OpenRAN – 5G hacking just got a lot more interesting

Karsten Nohl

Many 5G networks are built in fundamentally new ways, opening new hacking avenues.
Mobile networks have so far been monolithic systems from big vendors. Networks are rapidly changing to an "open" model that mixes software from specialized vendors, hosted in cloud environments.

The talk dives into the hacking potential of the technologies and new interfaces needed for these open networks. We illustrate the security challenges with vulnerabilities we found in real-world networks.

# Background #

Mobile networks are undergoing a paradigm shift from single-vendor monoliths to open cloud environments. Telco software now comes from different vendors and is installed on commodity hardware.

OpenRAN is being introduced in many (not all) 5G networks globally. Operators hope that OpenRAN will be more flexible and cheaper. But what about security?

To make building blocks interoperable, OpenRAN comes with new interfaces, often with unclear security properties. OpenRAN also adds complex IT technologies, which come with their own hacking issues. Many components run on Linux in Docker containers on top of Kubernetes, adding multiple layers of possible hacking interference.

Mobile networks also become easier to test, including for pentesters with experience in web apps and cloud environments. This talk explores how we can best use this new accessibility.

# What we discuss #

*1. Technology overview.* Which technologies and interfaces are used in OpenRAN?

*2. Baseline security.* Which security measures are part of OpenRAN, and which gaps are left open?

*3. Pentest/hacking advice.* How do you test whether a network uses the necessary security measures?

*4. Tales of caution.* Vulnerabilities we found in real-world networks.