Study finds security flaws in TETRA radio systems

Radio communication systems used for important communication are not sufficiently protected against modern digital threats, according to new research from the University of Skövde and the Swedish Defence University. The researchers’ study, which was published in the journal Information and Computer Security, points out shortcomings in the security of the TETRA radio communication standard, which is used by emergency services and public transport among others.

The TETRA radio communication standard is intended for organisations that need real-time radio communication for coordination of operations. The most well-known application in Sweden is Rakel, a state-owned national communication system for collaboration between, for example, the police, rescue services and other important actors.

“Our results show that many believe that these systems are safe because the technology is advanced — but important security controls, such as modern encryption and secure logins, are often missing,” said Marcus Nohlberg, Associate Professor of Information Technology at the University of Skövde.

The study found that, when encryption is used, it is often flawed, which is partly due to the fact that the technology has previously been unavailable for vetting by researchers and security experts. As explained by Marcus Dansarie, a PhD student at the Swedish Defence University, “Unlike ordinary IT systems, which are constantly updated against new threats, these radio systems are built to last for decades. They change very slowly, which means that vulnerabilities can remain for many years without being addressed.”

Another problem is that not that many people have deep technical knowledge about the technology. This creates a situation where the whole of society relies on a few experts and companies to ensure the function and protection of vital communication networks.

“Radio systems are often invisible to the public, but they are central to many socially important activities,” Nohlberg said. “They are therefore kind of a hidden but critical part of our digital infrastructure.”

The researchers emphasised that these systems are in practice IT systems, but are not treated as such. Security procedures and principles for radio systems are often lacking, compared to normal standards in cybersecurity.

“This means that both users and decision-makers may believe that the systems are secure, even when they are in fact very vulnerable,” Dansarie said. “At the same time, the threats are becoming more sophisticated every year.”

The researchers are now calling for a broad discussion about who is responsible for security in radio systems, how they should be updated and what requirements should be.

“Communication is one of the most fundamental functions of our society,” Nohlberg said. “If we do not protect the radio systems as carefully as other digital infrastructure, we take major security risks.”

Image credit: iStock.com/Jacob Wackerhausen