Enhancing Open RAN Security

A Deep Dive into Vulnerability Analysis and Testing

The telecommunications industry is undergoing a transformative shift with the advent of open RAN, a concept that emphasizes interoperability and standardization of Radio Access Network (RAN) elements. As this evolution takes place, ensuring the security of open RAN becomes paramount. In the pursuit of this objective, we sat down with postdoctoral researcher Dr. Kashyap Thimmaraju to discuss the research that he and his colleague Christian Werling from the Security in Telecommunication chair at TU Berlin are leading through an i14y Lab supported project to evaluate and enhance the security aspects of open RAN.

A Deep Dive into Vulnerability Analysis and Testing

Project Overview and Goals

Thimmaraju, working under the guidance of Prof. Dr. Jean-Pierre Seifert, outlines the core objectives of the project. Their primary focus is on evaluating the security of open RAN (architecture, software and hardware), designing and developing automated security testing tools, and integrating these tools into the broader open RAN ecosystem.

Unveiling Vulnerabilities in the NRT RIC Component


Exposing vulnerabilities in the Near-Real-Time RAN Intelligent Controller (nRT-RIC) components is an important part of this research. Thimmaraju used a two-pronged approach, involving the static analysis and run-time testing of open-source nRT-RIC implementations (OSC and micro ONOS). The latter led to the development of the O-RAN A1 Interface Testing Tool (OAITT). OAITT is the first open-source tool available to the O-RAN community for security and performance testing of the A1 interface and it revealed the following critical vulnerabilities:


  1. Absence of Transport Layer Security (TLS) in nRT-RICs compromises confidentiality and integrity.
  2. Lack of A1 terminator authorization mechanisms: leading to unauthorized policy and enrichment information access.


As a consequence of these vulnerabilities, the following may occur:


  1. Potential for inconsistent network views in the controller. 
  2. Potential fingerprinting of nRT-RICs based on response times.
  3. Covert channels between nonRT-RIC and nRT-RIC.


Another issue detected was the potential of denial of service attacks on nRT-RIC via the A1 interface.

Open Source Contributions and Collaborations

Thimmaraju emphasizes the commitment to open-source principles, stating that their security testing tools will be available to the public in various forms, including source code, data, vulnerability disclosures, technical reports, and academic publications. This commitment extends to the OAITT, empowering the O-RAN software community, vendors and operators with a tool for security testing.


Impact and Future Directions


The significance of their work lies in its proactive approach to improving open RAN design. Thimmaraju highlights the ongoing collaboration with consortium partners to integrate those partners’ tools into various environments. Additionally, Thimmaraju and Werling are extending their research to the network virtualization stack, particularly focusing on virtual switches, a crucial component in end-to-end network slicing promised by 5G and beyond.


Addressing Vulnerabilities and Future Standardization


Acknowledging the importance of security in various interfaces, systems, and code, Thimmaraju explains how their work contributes to building a more secure framework for open RAN. Their findings stress the necessity of authorization mechanisms, secure code development, and the relevance of Software Bill of Materials (SBOMs) in enhancing security.

Collaboration with O-RAN Alliance and the i14y Lab


Thimmaraju reveals that their research has caught the attention of the O-RAN Alliance, resulting in the identification and resolution of authorization issues in the A1 interface specification and the introduction of a new threat in the O-RAN Security Threat Modeling and Risk Assessment. Moreover, their OAITT tool, once open-sourced, is envisioned to be utilized by the i14y lab members, serving as a valuable resource for the open RAN community.


In conclusion, Thimmaraju and Werling's research not only uncovers vulnerabilities but actively contributes to fortifying the security of open RAN. Through open-source tools, responsible reporting, and collaborative engagements, they are playing a pivotal role in shaping a more secure future for telecommunications. Their commitment to transparency and collaboration sets a commendable precedent for the industry as it navigates the complexities of open RAN.


If you would like to stay updated as this research unfolds, make sure to sign up for our newsletter. We plan to offer more information through the newsletter about this topic as time goes on, and we are even planning to host an event to further inform the industry of this development in the security of Open RAN.

i14y Lab Newsletter

Subscribe to the i14y Lab newsletter to get your monthly update on what’s going on in the lab, upcoming events, and other network disaggregation news.