Oh No, My RAN! Breaking Into an O-RAN 5G Indoor Base Station

Authors: 

Leon Janzen, Lucas Becker, Colin Wiesenäcker, and Matthias Hollick, Technical University of Darmstadt (TUDa)

Abstract: 

Indoor base stations are expected to play a crucial role in 5G and beyond, as they are required to provide millimeter wave connectivity in buildings. However, they are a prime target for attacks, as they are difficult to secure against physical access attacks and highly connected within the RAN, especially for Open Radio Access Network (O-RAN) indoor base stations. In this work, we develop and introduce a threat model for indoor base stations. We conduct a security analysis of a proprietary O-RAN Radio Unit and present four novel vulnerabilities. Further, we analyze the Radio Unit regarding its hardware, software, and services, highlighting deviations from the O-RAN standards. The vulnerabilities we discover lead to remote code execution on the Radio Unit, highlighting security issues arising from the novel attack surface introduced by indoor base stations.

BibTeX
@inproceedings {298957,
author = {Leon Janzen and Lucas Becker and Colin Wiesen{\"a}cker and Matthias Hollick},
title = {Oh No, My {RAN}! Breaking Into an {O-RAN} 5G Indoor Base Station},
booktitle = {18th USENIX WOOT Conference on Offensive Technologies (WOOT 24)},
year = {2024},
isbn = {978-1-939133-43-4},
address = {Philadelphia, PA},
pages = {101--115},
url = {https://www.usenix.org/conference/woot24/presentation/janzen},
publisher = {USENIX Association},
month = aug
}
