CVE-2024-47121: CWE-521 Weak Password Requirements in goTenna Pro
The goTenna Pro App uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF, and password is cracked via brute force attack, it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. This only applies when the key is broadcasted over RF. This is an optional feature, so it is recommended to use local QR encryption key sharing for additional security on this and previous versions.
AI Analysis
Technical Summary
CVE-2024-47121 identifies a weakness in the goTenna Pro application related to its password requirements for sharing encryption keys via the key broadcast method over radio frequency (RF). Specifically, the vulnerability stems from the use of weak passwords protecting the broadcasted encryption keys. An attacker capable of capturing the broadcasted key over RF can attempt a brute force attack against the weak password. If successful, the attacker can decrypt the encryption key and subsequently decrypt all messages sent via encrypted broadcast with that key, both past and future communications. This vulnerability only applies when the optional key broadcast feature is used; the application also supports a more secure local QR code-based encryption key sharing method, which is recommended to mitigate this risk. The CVSS 4.0 vector indicates that the attack requires adjacent network access (AV:A), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), and results in high confidentiality impact (VC:H) but no impact on integrity or availability. The vulnerability is classified under CWE-521, which concerns weak password requirements. No known exploits are reported in the wild, and no patches have been released at the time of this report. The weakness primarily affects the confidentiality of communications transmitted via the vulnerable broadcast method over RF, potentially compromising sensitive data if exploited.
Potential Impact
For European organizations using goTenna Pro devices, particularly those relying on the RF key broadcast feature, this vulnerability poses a significant confidentiality risk. Organizations in sectors such as emergency services, logistics, defense, and critical infrastructure that utilize goTenna Pro for secure communication could have sensitive operational data exposed if an attacker captures and brute forces the weak password protecting the broadcasted encryption key. The ability to decrypt both past and future messages amplifies the potential damage, allowing attackers to conduct prolonged surveillance or intelligence gathering. Although the attack complexity is high and requires physical proximity to capture RF signals, the lack of required privileges or user interaction lowers the barrier for exploitation by motivated adversaries. The impact is less severe if organizations have adopted the recommended QR code-based key sharing or disabled the broadcast feature. However, failure to do so could lead to data breaches, operational disruption, or compromise of confidential communications, which may have regulatory and reputational consequences under European data protection laws such as GDPR.
Mitigation Recommendations
European organizations should immediately assess their use of the goTenna Pro application and specifically verify whether the RF key broadcast feature is enabled. If enabled, it is strongly recommended to disable this feature and switch to local QR code-based encryption key sharing, which is more secure and not vulnerable to RF interception. Organizations should enforce strong password policies for any encryption keys used within the application to prevent brute force attacks. Additionally, physical security measures should be enhanced to limit adversaries' ability to capture RF broadcasts, including restricting access to areas where goTenna Pro devices operate and monitoring for unauthorized RF scanning equipment. Regular audits and training should be conducted to ensure users understand the risks of using weak passwords and insecure key sharing methods. Finally, organizations should monitor for updates from goTenna for patches addressing this vulnerability and apply them promptly once available.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Poland, Netherlands, Belgium, Sweden, Finland
CVE-2024-47121: CWE-521 Weak Password Requirements in goTenna Pro
Description
The goTenna Pro App uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF, and password is cracked via brute force attack, it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. This only applies when the key is broadcasted over RF. This is an optional feature, so it is recommended to use local QR encryption key sharing for additional security on this and previous versions.
AI-Powered Analysis
Technical Analysis
CVE-2024-47121 identifies a weakness in the goTenna Pro application related to its password requirements for sharing encryption keys via the key broadcast method over radio frequency (RF). Specifically, the vulnerability stems from the use of weak passwords protecting the broadcasted encryption keys. An attacker capable of capturing the broadcasted key over RF can attempt a brute force attack against the weak password. If successful, the attacker can decrypt the encryption key and subsequently decrypt all messages sent via encrypted broadcast with that key, both past and future communications. This vulnerability only applies when the optional key broadcast feature is used; the application also supports a more secure local QR code-based encryption key sharing method, which is recommended to mitigate this risk. The CVSS 4.0 vector indicates that the attack requires adjacent network access (AV:A), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), and results in high confidentiality impact (VC:H) but no impact on integrity or availability. The vulnerability is classified under CWE-521, which concerns weak password requirements. No known exploits are reported in the wild, and no patches have been released at the time of this report. The weakness primarily affects the confidentiality of communications transmitted via the vulnerable broadcast method over RF, potentially compromising sensitive data if exploited.
Potential Impact
For European organizations using goTenna Pro devices, particularly those relying on the RF key broadcast feature, this vulnerability poses a significant confidentiality risk. Organizations in sectors such as emergency services, logistics, defense, and critical infrastructure that utilize goTenna Pro for secure communication could have sensitive operational data exposed if an attacker captures and brute forces the weak password protecting the broadcasted encryption key. The ability to decrypt both past and future messages amplifies the potential damage, allowing attackers to conduct prolonged surveillance or intelligence gathering. Although the attack complexity is high and requires physical proximity to capture RF signals, the lack of required privileges or user interaction lowers the barrier for exploitation by motivated adversaries. The impact is less severe if organizations have adopted the recommended QR code-based key sharing or disabled the broadcast feature. However, failure to do so could lead to data breaches, operational disruption, or compromise of confidential communications, which may have regulatory and reputational consequences under European data protection laws such as GDPR.
Mitigation Recommendations
European organizations should immediately assess their use of the goTenna Pro application and specifically verify whether the RF key broadcast feature is enabled. If enabled, it is strongly recommended to disable this feature and switch to local QR code-based encryption key sharing, which is more secure and not vulnerable to RF interception. Organizations should enforce strong password policies for any encryption keys used within the application to prevent brute force attacks. Additionally, physical security measures should be enhanced to limit adversaries' ability to capture RF broadcasts, including restricting access to areas where goTenna Pro devices operate and monitoring for unauthorized RF scanning equipment. Regular audits and training should be conducted to ensure users understand the risks of using weak passwords and insecure key sharing methods. Finally, organizations should monitor for updates from goTenna for patches addressing this vulnerability and apply them promptly once available.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- icscert
- Date Reserved
- 2024-09-18T21:32:27.324Z
- Cisa Enriched
- true
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 682d9838c4522896dcbebed1
Added to database: 5/21/2025, 9:09:12 AM
Last enriched: 6/26/2025, 1:30:46 AM
Last updated: 7/15/2025, 6:40:26 PM
Views: 14
Related Threats
CVE-2025-37105: Vulnerability in Hewlett Packard Enterprise HPE AutoPass License Server
HighCVE-2025-36097: CWE-121 Stack-based Buffer Overflow in IBM WebSphere Application Server
HighCVE-2025-37107: Vulnerability in Hewlett Packard Enterprise HPE AutoPass License Server
HighCVE-2025-37106: Vulnerability in Hewlett Packard Enterprise HPE AutoPass License Server
HighCVE-2025-40777: CWE-617 Reachable Assertion in ISC BIND 9
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.