Purpose

Digital mobile radio communication networks are used for coordinating operations in many important sectors, including critical infrastructures and large industries. Despite this, there is a dearth of knowledge about how their information security is managed. The most commonly used standard for such networks is TETRA. Given the critical role of TETRA networks, this study aims to clarify how they are used, how their users manage information security and the implications of vulnerabilities in the standard.

Design/methodology/approach

The study is based on semi-structured interviews with representatives from 11 organizations in Sweden that own and operate TETRA networks, representing 32% of registered users in the country and a wide range of users and applications. Thematic analysis was used to analyze the data.

Findings

Management of TETRA networks is generally outsourced, leaving TETRA network owners with scant knowledge of the state of security in their networks. Although organizations have high demands on availability and integrity, the use of encryption and authentication is rare. Instead, users generally rely on the protocol’s complexity and obscurity for security. Because organizations’ core operations are often dependent on functioning TETRA networks, attacks can have severe consequences.

Originality/value

Previous research on security in digital mobile radio communication networks has focused on technical vulnerabilities in standards. This study is the first, to the best of the authors’ knowledge, to investigate users’ approaches to information security, the potential consequences of attacks and the implications of known security issues in this context.

In addition to bringing many advantages, the digitalization that has characterized the past decades has also introduced new risks and vulnerabilities. Although security in commodity information and communications technology (ICT) equipment is generally considered important, research on security in specialized digital radio communication standards has revealed that many lack even basic security mechanisms such as encryption or authentication (Dansarie, 2024). Meanwhile, users of digital radio communication systems often have excessive confidence in their security (Strohmeier et al., 2017, 2019). Changes in underlying technology that expose new attack surfaces, such as the replacement of analog radio with digital in communication systems, are known as security phase changes (Ghena et al., 2014). Often, developers and users are unprepared. Consequently, the security phase changes may go unnoticed, increasing the risk of security failures and causing gaps between users’ perceptions and actual security. The risk is particularly high for embedded technologies that lie outside commodity ICT or operational technology, because they require specialized skills not commonly found in information technology (IT) departments (Ghena et al., 2014). Multiple important sectors, including critical infrastructures, depend on digital radio communication systems (Bekkers, 2001; Ecorys, 2009). Despite the existence of known security issues in the standards, there does not appear to exist research on users’ security needs and perceptions outside the civil aviation field (Dansarie, 2024).

Digital mobile radio communication networks are used by major operations such as police and rescue services, metropolitan transit systems, public utilities, major infrastructures and large industries for real-time coordination of activities across large areas (Bekkers, 2001; Ecorys, 2009). They not only have crucial roles for their organizations but must also comply with legal requirements, such as the European General Data Protection Regulation (GDPR) and Directive on Security of Network and Information Systems (NIS Directive). Therefore, it is essential for users of mobile radio networks to ensure their systems are adequately secure. However, without a clear understanding of their systems’ information security properties, this can be a major challenge.

Three different major standards for digital high-end mobile radio are currently in broad use: APCO P25, TETRAPOL and TETRA. APCO P25 has wide adoption in North America, where Motorola blocks the use of key patents for TETRA. TETRAPOL has limited adoption in a few European countries, most notably France. Elsewhere, TETRA dominates the market, making it the leading international standard for high-end digital mobile radio communication networks (Ecorys, 2009). Despite TETRA’s widespread adoption, users’ security needs and the potential impact of attacks on TETRA networks are poorly understood. This paper investigates TETRA’s role and security impacts through semi-structured interviews with system owners of eleven TETRA networks in Sweden, representing a wide range of users and applications.

The remainder of this paper is structured as follows. Section 1 continues with a statement of the research questions and an introduction to mobile radio networks and the TETRA standard. Section 2 provides an overview of related work on security in digital radio communication standards. Section 3 presents the research methodology used in the study, including ethical considerations. Section 4 presents the main results organized by the key themes identified in the thematic analysis. Section 5 concludes the paper, discussing key findings and implications for future research.

The majority of the functionality in digital high-end mobile radio networks is implemented in software (Ecorys, 2009). Radios are in constant contact with their host networks, even when the user is not actively using the device. Increased complexity and software dependence of modern mobile radio networks come with new risks that must be properly addressed by user organizations. However, little knowledge exists on how these systems are used and the potential consequences of vulnerabilities.

As the most popular high-end digital mobile radio standard, TETRA is used by numerous critical infrastructures (Bekkers, 2001; Ecorys, 2009), meaning that attacks on the confidentiality, integrity or availability of TETRA systems used in those infrastructures could have serious consequences. Although the standard has been in active use for more than a quarter-century, no academic research on TETRA security from before 2010 has been found (Park et al., 2010). Recent work (Meijer et al., 2023) has uncovered serious weaknesses in TETRA security, but it is unknown how those vulnerabilities affect the security of TETRA users’ operations in practice. Furthermore, previous research on radio communications in other fields has shown that there can be large gaps between users’ perceptions of security and the actual security of their systems. In one case in civil aviation, fewer than 10% of respondents were aware that a particular communication system is not authenticated (Strohmeier et al., 2017, 2019). The present study aims to investigate how organizations are affected by the security of their TETRA networks by addressing the following research questions:

RQ1. How do user organizations handle information security in their TETRA networks?

RQ2. What are the potential consequences for users of attacks on confidentiality, integrity or availability of TETRA networks?

Analog mobile radio technology emerged in the 1940s as companies started marketing radio technologies developed during World War II to civilian customers. Originally, radios were vehicle-mounted, but today both handheld and vehicle-mounted devices are common. Since the 1990s, digital radio communication technologies have replaced analog technologies in many applications. Compared to their analog predecessors, digital radio networks have many advantages, such as improved audio quality, text and data transmission, and improved spectrum efficiency (Bekkers, 2001).

Common features of all mobile radio networks include push-to-talk (PTT) functionality, very rapid call setup and group calls. This differentiates mobile radio networks from mobile telephone systems, which generally lack these features. The needs of many organizations are satisfied by low-end mobile radio systems such as analog walkie-talkies, repeater-based analog systems or simple digital radio systems such as Digital Mobile Radio (DMR). High-end mobile radio networks have more features, including support for group calls between geographically dispersed users (trunking), dispatch operators, numerous talk groups, data transmission, emergency call functions, priority calls, authentication, encryption and high fault tolerance (Bekkers, 2001; Ecorys, 2009).

Mobile radio networks differ from other ICT systems in some aspects, because of their technological heritage from the radio and telephony sectors (Bekkers, 2001). Importantly, all radio-based communications are readily accessible to anyone within range. Thus, there exist no physical hurdles that prevent potential attackers from receiving or transmitting messages. In many jurisdictions, receiving radio signals meant for others is permitted, making passive attacks effectively legal. Compared to commodity ICT equipment, lifespans of mobile radio networks can be an order of magnitude longer – a network can be used by an organization for several decades before it is upgraded or replaced with newer technology. This reflects both users’ need for consistency in mobile radio systems and the relative stability of user requirements.

1.2.1 The market for mobile radio networks.

Bekkers (2001) divides the market for mobile radio networks into three segments: private mobile radio (PMR), public access mobile radio (PAMR) and public safety networks. PMR networks are owned by the user organization and often have only local coverage. PAMR networks can have regional or national coverage and are operated by commercial network operators that sell mobile radio services to customers. Public safety networks are operated by government agencies and commonly have national coverage. They are intended for use by public safety organizations such as police, fire departments and ambulance services. Until the 1980s, when the first PAMR operators appeared, all mobile radio networks were PMR networks. Similarly, until the emergence of national public safety networks in the early 2000s, public safety organizations generally depended on fragmented, and often outdated, PMR networks.

The market for mobile radio systems is significantly smaller than the market for most other ICT systems, including mobile phone systems. There are a handful of manufacturers of high-end mobile radio systems that offer base stations, switching and management infrastructure (SwMI), and other network components. The two largest, Motorola and Airbus, together have over 70% of the market share. While the major suppliers also manufacture and sell radios, several smaller companies are also active in this market segment. System integrators provide the services needed for system owners to set up and configure working networks that meet their operational needs. For larger networks, system integration is generally done by the infrastructure supplier or a major defense integrator. Infrastructure sale and integration of small networks is generally done by resellers in the local market. Public safety users make up 60%–70% of the market value for high-end digital PMR systems. Mass transportation users make up a further 15%–25%, and critical infrastructure users 10% (Ecorys, 2009).

1.2.2 TETRA.

The TETRA standard was developed by the European Telecommunications Standards Institute (ETSI). Development started in 1989, and the first TETRA system became operational in July 1997. The standard shares similarities with GSM, which was also developed by ETSI. Among the design goals was that there should be a common air interface, providing interoperability between TETRA networks and ensuring a working market with multiple equipment suppliers. The interfaces within a TETRA network, such as between base stations and the SwMI, are not standardized. This means that once network owners have selected an infrastructure vendor, they are effectively locked in. In the default trunked mode, TETRA radios communicate with base stations connected to the network’s SwMI, much like cellular telephones. A direct mode feature also exists, where communication takes place directly between radios, like in a walkie-talkie system. TETRA can support numerous users and talk groups on a single pair of base station frequencies, making it very spectrum efficient compared to analog systems (Bekkers, 2001).

Previous research on TETRA security has focused on technical security issues with the air interface protocol, which is the standardized protocol used for communication between radios and base stations. Duan et al. (2013) as well as Liu and Li (2023) have found vulnerabilities in TETRA protocols using formal analysis methods. Pfeiffer et al. (2016) describe and demonstrate location privacy issues of TETRA and other digital trunked systems where radios regularly communicate with base stations. They also demonstrate attacks on radio availability using specially crafted messages.

Meijer et al. (2023) present numerous security issues in the TETRA standards and the first public descriptions of three of the four TETRA encryption algorithms (TEA). The presented algorithms include TEA1, intended for non-government use in Europe; TEA2, intended for government use in Europe; and TEA3, intended for government use outside Europe. The work revealed that TEA1 was deliberately rigged to be insecure – its 80-bit key is compressed into a 32-bit key used for the actual encryption – making it trivial to perform a brute-force key search. The authors also present practical meet-in-the-middle attacks on the TETRA subscriber identity encryption scheme. A keystream reuse attack, first discovered by McHardy et al. (2011) in the context of DECT cordless phones, is presented. In this attack, a fake base station is used to trick a radio into becoming a keystream oracle. A session key pinning vulnerability in the TETRA protocol is also presented.

Clark et al. (2011) investigated the use of APCO P25, the dominant standard in North America, by law enforcement agencies in the USA. They present security issues in the standard, including attacks on availability. They also identify usability problems that result in users transmitting in cleartext, although intending to transmit in encrypted mode. The authors claim that they “monitored sensitive transmissions about operations by agents in every Federal law enforcement agency in the Department of Justice and Department of Homeland Security” when they listened to P25 communication in metropolitan areas.

Glass et al. (2012) describe how protocol vulnerabilities in P25 mean that an attacker can assume the identity of any authenticated radio. They also describe Motorola’s proprietary Advanced Digital Privacy (ADP) cipher and attacks on availability using the standard’s inhibit commands.

Surveys and interviews have been used in research on the security of radio communication systems used in civil aviation. Notably, Strohmeier et al. (2017, 2019) perform a survey of aviation professionals (pilots, air traffic controllers, engineers, etc.) to gauge their impression of the security of 15 different communication systems used in civil aviation. They compare the results of the survey to academic results and find that the majority of survey participants perceive security in the systems to be better than it actually is. For example, many aviation professionals believe that the communication systems are authenticated when they, in fact, are not. Overall, the paper describes a large gap between professionals’ perceptions of security and the actual security of communication systems.

The survey performed by Strohmeier et al. (2017, 2019) concerned completely different radio communication systems than the one covered here. However, civil aviation communication systems have many similarities with mobile radio networks. Indeed, airports are among the critical infrastructures that often use TETRA networks for coordination of operations.

We collected data through semi-structured interviews with representatives for organizations that own TETRA networks in Sweden. All registered owners of TETRA networks in Sweden were contacted to request interviews. To find them, we leveraged the fact that all TETRA networks must have a unique mobile network code (MNC). In Sweden, MNCs are assigned by the Swedish Post and Telecom Authority (Post- och telestyrelsen, PTS), the Swedish regulator of radio communications. We requested and obtained all applications for and assignments of TETRA MNC codes from PTS. In total, 41 MNCs were assigned for use by TETRA networks in Sweden. Five organizations had two, and one had three MNCs registered, indicating that the total number of TETRA network owners in Sweden is 34 [1]. We reached out to system owners in each organization through email addresses listed on their websites and in MNC applications to ask for participation in interviews. In cases where we received no response, we sent at least one reminder email. Out of the 34 registered TETRA network owners, 11 (32%) elected to participate in the study and were subsequently interviewed. Three organizations (9%) explicitly declined participation. One organization claimed to have sold their TETRA network, which we could later confirm through the new owner’s request to PTS for deallocation of its MNC. In the remaining 19 cases (56%), we received either no response at all or the organization representative stopped replying to emails without explicitly declining participation. A full list of participants is presented in Table 1. The interviewed organizations represent a wide range of users and applications, include both government and private entities, vary in size and are spread across the country.

Table 1. Organizations participating in the study

| ID | Organization type | Network size |
|---|---|---|
| O1 | Public transport operator | Regional |
| O2 | Industry | Local |
| O3 | Government agency | Local |
| O4 | Tourist destination | Local |
| O5 | Government agency | National |
| O6 | Industry | Local |
| O7 | Tourist destination | Local, multiple sites |
| O8 | Industry | Local |
| O9 | Major infrastructure operator | Local, multiple sites |
| O10 | Tourist destination | Local |
| O11 | System integrator | Local |

Source(s): Authors’ own work

Ten of the 11 interviews were conducted on-site at the organization, and one was conducted via a video call (O2). In one of the on-site interviews (O9), the interviewees did not consent to recording the interview. Instead, the interviewer took notes by hand. In six of the interviews, a single representative of the organization was present (O1, O2, O5, O6, O7, O10). In the other five interviews, two or more representatives were present during the interview (O3, O4, O8, O9, O11). The typical interview length was around an hour, with the shortest taking 41 min and the longest 171 min. The transcribed interviews, covering over 123,000 words, provided a unique insight into the role that digital radio communication networks play in a wide range of applications.

The full interview schedule for the semi-structured interviews is provided in an appendix. The questions in the schedule were not asked verbatim. Instead, they served as a guide to the interviewer during the conversation. The interview questions had four different themes. The initial questions concerned general information about the organization, its TETRA network, and why and when it was introduced. The next set of questions concerned perceived security threats and vulnerabilities to the organization, with a focus on its TETRA network, including incident management. A third set of questions was scenario-based, focusing on what would be the consequences for the organization of attacks on confidentiality, integrity or availability. The interviews were concluded with a short summary of what had been discussed, after which the interviewees were given the opportunity to add any information they felt had not been mentioned previously.

Following the on-site interviews, the interviewer offered to show the interviewees how a software-defined radio (SDR) device can be used to monitor TETRA traffic. Although not part of the interview, this gave the opportunity for a more informal chat about TETRA security and allowed interviewees to see how their networks could be monitored with SDRs.

All interviews were conducted in Swedish, and the quotes provided here have been translated by the authors. An automatic transcription tool, Whisper (Radford et al., 2023), was used to transcribe the interviews. All automatic transcriptions were manually corrected and verified against the recording. For thematic analysis, the transcriptions were manually coded using QualCoder (Curtain, 2023), a qualitative analysis software.

The study did not require ethical review according to the Swedish Ethical Review Act. Before each interview, the interviewees were informed that participation in the study was voluntary and that they may be quoted. They were also promised pseudonymity. The same information was also provided in the invitation email. For all recorded interviews, permission to record was obtained beforehand. Participants were also offered copies of the transcribed interviews.

Describing vulnerabilities or highlighting lesser-known technologies could help or inspire criminal acts against the systems described. Many of the organizations interviewed for this study operate critical infrastructures, where disruptions can cause major impact. To limit the spread of details about individual TETRA networks and to encourage participants to share information candidly, the interviewees have been pseudonymized. Some of the interviewed organizations have unique characteristics that are impossible to make completely anonymous in the descriptions. In cases where this could be an issue, this was discussed with the interviewees, who all acknowledged and accepted that risk.

The results are presented here, organized around the key themes identified in the thematic analysis: how organizations use TETRA networks, TETRA network life cycles and management, user satisfaction, information security requirements, the perceived sensitivity of TETRA networks and licensing issues.

Apart from two exceptions detailed later (O3, O11), all interviewed organizations use their TETRA systems for voice communication in support of their core business. For industries, this is often in the form of communication between workers on production lines and between production lines and control rooms (O2, O6, O8). A majority of interviewees mention that their TETRA networks play an important role for safety or security in their operations, most often safety (O1, O2, O4, O5, O6, O7, O10):

You want to be able to have that contact with the control room, so that when I’m out here, can I do this and that? […] There are many inspection rounds when we are in operation. […] You want eyes out there, so that’s why there are many rounds, and then you want contact with the control room (O2).

Organizations acquire TETRA networks to support core business processes. In many organizations, the use of TETRA has spread to include other users, such as security guards, cleaning staff and maintenance staff (O1, O2, O4, O6, O7). While the regional and national networks were intended from the start to be used by multiple organizations, this was generally not the case for the smaller local networks. Despite this, some of them have expanded to include external users such as other organizations in the coverage area or industrial fire brigades, often charging only minor fees for this privilege (O1, O2, O7, O8, O9). This is likely because of the low marginal cost of adding additional radios and talk groups. In contrast to traditional analog radio communication networks, no hardware changes or additional frequency allocations are necessary. One interviewee mentioned that a key reason for granting neighboring companies access to their network was that it simplifies coordination and communication in emergencies (O2). Another organization keeps a radio earmarked for emergency services in their guardroom (O6). One of the tourist destinations has distributed radios to a local health center and emergency service units to enable rapid coordination when accidents occur (O7).

4.1.1 Sizes of networks.

Networks typically have between 100 and 500 radios, mostly handheld (O2, O4, O6, O7, O10). In some cases, radios are personal, with the number of radios corresponding to the total number of users in the system (O2). More commonly, radios are shared between shifts, meaning that the total number of users is significantly larger (O1, O6, O7, O8). Three networks are significantly larger than the others: a government public safety network with close to 100,000 users (O5), a public transport operator with 5,500 radios and up to 3,000 simultaneous users (O1) and a major infrastructure operator that likely has more than 1,000 users (O9). Two networks that are exclusively used for testing purposes only have a handful of radios (O3, O11).

The size of the covered area also varies among the networks. Most networks cover only a small area, such as a single factory (O2, O3, O4, O6, O8, O10, O11). Some have a single base station, but multiple base stations appear to be common even among small users (O2, O6, O8). One of the networks, a public safety network, has national coverage (O5). A public transport operator’s network has coverage in its entire area of operations, a large metropolitan area (O1). Another two networks have coverage in multiple geographically separate areas, where the owners have operations (O7, O9).

4.1.2 Network features used.

By far the most commonly used feature of the TETRA networks is group calls in talk groups. This is also the intended primary use for the TETRA standard. Organizations report a high degree of satisfaction with the ability to separate different user groups and activities into different talk groups. This is significantly easier in TETRA than in traditional analog systems, where a separate frequency allocation would be required for each channel. In older analog systems, there was a risk of misunderstandings because different parts of the organization were forced to share a single frequency:

We had a number of incidents [where they] stopped the wrong machine. They were on the same channel and then someone yelled to push the emergency stop. They heard it in the other machine and pushed the emergency stop. […] But when we stop them, the product becomes defective. Such a stop can cost anything from one to 10–15 million [Swedish kronor] (O6).

Such risks were said to be mostly eliminated after transitioning to TETRA networks, where different parts of the organization, production lines or tasks with high demand for coordination could be given separate talk groups (O6, O7). Interviewees also mentioned the ability to connect “private” calls to have longer conversations that would be disturbing to have on a talk group with many users or moving such conversations to dedicated talk groups (O1, O2, O7).

When asked about the TETRA short data service (SDS), which is used to send short text messages or other data, interviewees generally indicated that it was sparsely used or not used at all. A number did, however, mention the use of applications that leverage SDS, such as pre-programmed fixed messages, positioning of users and automatic alarms in case of detected falls or inactivity (O1, O2, O5, O6, O7). One mentioned use is for telematics, such as opening gates or remote control of equipment, and for broadcasting information from dispatch operators to groups of users, with millions of SDS messages sent each day (O5).

4.1.3 Frequency of use.

Utilization of the TETRA networks is high. Industries, public transport, infrastructure operators and the national public safety network have round-the-clock operations, meaning that their TETRA networks are in near constant use (O1, O2, O5, O6, O8, O9):

Yes, it is used every day. All the time. […] It has been a while since I was in [the system] and looked at it, but I think we have two-three calls going on constantly (O6).

So they, this is really used by them all the time (O8).

4.1.4 TETRA networks used for testing purposes only.

Two organizations state very different uses for their TETRA networks. One, a government agency, has a system that is a close, but significantly smaller, copy of the infrastructure of a large national TETRA network (O3). This smaller network is regularly used to train network operators and test software and configurations. The use of a separate network for this is said to make possible tests and training scenarios that cannot be performed in a network in active use because they would be disruptive to operations. Another organization, a system integrator, integrates TETRA systems with other complex systems that are sold to military customers (O11). In these systems, the TETRA network is used for real-time voice communication. The system integrator’s use of their TETRA network is limited to testing the functionality and validity of different configurations and software versions:

It’s really not interesting what we use our TETRA system for here at the company. We really only use it to test its capabilities. That it can do what we have said it can do. Then we deliver it to customers […] (O11).

4.2.1 Vendors and manufacturers.

Two resellers of TETRA systems appear to dominate the Swedish market. They provide a full range of products and services related to TETRA and other technologies, such as DMR or analog radio systems. Typically, most of the work involved in setting up a TETRA system is performed by a reseller. This includes designing and documenting the system implementation, installation, testing, training users, maintenance and support. The largest network infrastructures are generally not bought from resellers but directly from the major system manufacturers, Airbus and Motorola.

4.2.2 Choice of TETRA as technology.

All nine interviewees that use the TETRA network to support their core business said that it was acquired to replace a previous analog radio system (O1, O2, O4, O5, O6, O7, O8, O9, O10). While TETRA is the dominant technology for high-end mobile radio in Europe, there are a number of less advanced options that may also fit the needs of many smaller organizations in need of radio communications. They include mobile telephony-based solutions, DMR and analog trunked or repeater-based systems. Reasons for choosing TETRA differ between organizations. Some were offered different options by their reseller and chose TETRA based on a cost-benefit analysis (O2, O4, O7, O8). Others had decided on TETRA before contacting a reseller (O6, O10). A number of interviewees mentioned that they selected TETRA either based on direct previous experience with other TETRA networks, such as the Swedish national public safety network, or following contacts with competitors that owned TETRA networks (O6, O7, O8, O10). These positive experiences and reports had prompted them to look toward that technology.

4.2.3 Operation and maintenance.

Operational experience with TETRA networks among the interviewed organizations ranged from two decades (O1, O3) to just a few months (O10). Except for a few large networks (O1, O3, O5), network owners do not have in-house staff with the skills necessary for maintaining the network. This is a deliberate choice because running the TETRA network is not a core business process. Instead, network owners rely on resellers for practically all system maintenance. Some keep a small stock of spare parts or have equipment for configuring radios using configuration files provided by their reseller (O3, O6, O7, O8). A virtual private network (VPN) connection to a TETRA network can be set up to enable the reseller to perform administration or maintenance remotely, such as setting up new talk groups or investigating faults (O1, O2, O7).

The heavy dependence on the resellers means that organizations have few resources to discover security incidents by themselves. One interviewee even indicated that without assistance from their vendor, they would likely not be able to identify that a problem with their TETRA network was because of a security incident (O6). This reflects how rare it is for organizations to perform monitoring of their TETRA networks, other than occasionally checking logs for error messages. Many appeared to lack formal procedures for handling security incidents in their TETRA networks (O2, O4, O6, O10). Some indicated that their first action in case of a security incident would be to contact their reseller (O4, O6, O7).

4.2.4 Plans for replacement.

The majority of TETRA owners have no current plans for replacing their TETRA networks, as long as there are spare parts and support available (O2, O4, O6, O7, O8, O9, O10, O11). Three interviewees, including owners of the two largest networks, indicated that they intend to replace their TETRA networks before the year 2030 (O1, O3, O5). The reasons for this included a perception that TETRA was about to become a legacy standard and needs for more advanced network services that require high-bandwidth communications. The intended replacements are technologies based on 4G and 5G mobile telephony (O1, O5):

The only question I ask […] is really for how long Motorola can deliver spares and upgrades. I’ve been told that there is no end date from Motorola’s end. The base stations I plan to buy next year are exactly the same as the ones I bought ten years ago (O6).

A common trend throughout the interviews was that network owners and users are very satisfied with their TETRA networks. Users praised features such as ease of use, sound quality, multiple talk groups, reliability and expandability. A single interviewed organization indicated otherwise, saying that users were increasingly relying on mobile phones instead of their TETRA radios (O8). Few interviewees could recollect any serious malfunctions, apart from occasional broken radios. Organizations that had selected between TETRA and competing technologies, such as DMR, expressed satisfaction that they had gone with TETRA, despite its higher price. Cited reasons for this included higher quality equipment, better functionality, perceived higher security and potential interoperability with other TETRA systems (O2, O4, O7):

If we compare to the old [system], the devices were cheaper and the quality was not as good. Quality has in this case beaten a cheaper option (O4).

The interview schedule included a question on whether the organization considered its TETRA network mission-critical. The vast majority of interviewees answered this question with yes. Three (O3, O6, O11) answered with no, and one (O9) declined to answer. The three organizations that answered no include the two organizations that use their networks for testing purposes only (O3, O11). Most of the yes answers were clear, but some were combined with statements that the organization would likely be able to continue operations even if the network became unavailable:

Yes, I guess that would probably be the case. It would be. But you’d still find a way to make things work (O10).

That the networks are considered mission-critical is also reflected in how the networks are implemented. Many networks are built with redundancies to be able to continue operations in case of equipment faults. Redundancies mentioned include duplication of parts of the infrastructure, such as base stations and servers (O1, O2, O5, O6, O7, O8). Six interviewees mentioned that they have battery backups for the fixed parts of their infrastructure (O1, O4, O5, O7, O8, O10).

4.4.1 Dependencies.

Use of TETRA systems for direct control of operations seems rare. No examples of core business operations being directly dependent on TETRA networks were found in the collected data. However, indirect dependencies exist because the primary use of the networks in the studied organizations is generally coordination of operations. For example, two interviewees representing critical infrastructures stated that their operations would have to be stopped or be forced to operate at decreased capacity if their TETRA network became unavailable (O1, O5). One of them went so far as to say that disruptions of their TETRA network could cause loss of life (O5). Two of the industry interviewees stated that, while they would likely not stop production in case of disrupted functionality, they would be hesitant to start new production runs if their TETRA network was not functional (O2, O6).

The position held by a majority of the interviewees was that, while disrupted functionality in their TETRA network would lead to friction of various degrees, it would not significantly affect their core operations. Interviewees representing tourist destinations stressed that their business is of lesser importance to society at large and that the impact of disruptions would be mostly limited to unhappy customers (O4, O7, O10).

When asked about the need for and consequences of loss of confidentiality and integrity, interviewees generally downplayed the issue. They emphasized that radio conversations do not contain company secrets or personal information and that the consequences of eavesdropping would be very limited. Many said that they would not care if outsiders listened in on their conversations (O2, O4, O6, O7, O9, O10, O11). Likewise, the responses indicated that the importance of location privacy for radios was low, but a few interviewees recognized that locations of staff with security duties could be considered sensitive (O1, O3, O4).

Interviewees considered integrity more important, saying that unauthorized transmissions on the network could have effects such as confusion, risk of personal injury or stopping industrial processes, causing substantial costs (O1, O4, O5, O6, O8, O10). The national public safety network is a notable exception, mentioning confidentiality and integrity as very important for its users. In some applications, radios with end-to-end encryption are used to ensure this (O5).

The most likely risk to confidentiality and integrity in TETRA networks is considered to be loss of radios, because they can easily be used for listening or transmitting on the network. Loss and theft of radios has occurred in a few cases (O1, O3, O6, O7). A few of the network owners mentioned routines for promptly removing lost or stolen radios from the network (O1, O3, O5, O7).

A majority of the interviewees stated that TETRA networks are harder to listen in on than analog technologies (O1, O2, O3, O4, O6, O7, O8, O10). Many appeared to have conflated the digital channel encoding used by TETRA with cryptography. When asked to clarify, most indicated that they understood that the communication was unencrypted, but that the complex digital protocol made unauthorized monitoring significantly harder. One interviewed organization stated that a major part of their reason for moving to TETRA from an analog system was that it is harder to eavesdrop on (O4):

Before, when we had the analog system, people sat down at the campsite here and listened to our traffic, and now it is at least a bit harder I think. Not as easy in any case. So yes, that’s important for us too (O10).

In one case, the interviewees were certain that their network was encrypted until the interviewer demonstrated the SDR receiver post-interview and the ability to monitor communication in real time took them by surprise (O4).

4.5.1 Personal data security.

Although TETRA systems are generally considered harder to monitor by the organizations that own them, rules against transmitting personal data over the TETRA network are common where networks are used for safety and security purposes. Some interviewees said that they had rules that prevented such communication or limited it to information that could not uniquely identify an individual but admitted that users are occasionally careless (O1, O7, O10).

4.5.2 Loss of confidentiality.

Some interviewees said that they had been aware that eavesdropping occurred on their older analog radio communications (O1, O2, O4, O7, O10), and two organizations mentioned that they had experienced incidents where deliberate unauthorized transmissions had taken place (O1, O4). In all cases, eavesdropping and unauthorized transmissions appeared to have been eliminated by the switch to digital communications.

One interviewed organization said that they were aware, through Internet forums, that people were listening in on their communication. This had prompted the organization to introduce TEA1 encryption for some of their users. The action appeared to have been effective since the online discussions stopped. The majority of traffic on that organization’s network is still unencrypted. The interviewee stated that the impact of this was very small and that replacing all the organization’s radios with models that support encryption would be prohibitively expensive (O1).

When contacting potential interviewees during the early stages of the project, it became apparent that many TETRA network operators consider their networks sensitive. These very security-conscious organizations can be contrasted with other interviewees in the study who stated that they had never considered security issues related to their TETRA network. While it is hard to draw any conclusions from non-responses, we believe that some of them were because of the organizations not wanting to discuss their networks at all. A system owner at a nuclear power plant responded, saying he would ask for permission within his organization. Following this, he never responded again and did not reply to reminder emails. Another organization, a large government agency, declined participation through a notably brusque official letter. Three interviewees explicitly said that they had performed background checks on the interviewer before agreeing to the interview (O1, O4, O9).

The organization that did not consent to recording the interview stated that this was because of the sensitive nature of their operations, which are considered a significant target for terrorist attacks. They said that they were very careful about what information about their network becomes public and did not want to give threat actors ideas or inspiration for attacks. That interview also stood out in that the interviewees declined to answer the majority of questions, with the same motivation. This included seemingly non-sensitive questions, such as the number of users or if they consider the network to be mission-critical. Although they saw many “downsides” to agreeing to an interview, they said that they were interested in contributing to research, because this could help both them and other TETRA users (O9).

Although hard to prove conclusively, these experiences indicate that there may be a group of TETRA network owners that regard their networks as sensitive because of their importance for core business operations or critical infrastructure. The organization mentioned above (O9) may well be an example of such an organization, which, despite their view of their system as very sensitive, agreed to an interview.

In its request for an MNC allocation from PTS, one of the organizations that declined participation in the study explicitly requested that the number of radios and locations of base stations not be released. The request cited a regulation that exempts the release of information related to risk and vulnerability analyses related to peacetime crisis situations. That information, and descriptions of system architecture, was redacted in the documents released to us by PTS. Similar redactions were also made by PTS in descriptions of other networks. We interpret this as an indication that information about certain aspects of the architecture of TETRA networks is considered sensitive, not only by some network owners but also by the regulator:

Things have ended up under confidentiality here with us. Infrastructure and specifically also some of these more sensitive things like radio communications. But there are still so many open sources (O1).

In some cases, this view of the TETRA networks as sensitive appears warranted, as some are used to directly or indirectly coordinate critical infrastructures, including public transport, power plants and emergency services. The interviewee from one of these operators stated that they were aware of concrete attempts by outside actors to access the core of their TETRA network, which included key personnel being approached by foreign intelligence services [2].

The functionality available in TETRA networks and radios is controlled by licenses bought from radio and network manufacturers. This includes the number of users supported by the network, the number of talk groups, the number of carrier frequencies per base station as well as security features such as encryption and authentication. The correct combinations of licenses must be present in both the network and radios for the system to function as intended. Interviewees described that ensuring this can be a complex task (O1, O11):

If you want TEA1 in the radios […] you have to replace all of them. […] Because they were procured without the TEA1 option. […] Yes, it is costly to do that. Motorola charges for their licenses when they open them up in the [network] core, of course, and then you get a bank of so-and-so many radios. If you want more, then you’ll have to look at the next line in the price list. […] Then you have to change radios and ask the radio vendor to open up for TEA1. In some cases it’s just a software change, but they want to be paid for that as well, of course. So there is a cost (O1).

Our goal was to investigate how user organizations handle information security in their TETRA networks (RQ1) and the potential consequences of attacks (RQ2). The results show that organizations handle TETRA networks differently than other IT systems. Often, the networks are barely regarded as IT, and their management is outsourced. A handful of employees at two resellers handle maintenance and support for the vast majority of Swedish TETRA networks. Therefore, knowledge is scant about the state of security or the possible implications of attacks on the networks. Simultaneously, organizations grow increasingly dependent on their radio communication networks, as they become frequently used throughout the organization and sometimes even by neighboring organizations. The organic spread of usage within organizations and the lack of institutional knowledge mean that the full extent of dependencies between radio communication networks and core operations is obscured. Consequently, this increases the risk that security phase changes (Ghena et al., 2014) resulting from technological shifts – such as replacing an analog radio network with a digital one – introduce new attack surfaces that go unnoticed and may remain unknown for a long time.

Organizations acquire and use digital mobile radio communication networks to support their core operations that require frequent communication. The minute-by-minute coordination of operations enabled by the networks creates strong indirect dependencies between the networks and users’ core operations. This is largely intentional because the requirement for rapid high-availability communication is what made the organizations acquire a mobile radio communication network in the first place. Based on examples provided by interviewees, we believe it is possible to cause interruptions in several industry or critical infrastructure operations by attacking the availability and integrity of TETRA networks. As previous research has shown, this can be relatively easy (Pfeiffer et al., 2016; Meijer et al., 2023).

There exist operations that would cease almost immediately if TETRA communication became nonfunctional. Furthermore, unauthorized messages sent via the TETRA network could lead to expensive damage to industrial processes or personal injury. In other words, loss of availability or integrity of communication networks can affect operations quickly and directly. Although no examples of deliberate attacks on TETRA networks were reported in the interviews, two organizations had experienced attacks on their previous analog networks. This, and the fact that foreign intelligence services have shown active interest in gaining access to the networks, indicates that there exist actors with the will and ability to carry out attacks.

In contrast to the importance of availability and integrity, the results indicate that consequences of loss of confidentiality would be lower for most TETRA users. This may explain why encryption is rarely used in practice in TETRA networks. It also provides insight into the impact of the recently reported vulnerabilities in the TETRA encryption algorithms (Meijer et al., 2023). However, considering the importance of integrity and availability, it does not explain why authentication is also rare. Part of the explanation likely lies in the high trust user organizations place in technical complexity as an obstacle for attacks on TETRA networks. Lack of known incidents, together with the high quality and reliability of TETRA networks and equipment, appears to have contributed to users’ perception of their TETRA networks as secure. This mirrors results from the aviation domain that show large gaps between perceived and actual security in communication systems (Strohmeier et al., 2017, 2019). Nevertheless, procedures to prohibit or minimize the transmission of confidential or personal information are often in place, indicating that the level of trust is limited.

The majority of users are not currently considering replacing their TETRA architecture, and few alternatives exist. At present, the main competitors are 4G- and 5G-based technologies. The complexity and cost of managing licenses for authentication and encryption constitute a barrier to users’ ability to transition their existing systems to more secure configurations and to replace the insecure TEA1 algorithm. Consequently, network owners remain stuck with the security choices they made when their systems were first acquired. As circumstances change, they are forced to rely on less effective methods for protecting their networks, such as attempting to limit the spread of information about them. This emphasizes the importance of designing communication standards with expandability and forward compatibility in mind.

The combination of TETRA networks’ importance for core operations, lack of security features in networks and limited internal competence could well be the reason why many of the contacted organizations exhibit a guarded behavior concerning their TETRA networks. This has similarities with the experiences reported by Strohmeier et al. (2019), who attempted to post a link to a questionnaire in eight large aviation-related online forums. Only two forums allowed the link to be posted after thoroughly verifying the researchers’ credentials. Two of the forums that did not allow posting of the link cited concerns about possible negative publicity for the aviation sector that could result from reporting on security issues.

This paper has investigated security implications for organizations through interviews with system owners. Replicating the study, either in another geographic context or with different technologies, such as P25 or DMR, could provide a more nuanced understanding of security challenges related to digital mobile radio communication networks. One of the findings of this study was that system owners generally have limited knowledge about the technical details of their TETRA systems. However, many details relevant for the security of TETRA networks may not be possible to capture through interviews. Complementary technical data about the use and security configuration of TETRA networks can be captured by observing the air interface, such as in the work of Clark et al. (2011). Considering the importance of the resellers for the TETRA networks, future work that captures their views and experiences might also provide important insight. Additionally, to better understand digital radio communication networks from an information security perspective, it may be necessary to develop new methods to model them.

A particularly interesting finding was that a number of the interviewed organizations had chosen TETRA for the radio communications based on first- or second-hand experience with other TETRA networks, including experiences from direct competitors. This closely mirrors the mechanisms described by Rogers (2003) in his seminal work on the diffusion of innovations. Further research into how ICT systems spread as innovations among users could help improve the understanding of the mechanisms that underlie user decisions that affect security.

While previous work on TETRA security has focused on technical vulnerabilities in TETRA authentication and encryption (Duan et al., 2013; Liu and Li, 2023; Meijer et al., 2023; Pfeiffer et al., 2016), the present survey has, for the first time, looked at how the networks are actually used from a security perspective and how vulnerabilities might affect users. Most users’ core operations would quickly be affected if availability or integrity in their TETRA networks were compromised. In such cases, some industry and critical infrastructure users would have to significantly limit their operations or stop them entirely. Despite these risks, encryption and authentication are rarely used. Outsourcing of maintenance and support has contributed to a significantly limited understanding in most user organizations of the full range of security risks and attack surfaces associated with their TETRA networks. At the same time, the complexity and cost of licensing make it hard to transition to more secure configurations. Instead of effective security controls, users mainly rely on the TETRA standard’s technical complexity and limiting the spread of information to prevent attacks. Together, these factors create a risky situation in which a system critical for society is seldom updated; expertise is scarce; and users have both limited understanding of security risks affecting their core operations and limited options for remedying them. We argue that this unique situation warrants an abundance of caution. To ensure that digital radio communication networks are sufficiently secure, it is necessary to treat them as the IT systems that they are, with the associated requirements on monitoring, updates and competence.

1. Related research, not presented here, suggests that there may be around 25 additional TETRA networks in Sweden whose MNCs were not included in the TETRA assignments we received from PTS. The reason for this is not known to us. The owners of the networks not present in the PTS documents were not contacted for this study.

2. Because of its sensitive nature, we have chosen not to indicate which organization provided this information.

Bekkers, R. (2001), Mobile Telecommunications Standards: GSM, UMTS, TETRA, and ERMES, Artech House, Boston, MA.

Clark, S., Goodspeed, T., Metzger, P., Wasserman, Z., Xu, K. and Blaze, M. (2011), “Why (Special Agent) Johnny (still) can’t encrypt: a security analysis of the APCO Project 25 two-way radio system”, Proceedings of the 20th USENIX Security Symposium, pp. 49-64, available at: www.usenix.org/legacy/events/sec11/tech/full_papers/Clark.pdf

Curtain, C. (2023), “QualCoder 3.5”, available at: https://github.com/ccbogel/QualCoder/releases/tag/3.5

Dansarie, M. (2024), “Security issues in special-purpose digital radio communication systems: a systematic review”, IEEE Access, Vol. 12, pp. 91101-91126, doi: .

Duan, S., Mjølsnes, S.F. and Tsay, J.-K. (2013), “Security analysis of the Terrestrial Trunked Radio (TETRA) authentication protocol”, Norsk Informasjonssikkerhetskonferanse [Norwegian Information Security Conference] (NISK), Vol. 2 No. 1, pp. 88-99, available at: https://hdl.handle.net/11250/2391806

Ecorys (2009), “Study on the competitiveness of the EU security industry”, available at: www.decision.eu/wp-content/uploads/2016/11/Study-on-the-Competitivenessof-the-EU-security-industry.pdf

Ghena, B., Beyer, W., Hillaker, A., Pevarnek, J. and Halderman, J.A. (2014), “Green lights forever: analyzing the security of traffic infrastructure”, 8th USENIX Workshop on Offensive Technologies, WOOT 2014, available at: www.usenix.org/system/files/conference/woot14/woot14-ghena.pdf

Glass, S., Muthukkumarasamy, V., Portmann, M. and Robert, M. (2012), “Insecurity in public-safety communications: APCO Project 25”, Security and Privacy in Communication Networks, pp. 116-133, doi: .

Liu, M. and Li, H. (2023), “A Formal analysis of emergency communication system based on model checking”, 2023 IEEE 13th International Conference on Electronics Information and Emergency Communication (ICEIEC), pp. 22-26, doi: .

McHardy, P., Schuler, A. and Tews, E. (2011), “Interactive decryption of DECT phone calls”, Proceedings of the Fourth ACM Conference on Wireless Network Security, WiSec ’11, pp. 71-78, doi: .

Meijer, C., Bokslag, W. and Wetzels, J. (2023), “All cops are broadcasting: TETRA under scrutiny”, Proceedings of the 32nd USENIX Security Symposium, pp. 7463-7479, available at: www.usenix.org/conference/usenixsecurity23/presentation/meijer

Park, Y.S., Kim, C.S. and Ryou, J.C. (2010), “The vulnerability analysis and improvement of the TETRA authentication protocol”, The 12th International Conference on Advanced Communication Technology (ICACT), pp. 1469-1473, available at: www.icact.org/upload/2010/0423/20100423_finalpaper.pdf

Pfeiffer, M., Kwiotek, J.-P., Classen, J., Klose, R. and Hollick, M. (2016), “Analyzing TETRA location privacy and network availability”, Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM, Vol. 16, pp. 117-122, doi: .

Radford, A., Kim, J.W., Xu, T., Brockman, G., Mcleavey, C. and Sutskever, I. (2023), “Robust speech recognition via large-scale weak supervision”, Proceedings of the 40th International Conference on Machine Learning, pp. 28492-28518, available at: https://proceedings.mlr.press/v202/radford23a/radford23a.pdf

Rogers, E.M. (2003), Diffusion of Innovations, 5th ed., Free Press, New York, NY.

Strohmeier, M., Schafer, M., Pinheiro, R., Lenders, V. and Martinovic, I. (2017), “On perception and reality in wireless air traffic communication security”, IEEE Transactions on Intelligent Transportation Systems, Vol. 18 No. 6, pp. 1-20, doi: .

Strohmeier, M., Niedbala, A.K., Schäfer, M., Lenders, V. and Martinovic, I. (2019), “Surveying aviation professionals on the security of the air traffic control system”, Security and Safety Interplay of Intelligent Software Systems, CSITS ISSA 2018, pp. 135-152, doi: .

The full interview schedule, translated from Swedish, is provided here.

Present the purpose of the research and the interview

My research concerns security in radio communication systems. There are major gaps in the knowledge on security in digital radio communication systems, in particular concerning the organizations that use them and their views on security. I have chosen to focus on TETRA for this study because it is used by many organizations. The hope is to capture a wide range of experiences. All organizations use their TETRA systems in different ways and have widely different needs for security, so not all questions may fit your particular situation. Do not look at this as a test – there are no correct answers. I am just interested in how things look in real life.

This is a so-called semi-structured interview. It is basically a normal conversation based on a number of prepared questions and topics. I will record the interview so that I can transcribe it later. All results from the interviews will be pseudonymized, so it will not be possible to tell from the article which person or organization made a particular statement. Participating and answering questions is, of course, voluntary. If there is a question you do not wish to answer, just say so. The interviews will be destroyed once the article has been published.

Basic facts

  1. What does the company/agency do? (Short answer)

  2. What do you do here?

  3. What are your tasks related to the network?

  4. What did you think when you got my interview request? (Re security, without mentioning that word.) Were there any internal discussions?

  5. Tell me about your TETRA network:

    • Do you have a name for it?

    • What is it used for? Only speech? Data?

    • Who is using it? How many?

    • Where is it used?

    • When is it used?

    • How often/how much is it used?

    • Are there connections to other IT systems?

    • Is there roaming?

  6. What does the organization that manages your TETRA network look like?

    • How many employees?

    • Tasks?

    • Have you used consultants? What did they do?

  7. Do you know why TETRA was chosen as technology? (As opposed to mobile telephony, walkie-talkies, etc.) Alternately: Was the choice of TETRA connected to Rakel (the Swedish national public safety network)?

  8. When was your TETRA network purchased?

  9. When was it put into service?

  10. How long is the network planned to be used?

  11. Are there plans for a replacement? Why?

  12. Are you satisfied? Does it work as it should? Does it fill your needs?

Perceived threats and vulnerability

  1. Is there a known threat linked to your operations? (Groups or people with known intentions. Crime, industrial espionage, intelligence services, etc.)

  2. Have you identified any particular threats or risks linked to the TETRA network?

  3. Is the TETRA network mission-critical for you?

  4. Do you know if there have been any security incidents linked to your TETRA network? (Eavesdropping, attempted intrusion, intrusion, interference, etc.)

  5. Follow-up question to answers to the above: Have you taken any protective measures connected to the network being mission-critical/security incidents/threats?

  6. Is there any monitoring of the network? Where/how?

  7. Is there something you would like to know about the network that you don’t?

  8. Do you feel that you have sufficient skills to maintain the security you need?

  9. Do you store information about incidents somewhere (i.e. is there a possibility to track incidents)?

  10. If there were an incident in the network, would it be reported? If so, where?

  11. Do you know where your responsibility starts and ends, i.e. what you are responsible for and what others are responsible for?

Scenario questions

  1. What would be the consequences if someone unauthorized could:

    • follow and locate users in the network (i.e. if someone is active or where they are)?

    • eavesdrop on calls and data transmitted in the network?

    • make unauthorized transmissions in the network, i.e. messages or data?

    • prevent selected users from receiving or transmitting messages/calls?

    • prevent multiple users, e.g. in a certain area, from receiving and transmitting messages/calls?

  2. Follow-up question to answers to the above: Does time play any role: short/long time?

  3. Are there any other values or risks that you associate with the system?

Closing

  1. Summarize what we have talked about:

    • the network in general;

    • threats;

    • security incidents;

    • competence and knowledge;

    • scenario questions.

  2. Is there something you feel you have forgotten or is there a question you think I have asked?

  3. Do you have any additional comments or questions?

  4. Would you like to see a transcript of the interview? If so, how do you want it?

  5. Many thanks for your participation. Your participation is important for research. This type of data cannot be obtained in any other way. I will make sure you get a copy of the research paper.

  6. Hand over business cards and contact information.

Source(s): Authors’ own work.

Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen via the link to the terms of the CC BY 4.0 licence.
