Critical radio systems are often less secure than we think

Digital radio communication systems play a central role in many critical societal functions. Despite this, the systems often have a lower level of security than more established communication solutions. This is shown in a new doctoral thesis from the University of Skövde and the Swedish Defence University.

"A recurring conclusion is that systems are often perceived as secure by users and system owners, despite in practice having clear vulnerabilities", says Marcus Dansarie, Captain and military teacher at the Department of Systems Science for Defence and Security at the Swedish Defence University .

In his thesis, he introduces the concept of “digital radio communication systems for special purposes”. These are specialised radio systems used across a wide range of sectors, such as emergency services, industry, rail, maritime and aviation, and in critical infrastructure.

Shared problems despite major technical differences

Despite significant differences in technology and areas of application, the systems share several fundamental security characteristics, and therefore similar vulnerabilities. One issue is that security has not been built in from the outset, but rather added afterwards or addressed in an unclear manner.

Another conclusion is that the link between radio communication systems and organisations’ core activities is often underestimated. Radio communication is not always regarded as an IT system, which means responsibility for security can fall between different functions.

“In many cases, there are indirect dependencies that mean disruptions in radio systems can quickly have major consequences for operations”, says Marcus Dansarie.

Two case studies of radio communication standards

The thesis is based partly on a review of previous research and partly on in-depth studies of two established radio communication standards.

The first case study concerns Automatic Link Establishment (ALE), a standard for high-frequency radio. Here, Marcus Dansarie analyses cryptographic functions to identify weaknesses in the security solutions. The second case study focuses on TETRA, a standard for shared radio systems commonly used by emergency services, the military, public transport, and other sectors requiring secure and reliable communication.

“In this case, I conducted interviews to examine how organisations that own and operate TETRA networks perceive security and risks. In several parts of the thesis work, I also developed software to support the research.”

Taken together, the case studies show how both technical and organisational factors contribute to security issues.

Research rooted in experience of military communication systems

The inspiration for the thesis comes from Marcus Dansarie’s experience as an officer.

“In my work with military communication systems, I observed that users’ perceptions of system security and functionality often differ from reality.”

When he later undertook his master’s studies and examined the security of a military standard more closely, he identified security flaws.

“This confirmed my view. Unlike, for example, internet-based standards, security in radio communication standards is relatively under-researched, and we know very little about existing vulnerabilities and risks. That is what I wanted to help improve understanding of.”

Contributing to more secure systems

The thesis points to several possible explanations for why security levels are often low, including insufficient feedback on incidents, complex system dependencies, and a market structure in which security is not always prioritised. Marcus Dansarie hopes the results will increase awareness among users, system owners, and developers alike.

“For many organisations, a disruption in radio communication can mean that critical functions are affected or come to a complete halt. My hope is that this research will contribute to these systems being treated as the critical infrastructure they actually are, and that future standards are developed with stronger security from the outset.”