Top 5 security risks of Open RAN

Open RAN enables interoperability among hardware, software, and interfaces used in cellular networks but also changes their attack surface.

5g cellular tower
Shutterstock / Alexander Yakimov

When a cell phone or other mobile device connects to the nearest cell tower, the communication takes place over something called a RAN -- a radio access network. From the cell tower, the signal is then routed to a fiber or wireless backhaul connection to the core network. RANs

RANs are proprietary to each equipment manufacturer. Open RAN, on the other hand, allows for interoperability that allows service providers to use non-proprietary subcomponents from a choice of vendors. That adds complexity to the network and changes the risk landscape for wireless communications.

What is RAN and Open RAN?

With 4G, the RAN signal was based for the first time on the Internet Protocol (IP). Previously, it used circuit-based networks, where phone calls and text messages traveled on dedicated circuits. RAN has also evolved to support video and audio streaming, and more types of devices, including vehicles and drones.

RANs have both hardware and software components. Hardware includes the cell phone antennas and radios, and the base band units located in the cell towers. The baseband units are typically custom made.

Historically, this has been the largest investment for a mobile network operator, according to Shamik Mishra, CTO for connectivity at Capgemini. Virtualization and cloudification have bypassed this part of the network, he says, mainly because of the dependence on a single hardware vendor and the accompanying embedded software, complex network management, and customized radio units.

In recent years, the radio network has become disaggregated, Mishra says. "Radio units and the baseband software are now split," he says, "which makes it possible to virtualize the RAN. This advancement also adds multiple vendors into the mix."

Now, Open RAN is the latest evolution in RAN, and involves interoperable standards for hardware, software, and interfaces. Plus, the Open RAN software is being developed as cloud native, says Mishra. If telecoms can deploy automation at scale, they'll be able to create intelligent network applications and create new use cases that weren't previously possible, he says.

Open RAN will also allow operators to share spectrum bands, says Erik Krogstad, senior national cloud architect at Sungard Availability Services. That will reduce the need for new spectrum licenses and will make it easier for companies to deploy their own 5G networks. "The technology also offers improved performance and redundancy, making it more reliable and efficient," he says. Open RAN will also allow telecoms to replace expensive proprietary hardware with white box servers and other standard equipment, saving them time and money.

In addition to the expected cost savings, there are other benefits, says John Carse, CISO at Rakuten Mobile and Rakuten Symphony. He is responsible for ensuring the security of Rakuten Mobile’s massive Open RAN installation, which is already deployed. "Network operators that choose RAN elements with Open RAN standard interfaces can avoid being stuck with one vendor’s proprietary hardware and software," he says.

With recent disruptions to the global supply chain, more options is a good thing, Carse says. Competition will also help spur innovation, he adds. Carriers will get visibility into the technology in the fronthaul -- that's the connection to the cell phones and other mobile devices. That can help assure confidentiality and integrity of these systems. "It's a move from 'security through obscurity' to 'zero trust,'" he says.

Security risks of Open RAN

However, experts have cautioned that there are potential security risks associated with Open RAN. This past May, for example, the European Union published a report on Open RAN security that listed potential concerns, including a larger attack surface, increased risk of misconfiguration, risk of impact on other network functions due to resource sharing, and immature specifications that are not secure by design. Open RAN could also lead to new critical dependencies in cloud components, according to the report.

In February, Germany's Federal Office for Information Security commissioned a report about Open RAN specifications as laid out by the O-RAN Alliance and it was particularly scathing. According to the report, the O-RAN specifications "provide few guidelines in the area of security" and "medium to high security risks can be identified in numerous interfaces and components."

That's because the current specification doesn't adhere to the principle of security by default, say the report's authors, and fails to take account of the principles of multilateral security -- assuming minimal trustworthiness of all stakeholders.

As a result of these and other concerns, Open RAN adoption has been slower in Europe than in Japan, says Krogstad. "These things are all being worked on to bring all countries on board to deliver this as a global uniform service," he says.

These are the top five risks for Open RAN.

1. Cloud is the top 5G security risk

Any new technology poses security risks. There might be vulnerabilities in the platform that aren't addressed with the first implementations, and it can take time to plug all the holes. But Carse says it's a misconception that Open RAN increases security risks. "Open RAN is simply more interfaces that are standardized," he says. Plus, the radio interfaces aren't the weak areas in telecom networks.

He agrees that the cloud is a big new risk factor. "The identified risk in 5G overall is the same risk that all industries are facing," he says. "The business is moving onto cloud using containers, Kubernetes -- and the software supply chain is moving to a continuous integration, continuous deployment operating model."

When attacks happen, they typically start with compromised credentials, vulnerable web servers, or compromised software, Carse says. "Once a network is breached, the hacker will move to escaping the container into the Kubernetes cluster and then moving from there to discover more services," he says. "Since 5G is the first telecom generation that is designed to be cloud native, it is foundational that telecom cloud implements IT industry best practices."

However, there are some concerns that Open RAN's more diverse vendor landscape and software supply chain will expand the potential attack surface. Plus, increased complexity makes it more difficult to secure systems.

2. Hardware vendors lag on security

Other than the risks associated with moving to cloud infrastructure, the single biggest cybersecurity challenge is getting the vendors to step up their game, says Carse. "My experience, working with our vendors, leads me to believe that they have never had their technology or operational processes scrutinized from a security perspective," he says. "They have very long cycles for addressing patching, hardening and proper use of standard operational security practices."

By comparison, other kinds of technology vendors are miles ahead. "The visibility that we get from virtualized and containerized implementations is eye-opening," Carse says. He recommends that telecoms working with Open RAN vendors be prepared to manage deliverables through proper contracts and service level agreements.

Another hardware-related issue that can pose additional challenges is that the design code used to create platform semiconductors is often proprietary, but must also be reviewed and verified, says IEEE senior member David Witkowski. "And even if it's open, the process of reviewing hardware design code is much more complex than reviewing software code," he says.

3. Open RAN increases complexity

Open RAN is new technology for the telecom industry, says Carse. "And it introduces several layers of complexity, especially in existing telco environments," he says.

First, the containerization and microservice architecture is somewhat different to what the industry is used to with RAN. "We also have complexity introduced through the increasing number of players in the ecosystem," Carse says. "The alignment on the specification and the technology to bring all of this together is still being developed. The Open RAN industry is fragmented with many competing implementations, and it still needs to consolidate. The complexity in any single implementation does present security risk."

It's not an impossible task, Carse says. "We have many non-telco practices and technologies that we can use to secure containers and microservice architectures," he says. For example, Rakuten Mobile is applying industry best practices to secure their own cloud native infrastructure. "We extensively use our own certificate authority," he says. "And we provide our RAN and network elements strong identity and access to the network using certificates. We have advanced secret management integrated with our container orchestrator for our network functions and applications running on our network. We have control of what is allowed to execute on our platform using signing and configuration policy controls. We continuously monitor for changes in our environment and are able to detect any execution in our runtime environment."

Rakuten Mobile also uses DevSecOps principles. It helps the telco identify potential problems in code logic, container vulnerabilities, and configuration issues. "And we have strong gating to assure that the problems are addressed before going into our production environment," Carse says.

4. Open-source code presents software supply chain risk

Open-source code is not necessarily more or less secure than proprietary software. In fact, most proprietary software is based on open source, but the fact that it is open to the public does mean that attackers can scrutinize it and look for weaknesses or try to inject malicious components.

"The entire mobile network can be at risk just because of a minor bug that’s already out in the open," says Andreas Grant, founder and network security engineer at Networks Hardware. "A low-level distributed denial of service attack might be enough to bring down an entire network if the configuration is not done right."

"I personally believe that open source is always a better option as it will bring in fresh eyes and products and the ability for the community at large to poke holes in them," says Andy Rogers, senior assessor at Schellman, a global cybersecurity assessment firm. "Which, at the end of the day, makes the technology stronger when it's patched and fixed.”

Some of the most secure platforms out there, such as OpenBSD, are open-source platforms, Rogers says. "Because everyone can poke and prod Open RAN, the problems can be found by a much larger community of hackers and security researchers," he says.

Still, there will be growing pains. "With any new technology, there will be holes," Rogers says. "Any time there is less control over the development of technology you will have serious problems with some of the products that are developed -- as we have seen with IP cameras. Check out Shodan for how exploitable they are."

5. Shared spectrum increases risk of disruption

With Open RAN, multiple operators can use the same bands, says Sungard Availability Services' Krogstad -- and this can pose a security risk. In the traditional model, cell companies moved voice and messages over closed, proprietary networks. "This allowed them to tightly control how their networks functioned and what devices could be used on them," he says.

Now that multiple operators can use the same spectrum, there's the risk of potential interference -- as well as the risk of threat actors stealing data or causing service disruptions. "Sharing infrastructure also makes it easier for attackers to penetrate networks," Krogstad says.

Open RAN security strategies

Governments have really stepped up to provide guidance on Open RAN security, says Rakuten Mobile's Carse. He singled out the EU Toolbox and the EU's report on the cybersecurity of Open RAN.

The European Union released the EU Toolbox of risk mitigating measures for 5G networks two years ago and the report on cybersecurity this past May. "Both of these documents highlight the challenges present in telecom moving forward," Carse says.

The industry, the vendor community, and government agencies are paying attention to Open RAN risks. Open RAN security issues are being discussed both inside and outside the standards bodies, says Carse. "However, I think these open, face-to-face conversations have been hampered by COVID-19 over the last two years," he says.

The industry is finally starting to have more face-to-face seminars, but Carse would like to see more government participation to help with making investments in research and development and to help address supply chain issues.

Copyright © 2022 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)