Attacking O-RAN Interfaces: Threat Modeling, Analysis and Practical Experimentation

A new generation of open and disaggregated Radio Access Networks (RANs) enabling multi-vendor, flexible, and cost-effective deployments is being promoted by the Open Radio Access Network (O-RAN) Alliance. However, this new level of disaggregation in the RAN also entails new security risks that must be carefully addressed. The O-RAN Alliance has established Working Group 11 (WG11) to ensure that the new specifications are secure by design. Acknowledging the new security challenges arising from the expanded threat surface, O-RAN WG11 provides procedures to identify threats and assess and mitigate risks. Reportedly, as of 2024, 60% of found risks are related to Denial of Service (DoS) and performance degradation. Therefore, in this work, we analyse a vanilla O-RAN deployment and evaluate the endurance of different O-RAN interfaces under attacks in scenarios involving DoS and performance degradation. To do so, we use a reference O-RAN open source deployment to report, risks found, weak points, and counter-intuitive recommended design choices for both control plane (A1, E2, and F1-c) and user plane (F1-u) interfaces. Consequently, we map O-RAN WG11’s threat model and risk assessment methodology to our considered DoS and performance degradation scenarios, and dissect existing threats and potential attacks over O-RAN interfaces that may compromise the security of O-RAN architectural deployments. Finally, we identify mechanisms to mitigate risks and discuss approaches aimed at improving the robustness of future O-RAN networks.