmit at reduced power (0.5 Watts) to limit radio range and exposure
  • HARDENING: Exchange encryption keys using QR code method instead of other means to ensure secure key distribution
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update Android Pro app to version 2.0.3 or greater
  • HOTFIX: Update iOS Pro app to version 2.0.3 or greater
Long-term hardening
  • HARDENING: Implement a key rotation schedule and rotate encryption keys regularly according to industry best practices
  • HARDENING: Implement layered encryption keys for team communications to add defense in depth