Security Testing The O-RAN Near-Real Time RIC & A1 Interface


Research area: Analysis



Conference: WiSec '24: Proceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks


Abstract

Open-Radio Access Network (O-RAN) is the next evolutionary step in mobile network architecture and operations, and the Near-Real Time RAN Intelligent Controller (Near-RT RIC) plays a central role in the O-RAN architecture as it interfaces between the orchestration layer and next generation eNodeBs. In this paper we highlight the architectural weakness of a centralized controller in O-RAN by first drawing parallels with the Software-Defined Networking (SDN) controller. We then present a two-part security evaluation of two open-source Near-RT RICs (μONOS and OSC), focused on the newly introduced A1 interface of the Near-RT RIC. In the first part of our evaluation, we evaluate the supply-chain risks of μONOS and OSC using off-the-shelf open-source dependency analysis and configuration file analysis tools. In the second part, we present our run-time security testing of the A1 API implemented by μONOS and OSC using our custom O-RAN A1 Interface Testing Tool (OAITT). Our supply-chain risk analysis shows that both the open-source Near-RT RICs we evaluated have multiple dependency risks and weak or insecure configurations. We identified 211 and 285 known dependency vulnerabilities in μONOS and OSC respectively, of which 82 and 190 dependencies were rated as high CVSS respectively. The A1 interface contributed to a majority of the dependency risks in both Near-RT RICs. From a security misconfiguration perspective, we identified issues concerning access control, lack of encryption and poor secret management. Our run-time testing of OSC and μONOS revealed the following. First, both Near-RT RICs lack TLS for the A1 interface. Second, malicious Non-Real Time RAN Intelligent Controllers (Non-RT RICs) or rApps that reside in the Non-RT RIC could tamper with policies installed in the Near-RT RIC, which can impact the availability of the O-RAN. Third, the A1 protocol could be exploited by Non-RT RICs for covert communication via the Near-RT RIC. Fourth, the A1 implementation by μONOS was vulnerable to degradation of service attacks (10-60s response time for GET requests) and a denial of service attack; the latter has been ethically reported and a fix is underway.


Author Profile

Kashyap Thimmaraju
Technische Universität Berlin, Berlin, Germany
Germany

Altaf Shaik
Technische Universität Berlin, Berlin, Germany
Germany

Sunniva Flück
Technische Universität Berlin & ETH Zürich, Berlin, Germany
Ethiopia

Paper information

Publication year: 2024
Citations: 9
Publication countries: Ethiopia, Spain, Germany
Site: ACM