Skip to main content

CVE-2024-47121: CWE-521 Weak Password Requirements in goTenna Pro

Medium
VulnerabilityCVE-2024-47121cvecve-2024-47121cwe-521
Published: Thu Sep 26 2024 (09/26/2024, 17:18:03 UTC)
Source: CVE
Vendor/Project: goTenna
Product: Pro

Description

The goTenna Pro App uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF, and password is cracked via brute force attack, it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. This only applies when the key is broadcasted over RF. This is an optional feature, so it is recommended to use local QR encryption key sharing for additional security on this and previous versions.

AI-Powered Analysis

AILast updated: 06/26/2025, 01:30:46 UTC

Technical Analysis

CVE-2024-47121 identifies a weakness in the goTenna Pro application related to its password requirements for sharing encryption keys via the key broadcast method over radio frequency (RF). Specifically, the vulnerability stems from the use of weak passwords protecting the broadcasted encryption keys. An attacker capable of capturing the broadcasted key over RF can attempt a brute force attack against the weak password. If successful, the attacker can decrypt the encryption key and subsequently decrypt all messages sent via encrypted broadcast with that key, both past and future communications. This vulnerability only applies when the optional key broadcast feature is used; the application also supports a more secure local QR code-based encryption key sharing method, which is recommended to mitigate this risk. The CVSS 4.0 vector indicates that the attack requires adjacent network access (AV:A), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), and results in high confidentiality impact (VC:H) but no impact on integrity or availability. The vulnerability is classified under CWE-521, which concerns weak password requirements. No known exploits are reported in the wild, and no patches have been released at the time of this report. The weakness primarily affects the confidentiality of communications transmitted via the vulnerable broadcast method over RF, potentially compromising sensitive data if exploited.

Potential Impact

For European organizations using goTenna Pro devices, particularly those relying on the RF key broadcast feature, this vulnerability poses a significant confidentiality risk. Organizations in sectors such as emergency services, logistics, defense, and critical infrastructure that utilize goTenna Pro for secure communication could have sensitive operational data exposed if an attacker captures and brute forces the weak password protecting the broadcasted encryption key. The ability to decrypt both past and future messages amplifies the potential damage, allowing attackers to conduct prolonged surveillance or intelligence gathering. Although the attack complexity is high and requires physical proximity to capture RF signals, the lack of required privileges or user interaction lowers the barrier for exploitation by motivated adversaries. The impact is less severe if organizations have adopted the recommended QR code-based key sharing or disabled the broadcast feature. However, failure to do so could lead to data breaches, operational disruption, or compromise of confidential communications, which may have regulatory and reputational consequences under European data protection laws such as GDPR.

Mitigation Recommendations

European organizations should immediately assess their use of the goTenna Pro application and specifically verify whether the RF key broadcast feature is enabled. If enabled, it is strongly recommended to disable this feature and switch to local QR code-based encryption key sharing, which is more secure and not vulnerable to RF interception. Organizations should enforce strong password policies for any encryption keys used within the application to prevent brute force attacks. Additionally, physical security measures should be enhanced to limit adversaries' ability to capture RF broadcasts, including restricting access to areas where goTenna Pro devices operate and monitoring for unauthorized RF scanning equipment. Regular audits and training should be conducted to ensure users understand the risks of using weak passwords and insecure key sharing methods. Finally, organizations should monitor for updates from goTenna for patches addressing this vulnerability and apply them promptly once available.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
icscert
Date Reserved
2024-09-18T21:32:27.324Z
Cisa Enriched
true
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682d9838c4522896dcbebed1

Added to database: 5/21/2025, 9:09:12 AM

Last enriched: 6/26/2025, 1:30:46 AM

Last updated: 7/15/2025, 6:40:26 PM

Views: 14

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats