Poisoning Bearer Context Migration in O-RAN 5G Network

Abstract

Open Radio Access Network (O-RAN) improves the flexibility and programmability of the 5G network by applying the Software-Defined Network (SDN) principles. O-RAN defines a near-real time Radio Intelligent Controller (RIC) to decouple the RAN functionalities into the control and user planes. Although the O-RAN security group offers several countermeasures against threats, RIC is still prone to attacks. In this letter, we introduce a novel attack, named Bearer Migration Poisoning (BMP), that misleads the RIC into triggering a malicious bearer migration procedure. The adversary aims to change the user plane traffic path and causes significant network anomalies such as routing blackholes. BMP has a remarkable feature that even a weak adversary with only two compromised hosts could launch the attack without compromising the RIC, RAN components, or applications. Based on our numerical results, the attack imposes a dramatic increase in signalling cost by approximately 10 times. Our experiment results show that the attack significantly degrades the downlink and uplink throughput to nearly 0 Mbps, seriously impacting the service quality and end-user experience.