
RAN-TESTER UE
A Novel Approach for Open RAN Security Testing
Summary
This project aims to develop a software-defined tester UE for 5G and open RANs, focusing on security testing. The soft T-UE will be compatible with commercial off-the-shelf software radio hardware, supporting both standardized and custom tests. Deliverables include a software repository, documentation, benchmarks, and testing scripts, offering an open-source solution to enhance security and prevent breaches.
Development Roadmap
The project consists of three phases. Phase 1 focuses on establishing the foundations for the testing methods R&D. In Phase 2, the team will develop and maintain software, integrate hardware, conduct sample testing, and collect data. Phase 3 aims to build and support a community, engage with industry and regulators, and promote widespread adoption and community-driven extensions of the testing method. For a detailed timeline of major tasks, please refer to the timeline map.
Types of Attacks
1) Jamming attack: It is an intentional disruption of a wireless signal by transmitting strong interference on the same frequency, blocking or degrading the intended communication.
Metrics collected: inability of UEs to connect, low channel quality, gNB overload/crash, UE detach
2) Random Access Channel (RACH) Flooding attack: This attack targets the RACH preamble message, which is used for the initial connection and communication between the User Equipment (UE) and the gNodeB.
Metrics collected: inability to register new UEs to the RAN, UE disconnect, RAN crash/freeze, timing issues with existing UEs
3) Radio Resource Control (RRC) Fuzzing attack: This attack exploits potential vulnerabilities in the gNB's handling of RRC messages, potentially causing system malfunctions or unexpected behavior.
Metrics collected: gNB overload/crash, detach existing UEs, discovery of buffer overflow vulnerabilities
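As an added illustration of how the metrics listed above can be derived on the observing side (example code written for this page, not code from the RAN-Tester UE project), the Python below takes constructed per-second gNB counters and computes the shared metrics (inability of UEs to connect, UE detach/disconnect, RAN freeze) plus the RACH preamble surge that characterizes the RACH flooding test. The counter names and the baseline/test split are assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Sample:
    """One second of gNB counters (assumed names, not a real gNB interface)."""
    t: int                 # seconds since test start
    rach_preambles: int    # RACH preambles received this second
    rrc_setup_req: int     # RRC setup requests (new UE registrations attempted)
    rrc_setup_ok: int      # RRC setup completions (registrations succeeded)
    connected_ues: int     # UEs in RRC_CONNECTED at end of the second

# Constructed sample: seconds 0-4 are baseline, seconds 5-9 the test traffic is on.
SAMPLES = [
    Sample(0, 3, 2, 2, 10), Sample(1, 4, 3, 3, 12), Sample(2, 2, 2, 2, 13),
    Sample(3, 3, 1, 1, 14), Sample(4, 4, 2, 2, 15),
    Sample(5, 480, 3, 1, 15), Sample(6, 510, 4, 0, 14), Sample(7, 495, 2, 0, 11),
    Sample(8, 505, 3, 0, 8), Sample(9, 490, 2, 0, 7),
]

def rach_metrics(samples, baseline_end, surge_threshold=10.0):
    """Derive the test metrics from counters; samples before baseline_end are baseline."""
    baseline = [s for s in samples if s.t < baseline_end]
    under_test = [s for s in samples if s.t >= baseline_end]
    base_rate = mean(s.rach_preambles for s in baseline) if baseline else 0.0
    # Inability to register new UEs: share of RRC setup requests that never completed.
    req = sum(s.rrc_setup_req for s in under_test)
    ok = sum(s.rrc_setup_ok for s in under_test)
    reg_fail_ratio = (req - ok) / req if req else 0.0
    # UE disconnect/detach: total decrease in connected UEs between consecutive seconds.
    drops = sum(max(0, a.connected_ues - b.connected_ues)
                for a, b in zip(under_test, under_test[1:]))
    # RAN crash/freeze: a gap in the counter stream (gNB stopped reporting).
    freeze_gaps = [(a.t, b.t) for a, b in zip(samples, samples[1:]) if b.t - a.t > 1]
    # RACH preamble surge relative to the baseline rate.
    peak = max((s.rach_preambles for s in under_test), default=0)
    surge = peak / base_rate if base_rate else float("inf")
    return {
        "baseline_preamble_rate": base_rate,
        "peak_preamble_rate": peak,
        "surge_factor": surge,
        "registration_failure_ratio": reg_fail_ratio,
        "ue_drops": drops,
        "freeze_gaps": freeze_gaps,
        "flood_detected": surge >= surge_threshold,
    }

if __name__ == "__main__":
    for k, v in rach_metrics(SAMPLES, baseline_end=5).items():
        print(f"{k}: {v}")
```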