goTenna v1, Information Disclosure, CVE-2025-32881 (Critical)

By /

Listen to this Post

How the CVE Works

CVE-2025-32881 exposes sensitive user information due to improper handling of Group ID (GID) data in goTenna v1 devices. By default, the GID is set to the user’s phone number unless manually opted out. The app fails to encrypt this GID in transmitted messages, allowing attackers to intercept and decode the data. Since phone numbers can directly identify individuals, this flaw poses a severe privacy risk. The vulnerability stems from weak data protection mechanisms in app version 5.5.3 and firmware 0.25.5, enabling unauthorized access to personally identifiable information (PII).

DailyCVE Form

Platform: goTenna v1
Version: 5.5.3 (app), 0.25.5 (firmware)
Vulnerability: Information Disclosure
Severity: Critical
Date: 06/20/2025

Prediction: Patch by 08/2025

What Undercode Say

Analytics:

– `tcpdump -i any port 8080` (Intercept unencrypted GID traffic)
– `strings /data/data/com.gotenna.app/shared_prefs/` (Extract stored GID)
– `adb logcat | grep GID` (Monitor app GID leakage)

How Exploit:

  • Sniff Bluetooth/Wi-Fi traffic from goTenna devices.
  • Decode intercepted packets to extract GID (phone number).
  • Correlate GID with public databases for identity mapping.

Protection from this CVE:

  • Disable GID auto-fill in app settings.
  • Update to patched firmware (when released).
  • Use VPN/encrypted channels for communication.

Impact:

  • Mass PII exposure.
  • Targeted phishing/social engineering.
  • Legal/compliance violations.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

Join Our Cyber World:

πŸ’¬ Whatsapp | πŸ’¬ TelegramFeatured Image

Scroll to Top