Despite the promise of 5G, in the field of PMR (Private Mobile Radio or Professional Mobile Radio) networks, where the TETRA (Terrestrial Trunked Radio) and P25 (Project 25) standards are prominent, the Digital Mobile Radio (DMR) standard remains a sound choice for professional two-way radio in wireless communications within Industry 4.0.
DMR is an open standard for digital radio communications developed by ETSI (European Telecommunications Standards Institute) and designed to offer voice, data and other complementary services; it replaces the analogue PMR model, which has certain limitations and problems.
It is used widely worldwide, from simple walkie-talkies to mission-critical systems, mainly by commercial users requiring short-range coverage, by professional users in transport, construction, manufacturing, private security and other sectors, and by the amateur radio community.
The benefits of DMR over analogue models include:
- Efficient use of the electromagnetic spectrum.
- High-quality audio, with improved noise suppression.
- Lower infrastructure cost coupled with easy infrastructure roll-out.
- Multiple voice and data applications (text messaging, GPS, call control, SCADA, telemetry...).
- Longer battery life (autonomy) for portable devices.
Several manufacturers, such as those listed by the DMR Association, endorse the standard, so long-term supply, support and product development are guaranteed, as is interoperability for basic functions.
The technical specifications making up the DMR standard are set out in the following documents: ETSI TR 102 398 (General System Design), ETSI TS 102 361-1 (DMR air interface protocol), ETSI TS 102 361-2 (DMR voice and generic services and facilities), ETSI TS 102 361-3 (DMR data protocol) and ETSI TS 102 361-4 (DMR trunking protocol).
Its most notable technical features include:
- Radio transceivers are designed to operate in the VHF (Very High Frequency) [30 MHz - 300 MHz] and UHF (Ultra High Frequency) [300 MHz - 3 GHz] radio frequency (RF) bands; each country regulates the allocation of frequencies by service.
- The RF channel bandwidth is 12.5 kHz, which, thanks to two-slot TDMA, is equivalent to two 6.25 kHz channels; the gross transmission rate is 9.6 kbps and the transmit power is variable.
- The medium access method is Time Division Multiple Access (TDMA): each RF channel is divided into two alternating timeslots, providing two independent communication paths. Each timeslot lasts 30 ms, timeslots are grouped into 60 ms frames, and their transmission requires synchronisation.
TDMA medium access method with two independent conversations over channel 1: one over timeslot 1 between bravo-alpha and one over timeslot 2 between delta-charlie.
- The transmitted RF signal uses 4-level frequency shift keying (4FSK) modulation, which gives good noise immunity.
- It can support operation from simplex to duplex. For further details, refer to table 5.2 of ETSI TR 102 398.
Schematic diagram of DMR mobile station internal processes and representation of 4FSK modulation.
- To compress the digitised voice signal so that it fits into the 12.5 kHz narrowband channel, a voice coder (vocoder) is used, AMBE+2 or one compatible with it; this is the vocoder agreed on to ensure equipment interoperability.
- DMR tiers (operating levels):
- Tier I or Direct Mode Operation (DMO). Communication is peer-to-peer, with no infrastructure involved and no licensed frequencies required. Performance is therefore limited: the radios need mutual coverage, operation is restricted to the 446 MHz band, and the access method is 12.5 kHz FDMA (Frequency Division Multiple Access) rather than TDMA.
- Tier II. Communication requires licensed frequencies and may operate either peer-to-peer or through network infrastructure (repeaters), which allows IP-based network interfaces to be used. Coverage can reach remote areas.
- Tier III or trunking mode. Communication also requires licensed frequencies and network infrastructure; coverage can be extended to remote areas and all DMR features are available. Unlike Tier II, where each user group has a fixed channel on which to communicate, Tier III assigns the communication channel automatically and dynamically from a pool of pre-assigned channels according to availability.
- It supports voice (calls) and data services, the latter based on the Packet Data Protocol (PDP), which supports both IPv4 and IPv6 Internet protocols. Transmission with these services may be unicast, multicast or broadcast. An overview of all services broken down by tier is in tables 6.1 and 8.1 of ETSI TR 102 398.
Schematic of a DMR network - tier I (left) and a tier III multi-site network (right). Source: Motorola.
All devices in a DMR network (which, because of the PDP protocol, will normally include an IP subnetwork) have a numerical identifier (ID) that plays a role analogous to an IP address; the network itself is made up of elements such as servers, controller nodes and gateways. Users access the network through repeaters (base stations) or hotspots, using a mobile station (portable or mobile radio) or a computer (dispatch solution). Gateways improve the scalability of the network, allowing it to connect to networks based on other protocols such as PSTN, VoIP, XMPP, etc. The three most widely used DMR networks worldwide are DMR-MARC (Motorola), DMRplus (Hytera) and BrandMeister.
The integrity, confidentiality and availability of information transmitted through DMR systems may be compromised by threats such as the following:
- Environmental conditions. They cover aspects such as atmospheric phenomena affecting the propagation of RF waves, the line of sight between radio transceivers or the limit area of coverage offered by these transceivers.
- Interference. Any unwanted signal overlapping the frequency band in use, degrading the communication and preventing the audio or data from being received correctly.
- Unintentional interference may come from other communications in the same band or, for example, from ambient noise where the voice message is spoken.
- Intentional interference is, above all, frequency jamming using purpose-built equipment.
- Human factor. This threat lies in the risk of mistakes in equipment settings (misconfiguration), since, for example, a mobile station must be programmed in advance with its codeplug (configuration file) before it can be used.
It also covers the possible existence of an insider in the company who may compromise the DMR network, and also the risk of theft or loss of personal radio equipment, which could end up in the hands of a malicious user.
- Vulnerabilities in the firmware of the DMR equipment.
- Interception of the communication (sniffing). A user who knows the transmission channel, has a compatible vocoder or decoder software, and has the tools to defeat any further security measures could access the information being transmitted, discover its origin and destination, whether or not it is encrypted, etc. Frequency scanners are key to this.
- Data injection through replay attacks, which succeed as long as the re-sent frame, whether voice or data, is still accepted as valid by the receiver.
- Sending remote OTA (Over the Air) commands that alter the operation or cause denial of service in devices.
- Spoofing of equipment and DMR signals after collecting the information needed about the network and the transmission, using devices such as an SDR. Thus, a receiver is tricked with false, confusing or erroneous information.
- Brute force attacks against possible encrypted transmissions.
It should be noted that, because IP sub-networks are common in DMR networks, systems may also have to cope with threats specific to these IP networks, such as denial of service (DoS) attacks. In a cyber-attack, it is common for cyber criminals to combine various techniques.
To address some of the foregoing potential threats, DMR systems include the following cybersecurity measures:
- Encryption. There are up to four levels of end-to-end encryption (E2EE), all based on symmetric keys and applied between mobile stations and repeaters or between repeaters and servers; the details vary by manufacturer:
- Basic: the least robust. It relies either on scrambling operations with 10-, 32- or 64-character keys or on choosing a non-customisable key from a predefined set. It deters casual listening only and should not be relied on against a determined attacker.
- Enhanced: 40-bit ARC4 (RC4) or 56-bit DES. Both key sizes are far below current recommendations and within reach of exhaustive search, so this level should be treated as legacy.
- Advanced: 128-bit or 256-bit AES, the only level that meets current cryptographic standards.
- Custom: a proprietary algorithm stored on a SIM or SD card, whose strength cannot be assessed publicly.
Moreover, it is possible to encrypt not only the message but also everything involved in call set-up or data transfer, from the moment the call is placed until it is received. This is known as over-the-air encryption; it makes it possible, for example, to protect the call type and the identities involved, or to prevent unauthorised access to the network through one of its own repeaters.
TEA (Tiny Encryption Algorithm) is also available for communication between dispatch solutions and servers.
- Error correction. Cyclic Redundancy Check (CRC) and Forward Error Correction (FEC), implemented in the encoding and decoding stages, detect transmission errors and correct them automatically; the vocoder's reconstruction of the voice from transmissions degraded by weak signal or noise works in the same way, within a limited margin of error. Note that these mechanisms protect against accidental corruption only: an attacker who rewrites a frame can recompute its CRC, so integrity against tampering requires a keyed cryptographic check rather than a CRC.
- Authentication. The procedure is based on challenge-response: a random number (the challenge) is sent in a protocol data unit (PDU) to the equipment being authenticated, which computes a response using the ARC4 keystream generator together with an embedded key provided by its manufacturer. The response is then compared with the expected value and, if they match, authentication succeeds. Other proprietary authentication procedures exist.
On the other hand, authentication is also required to access the devices' configuration interface or to start them, with the option of locking them after a maximum number of failed attempts.
- Registration. Each device is registered with a system identity code (SYScode) that determines where in the network it is active. The SYScode check is an additional procedure that must be passed to gain access to a DMR network.
- Electronic Serial Number (ESN) validation. Each device has a unique, unmodifiable number that must be supplied when it is registered in the DMR network databases. It can be used to control the device's access to the network and thus whether it is treated as legitimate; disabling the ESN denies access. This measure is often used in the event of theft or loss.
- Stun-or-kill mechanisms to prevent unauthorised use of a personal device. Stun inhibits all of the device's functions, preventing it from receiving or transmitting on any channel. Kill disables all functions permanently; the device can only be reactivated by reprogramming it. Since stun and kill are sent over the air, they should only be accepted from authenticated sources; otherwise they become the denial-of-service vector described among the threats above.
- Encrypted VPN tunnelling to protect IP links.
- Keeping the firmware of DMR equipment up to date.
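The following is an added example, constructed for this article and not code from ETSI or any manufacturer, that models two of the measures listed above with a pure-Python ARC4 keystream generator: the challenge-response authentication described under Authentication, and a brute-force attack (one of the threats listed earlier) against a toy stand-in for the Basic encryption level. The response derivation (first 8 keystream bytes of ARC4 keyed with embedded key || challenge), the 16-bit XOR scrambler, the radio IDs, keys and frame contents are all assumptions made for the example; the real PDU layouts and key handling are vendor and specification details.

```python
"""Added example (constructed, not ETSI or vendor code).

1. Challenge-response authentication: the repeater sends a random challenge,
   the radio answers with bytes derived from ARC4 keyed with its embedded key
   and the challenge, and the repeater compares in constant time. Each
   challenge is single-use, so a captured response cannot be replayed.
2. Brute force against a weak scrambler: a constructed 16-bit XOR scrambler
   stands in for the short-key scrambling of the Basic level; with one known
   plaintext frame the whole key space is exhausted in a fraction of a second.
"""
import hmac
import secrets
from typing import Dict, Optional


def arc4_keystream(key: bytes, n: int) -> bytes:
    """ARC4 key scheduling (KSA) followed by n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


RESPONSE_LEN = 8  # assumed response size for this example


def compute_response(embedded_key: bytes, challenge: bytes) -> bytes:
    """Mobile-station side (assumed derivation): ARC4(embedded_key || challenge)."""
    return arc4_keystream(embedded_key + challenge, RESPONSE_LEN)


class Repeater:
    """Repeater / authentication server; keys are provisioned out of band (codeplug)."""

    def __init__(self, registered_keys: Dict[int, bytes]):
        self.registered_keys = registered_keys    # radio ID -> embedded key
        self.pending: Dict[int, bytes] = {}       # radio ID -> outstanding challenge

    def challenge(self, radio_id: int) -> bytes:
        nonce = secrets.token_bytes(8)            # fresh, unpredictable challenge
        self.pending[radio_id] = nonce
        return nonce

    def verify(self, radio_id: int, response: bytes) -> bool:
        nonce = self.pending.pop(radio_id, None)  # single use: a replayed response fails
        key = self.registered_keys.get(radio_id)
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(compute_response(key, nonce), response)


def authenticate(repeater: Repeater, radio_id: int, radio_key: bytes) -> bool:
    """Run one complete challenge-response exchange for a radio."""
    c = repeater.challenge(radio_id)
    return repeater.verify(radio_id, compute_response(radio_key, c))


def toy_scramble(frame: bytes, key16: int) -> bytes:
    """Constructed scrambler: XOR the frame with a repeated 16-bit key.
    A stand-in for short-key 'basic' scrambling, not any vendor's algorithm."""
    pattern = key16.to_bytes(2, "big")
    return bytes(b ^ pattern[i & 1] for i, b in enumerate(frame))


def brute_force_toy_key(cipher_frame: bytes, known_plain: bytes) -> Optional[int]:
    """Recover the 16-bit key from one known-plaintext frame by exhaustive search
    (2**16 candidates; the first two bytes filter, the full frame confirms)."""
    for k in range(1 << 16):
        if toy_scramble(cipher_frame[:2], k) == known_plain[:2] and \
                toy_scramble(cipher_frame, k) == known_plain:
            return k
    return None


# Constructed sample data (not captured from any real network).
RADIO_ID = 2001
EMBEDDED_KEY = bytes.fromhex("00112233445566778899")
KNOWN_FRAME = bytes(range(0x10, 0x10 + 27))     # arbitrary 27-byte stand-in frame


def demo() -> dict:
    rep = Repeater({RADIO_ID: EMBEDDED_KEY})
    c = rep.challenge(RADIO_ID)
    r = compute_response(EMBEDDED_KEY, c)
    first = rep.verify(RADIO_ID, r)
    replay = rep.verify(RADIO_ID, r)             # same response again: rejected
    cipher = toy_scramble(KNOWN_FRAME, 0xBEEF)
    return {"auth_ok": first, "replay_ok": replay,
            "recovered_key": brute_force_toy_key(cipher, KNOWN_FRAME)}


if __name__ == "__main__":
    print(demo())
```

The single-use challenge is what turns authentication into a defence against the replay attack listed among the threats: a recorded response is worthless once the repeater has discarded the challenge it answered. The brute-force half shows why key length, not just the presence of "encryption", decides how much the Basic and Enhanced levels are worth.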
The recommended best practice is to consider all security measures provided by both the DMR standard and the manufacturers. It is also recommended that firewalls, IDS/IPS systems and SIEM systems be implemented for IP subnets.
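As an added example (constructed for this article, not code from ETSI or any vendor) of the caveat under Error correction above: a CRC catches accidental bit errors but not deliberate tampering. The block uses CRC-16/CCITT-FALSE as a generic frame check, which is an assumption for the example (the CRCs actually applied to each PDU type are defined in ETSI TS 102 361-1); the telemetry payload, the shared key and the 64-bit truncated HMAC-SHA256 tag are likewise constructed for the demonstration.

```python
"""Added example (constructed, not ETSI or vendor code).
A CRC-16 check detects a flipped bit, but an attacker who rewrites a frame
recomputes the CRC and passes. A keyed MAC over the same payload detects the
forgery because the attacker cannot produce a valid tag without the key.
"""
import hashlib
import hmac


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF, no reflection."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def build_frame(payload: bytes) -> bytes:
    """Append the 16-bit CRC (big-endian) to the payload."""
    return payload + crc16_ccitt(payload).to_bytes(2, "big")


def crc_ok(frame: bytes) -> bool:
    """Receiver-side check: does the stored CRC match the payload?"""
    return crc16_ccitt(frame[:-2]) == int.from_bytes(frame[-2:], "big")


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate channel noise: invert one bit of the frame."""
    data = bytearray(frame)
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(data)


def attacker_rewrite(new_payload: bytes) -> bytes:
    """An attacker able to re-send frames (e.g. with an SDR) just recomputes the CRC
    over the modified payload; the receiver's CRC check cannot tell the difference."""
    return build_frame(new_payload)


TAG_LEN = 8  # 64-bit truncated HMAC tag (assumed size for the example)


def mac_frame(key: bytes, payload: bytes) -> bytes:
    """Append a keyed tag; only holders of `key` can produce a valid one."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]


def mac_ok(key: bytes, frame: bytes) -> bool:
    """Receiver-side check of the keyed tag, compared in constant time."""
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(expected, tag)


# Constructed sample: a telemetry command such as a DMR data application might carry.
TELEMETRY = b"\x01\x10VALVE_7=OPEN"
FORGED = b"\x01\x10VALVE_7=SHUT"
SHARED_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # demo key only


def demo() -> dict:
    """Run the scenarios and report which checks the receiver would accept."""
    frame = build_frame(TELEMETRY)
    noisy = flip_bit(frame, 21)                   # one bit hit by channel noise
    forged = attacker_rewrite(FORGED)             # payload rewritten, CRC recomputed
    tagged = mac_frame(SHARED_KEY, TELEMETRY)
    forged_tagged = FORGED + tagged[-TAG_LEN:]    # attacker reuses the genuine tag
    return {
        "clean_crc": crc_ok(frame),                       # True
        "noisy_crc": crc_ok(noisy),                       # False: error detected
        "forged_crc": crc_ok(forged),                     # True: CRC is no defence
        "clean_mac": mac_ok(SHARED_KEY, tagged),          # True
        "forged_mac": mac_ok(SHARED_KEY, forged_tagged),  # False: forgery detected
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The point for DMR deployments is that CRC and FEC belong to the availability side of the picture (surviving noise and weak signal), while integrity against an active attacker comes only from the encryption and authentication layers, which is one more reason not to run data applications such as SCADA or telemetry over an unencrypted channel.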