Monday, November 22, 2021

O-RAN entails 'medium to high' security risks according to study released by German government agency: paradigm shift needed to avoid 'security debacle'

In a recent post on O-RAN I discussed European concerns over the contemplated standard for the modularization of mobile network infrastructure being driven by geopolitical objectives (America first, Chinese bogeyman) rather than technical merits. The situation appears to be a lot worse than that. Today one of the world's most well-respected and independent IT security authorities, the German Bundesamt für Sicherheit in der Informationstechnik (BSI; official English title: Federal Office for Information Security) released an 86-page study (PDF; in German) that must give some people not only food for thought but possibly even pause.

The government agency's risk assessment--to be precise, the BSI commissioned and funded the study, and did not influence the researchers' independent work--focused on the following objectives: confidentiality (of data), integrity, accountability, availability, and privacy. The study took three different stakeholder angles: that of a user of a 5G network, that of an operator of a 5G network, and that of the state (i.e., the public interest). In light of the lack of specificity of the current version of the O-RAN specs, the risk assessment relates to a "worst-case perspective" in which none of the optional security measures have been implemented and a "best-case perspective" based on the assumption of all optional security measures actually having been put in place.

The renowned security experts took into consideration that the leverage of potential attackers varies greatly. Therefore, they evaluated how much damage could be done by a totally external attacker, a 5G user, an "insider", a cloud operator, and a RAN operator.

Here comes my translation of the two final and most important paragraphs of the executive summary (all emphases in original):

"As a result of the risk assessment, it has been identified that medium to high security risks emanate from a multiplicity of the interfaces and components specified in O-RAN. This comes as hardly a surprise as the current development process of the O-RAN specifications is not guided by the paradigm of 'security/privacy by design/default' and the principle of multilateral security (minimal trust by each participant [in the other components]) has not been heeded.

"As a result of conducting this risk assessment, various possibilities for improvement with respect to risk mitigation have been identified. Those are stated as recommendations toward the end of the report. It is key for security improvements to be incorporated into the specification now in order to avoid this time around a security debacle like the one that occurred in the development of 3GPP standards."

I'll read the study in detail, but I did want to share the (unfortunately bad) news right away. It is known in the telecommunications industry that the European Commission is also performing a risk assessment, and it will be interesting to see what comes out of that effort. At first sight, the BSI-commissioned analysis is thorough and probably reliable. There really do appear to be serious issues, but again, I'll need some more time to digest the study.