goTenna Pro ATAK Plugin versions 1.9.12 and earlier contain multiple cryptographic weaknesses (CWE-521, CWE-922, CWE-353, CWE-319, CWE-338) that allow attackers within local or RF range to compromise the confidentiality of encrypted communications. Weaknesses include poor entropy in key generation, insecure key storage, weak encryption algorithms, and insecure key exchange methods. An attacker with physical or local network proximity can passively eavesdrop on or actively intercept messages between field personnel, exposing sensitive operational information, locations, and team composition. These vulnerabilities are not remotely exploitable and require the attacker to be within RF range or on the same local network as affected devices.
What this means
What could happen
An attacker with physical or local network access to goTenna Pro devices could intercept or eavesdrop on encrypted communications, compromising the confidentiality of team location, operational status, and mission-critical messages transmitted between field personnel.
Who's at risk
Tactical teams using goTenna Pro radios with ATAK plugin for field communications, including emergency responders, utility dispatch crews, and field operations personnel in critical infrastructure sectors. Any organization relying on goTenna Pro for secure team communications is affected.
How it could be exploited
An attacker must be within RF range or on the same local network as goTenna Pro devices running the affected ATAK plugin. The attacker can then passively capture or actively intercept communications due to weaknesses in encryption key generation, storage, or exchange, allowing them to read encrypted messages without authentication.
Prerequisites
Local or RF proximity to goTenna Pro devices
ATAK plugin version 1.9.12 or earlier installed
No user credentials or special configuration required for passive eavesdropping
Encryption weaknesses (poor key generation, storage, or exchange)Low complexity exploitationLocal/RF proximity required (reduces remote risk but common in field operations)Affects operational communications confidentialityDefault or weak key configurations may be common
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
goTenna Pro ATAK Plugin: <=1.9.12≤ 1.9.122.0.7
Remediation & Mitigation
0/8
Do now
0/3
HARDENINGUse only non-descriptive callsigns and key names that do not reveal location, team composition, or operational details
WORKAROUNDExchange encryption keys using secure methods such as QR codes rather than over-the-air transmission
WORKAROUNDWhen broadcasting, transmit at reduced power (0.5 Watts) from secured areas to limit RF exposure range
Schedule — requires maintenance window
0/4
Patching may require device reboot — plan for process interruption
HOTFIXUpdate goTenna Pro ATAK Plugin to version 2.0.7 or greater
HARDENINGRotate encryption keys regularly and follow industry key management best practices
HARDENINGImplement layered encryption with multiple keys for different communication groups
HARDENINGEnsure end-user devices (phones, tablets, laptops) running ATAK are kept fully patched and use device-level encryption
Long-term hardening
0/1
HARDENINGPhysically secure goTenna Pro devices and restrict access to personnel with a need-to-know