CISA Alert: Critical Vulnerabilities in goTenna Pro Devices

On September 26, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory highlighting critical security vulnerabilities in the goTenna Pro X and Pro X2 devices. This advisory is particularly significant for users involved in communications, government services, and critical infrastructure sectors, as it uncovers ongoing risks that could jeopardize the confidentiality and integrity of device communications.

Executive Summary

The vulnerabilities in goTenna's Pro series are serious: the advisory rates them at a CVSS v4 base score of 8.7, a wake-up call for anyone who relies on these devices for secure communications. goTenna has been notified of several vulnerabilities that expose users to a range of cyber threats. The most alarming of these include:
  • Weak Password Requirements
  • Insecure Storage of Sensitive Information
  • Missing Support for Integrity Checks
  • Cleartext Transmission of Sensitive Data
  • Improper Communication Channel Restrictions
  • Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • Weak Authentication and Other Issues

Risk Evaluation

Exploiting these vulnerabilities could allow attackers to intercept and manipulate communications, thereby compromising sensitive information exchanged between devices. This risk should not be taken lightly, especially for organizations that depend on secure communications, like military units or emergency services.

Technical Details

Affected Products

  • goTenna Pro App: Versions 1.6.1 and prior are at risk.

Key Vulnerabilities

  1. Weak Password Requirements (CWE-521): The app accepts easily crackable passwords for QR broadcast messages, leaving past and future messages open to interception.
  2. Insecure Storage of Sensitive Information (CWE-922): Sensitive data such as encryption keys is stored without adequate protection; an attacker who recovers those keys can decrypt all P2P and group communications.
  3. Missing Support for Integrity Check (CWE-353): Short messages are encrypted with AES in CTR mode without any integrity check, so ciphertext can be altered in transit without the receiver noticing, which undermines the encryption.
  4. Cleartext Transmission of Sensitive Information (CWE-319): User call signs are not encrypted, so identifying information can be exposed.
  5. Improper Restriction of Communication Channels (CWE-923): Because public keys are not authenticated, messages can be intercepted and manipulated with little effort.
  6. Use of Weak PRNG (CWE-338): Cryptographic keys are not generated with a cryptographically secure random number generator, making them predictable.
  7. Weak Authentication (CWE-1390): Attackers can inject arbitrary messages into an existing mesh network, particularly when encryption is not in use.
  8. Insertion of Sensitive Information in Sent Data (CWE-201): Information such as broadcast key names is transmitted unencrypted, which can leak operational locations.
  9. Observable Response Discrepancy (CWE-204): The system's responses can reveal payload lengths, giving an attacker additional information.
  10. Missing Authentication for Critical Functions (CWE-306): An unauthenticated attacker can update the public keys used for P2P and group messages, a particularly serious flaw given that those public keys underpin the security of P2P communications.
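To make the CWE-353 and CWE-338 findings above concrete, here is an added example in Go. It is not code from goTenna or from the advisory and makes no claim about how the goTenna app implements its encryption; the message text, frame layouts and function names are constructed for the example. The same one-bit change is applied to a frame protected with bare AES-CTR and to one protected with AES-GCM: the CTR receiver accepts the altered plaintext without any error, while the GCM receiver rejects the frame because the authentication tag no longer verifies. Keys are drawn from `crypto/rand` rather than a seeded general-purpose PRNG.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// NewKey draws a 256-bit AES key from the OS CSPRNG; seeding math/rand from
// the clock instead would make keys predictable (the CWE-338 finding).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// ctrXOR applies the AES-CTR keystream; the same call encrypts and decrypts,
// and nothing in the output lets a receiver notice a modified byte.
func ctrXOR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal is the hardened construction: AES-GCM (CTR plus an authentication
// tag). Frame layout is nonce || ciphertext || tag.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen returns an error, not plaintext, when the tag fails to verify.
func gcmOpen(key, frame []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(frame) >= n+gcm.Overhead() {
		return gcm.Open(nil, frame[:n], frame[n:], nil)
	}
	return nil, fmt.Errorf("gcm: frame too short")
}

// flipBit copies msg and inverts the low bit of byte i: a one-bit change in transit.
func flipBit(msg []byte, i int) []byte {
	out := append([]byte(nil), msg...)
	out[i] ^= 0x01
	return out
}

// CompareModes encrypts plaintext both ways and flips the first ciphertext bit of
// each frame: the CTR receiver accepts it (one plaintext bit now differs), the GCM receiver rejects it.
func CompareModes(key, plaintext []byte) (ctrAccepted []byte, gcmRejected bool, err error) {
	iv := make([]byte, aes.BlockSize)
	if _, err = io.ReadFull(rand.Reader, iv); err != nil {
		return nil, false, err
	}
	ct, err := ctrXOR(key, iv, plaintext) // CTR only, no tag (CWE-353)
	if err != nil {
		return nil, false, err
	}
	if ctrAccepted, err = ctrXOR(key, iv, flipBit(ct, 0)); err != nil {
		return nil, false, err
	}
	frame, err := gcmSeal(key, plaintext)
	if err != nil {
		return nil, false, err
	}
	_, err = gcmOpen(key, flipBit(frame, 12)) // byte 12: first ciphertext byte after the 96-bit nonce
	return ctrAccepted, err != nil, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message, not real goTenna traffic.
	accepted, rejected, err := CompareModes(key, []byte("CALLSIGN ALPHA-1: HOLD POSITION"))
	fmt.Printf("CTR receiver accepted %q\nGCM receiver rejected the frame: %v (err=%v)\n", accepted, rejected, err)
}
```

The CTR receiver returns the original text with exactly one bit changed and no indication anything happened, which is why the advisory treats the missing integrity check as breaking the encryption; the GCM receiver never returns plaintext for a modified frame. Any AEAD, or CTR combined with a MAC over the ciphertext, gives the same protection.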

Background

These vulnerabilities were identified by researchers Erwin Karincic, Clayton Smith, and Dale Wooden; the affected devices are deployed across a range of critical infrastructure sectors in the United States.

Recommended Mitigations

To safeguard against these vulnerabilities, users are advised to update their software immediately:
  • For Android Pro, update to v2.0.3 or higher.
  • iOS Pro users should contact goTenna support for direct updates.
In addition to software updates, goTenna recommends following best practices:
  • Use Discreet Identifiers: Select codes that avoid revealing sensitive data.
  • Secure End Devices: Employ strong security measures and regular updates.
  • Key Rotation Best Practices: Rotate keys according to security norms.
CISA also urges additional defensive measures, including minimizing the devices' exposure to the internet and using secure methods such as VPNs for any remote access. The agency stresses conducting a thorough impact analysis before implementing security measures.

Update History

These findings and recommendations are critical for maintaining secure communications and keeping sensitive information safeguarded against developing threats. With the vulnerabilities now public and CISA urging action, users of the goTenna Pro X and Pro X2 should act promptly to mitigate the risk.
For detailed vulnerabilities and tips for further action, check the full advisory on the CISA website.

Conclusion

As the digital landscape evolves, so too must our vigilance and adaptability in addressing vulnerabilities — the goTenna advisory serves as a clarion call for robust security practices not just in technology, but in the philosophy of how we interact with and protect our networked lives.
Source: CISA goTenna Pro X and Pro X2