goTenna Pro ATAK Plugin Cleartext Transmission of Sensitive Information
The goTenna Pro ATAK Plugin does not encrypt callsigns in messages. It
is advised to not use sensitive information in callsigns when using this
and previous versions of the plugin. Update to current plugin version
which uses AES-256 encryption for callsigns in encrypted operation
goTenna recommends that users mitigate these vulnerabilities by performing the following updates:
* ATAK Plugin: v2.0.7 or greater
Configurations
Workarounds
goTenna recommends that users follow these mitigations:
General Mitigations for All Users/Clients
* Use Discreet Callsigns and Key Names: Choose callsigns and key names
that do not disclose sensitive information, such as your location, team
size, or team name. Avoid using any identifiers that could
inadvertently reveal your location or the composition of your team.
* Secure End-User Devices: Implement strong security measures on all
end-user devices, including the use of encryption and ensuring regular
software updates.
* Follow Key Rotation Best Practices: Regularly rotate encryption keys
according to industry best practices to maintain ongoing security.
Pro-Specific Mitigations
* Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.
* Secure Broadcasting: When broadcasting, ensure you are in a secured
area and transmit the key at a reduced power of 0.5 Watts to limit
exposure.
* Leverage Layered Encryption: Implement layered encryption keys to
securely manage communications, whether interacting with individuals or
teams.
If you have any questions please contact best practices https://support.gotennapro.com/s/article/Secure-Operating .
Exploits
Credits
finder
Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA.