This work identifies a data-driven black-box evasion attack threat against xApps/rApps in O-RAN architectures, stemming from their direct access to RAN data. To target machine learning models deployed in both near-real-time (Near-RT) and non-real-time (Non-RT) RIC components, we propose a novel black-box attack framework that jointly optimizes latency constraints and attack efficacy—integrating model cloning, input perturbation, universal adversarial perturbations (UAPs), and targeted UAPs, guided by fine-grained threat modeling for precise exploitation. We conduct the first systematic adversarial evaluation of multiple ML-driven RAN applications—including interference classification and energy-efficient control—on both a real-world O-RAN testbed and a high-fidelity simulation platform. Experimental results demonstrate that the attack significantly degrades application performance and network efficiency, while exhibiting strong robustness against state-of-the-art defensive mechanisms. Our findings provide critical empirical evidence and establish a new attack paradigm for securing O-RAN systems.

The impending adoption of Open Radio Access Network (O-RAN) is fueling innovation in the RAN towards data-driven operation. Unlike traditional RAN where the RAN data and its usage is restricted within proprietary and monolithic RAN equipment, the O-RAN architecture opens up access to RAN data via RAN intelligent controllers (RICs), to third-party machine learning (ML) powered applications - rApps and xApps - to optimize RAN operations. Consequently, a major focus has been placed on leveraging RAN data to unlock greater efficiency gains. However, there is an increasing recognition that RAN data access to apps could become a source of vulnerability and be exploited by malicious actors. Motivated by this, we carry out a comprehensive investigation of data vulnerabilities on both xApps and rApps, respectively hosted in Near- and Non-real-time (RT) RIC components of O-RAN. We qualitatively analyse the O-RAN security mechanisms and limitations for xApps and rApps, and consider a threat model informed by this analysis. We design a viable and effective black-box evasion attack strategy targeting O-RAN RIC Apps while accounting for the stringent timing constraints and attack effectiveness. The strategy employs four key techniques: the model cloning algorithm, input-specific perturbations, universal adversarial perturbations (UAPs), and targeted UAPs. This strategy targets ML models used by both xApps and rApps within the O-RAN system, aiming to degrade network performance. We validate the effectiveness of the designed evasion attack strategy and quantify the scale of performance degradation using a real-world O-RAN testbed and emulation environments. Evaluation is conducted using the Interference Classification xApp and the Power Saving rApp as representatives for near-RT and non-RT RICs. We also show that the attack strategy is effective against prominent defense techniques for adversarial ML.