KT senior executives answer questions at a press briefing on small-payment damages held at the KT Gwanghwamun Building West in Jongno-gu, Seoul, on the 11th. /Courtesy of News1

KT said that the illegal ultra-small base stations identified as the cause of the unauthorized small-payment incident are presumed to be devices that had previously been consolidated to the KT network.

KT held a press conference on the unauthorized small payments at its headquarters in Jongno-gu, Seoul, on the 11th and gave this answer when asked how the illegal ultra-small base stations were installed.

The same day, KT confirmed the possibility that the personal information of 5,561 users was leaked through the illegal ultra-small base stations identified as the cause of the unauthorized small-payment incident and reported it to the Personal Information Protection Commission. The following is a Q&A with KT officials.

-Although you were notified by police investigators on Sept. 1, why did you not inform customers via the website or text notice?

Even if a notice comes from an investigative agency, personal information does not normally come over, and we analyze it through VOC (voice of customer) received at the customer center. We should have been alert to the large number of occurrences, but although it was not typical, we identified it as a smishing case.

As cases accumulated, we judged the situation to be serious and took provisional restrictive measures on Sept. 5. We sincerely apologize for not being able to respond even a little faster and for causing concern to customers.

-Are you saying that all 5,000-plus IMSI were leaked through the illegal ultra-small base stations, or was there another route? Also, should this be seen as accessing the KT network for criminal purposes to steal IMSI information?

The 5,561 leaked IMSI went through the illegal ultra-small base stations. We described this as "circumstantial" because it went through systems we cannot control. As for criminal intent, we are closely cooperating with the police investigation and KISA's inspection, so we can speak to that depending on the progress of the investigation.

-My understanding is that IMSI encryption is standard. Was it not encrypted?

The 5G security architecture does not use IMSI. The system where the problem occurred this time is LTE. In LTE, when a customer turns the device off and back on, the device sends the IMSI to the base station, and the central server issues a temporary identifier called GUTI, after which communication proceeds while moving between base stations.

Among the roughly 19,000 people exposed to the illegal base station signals, except for 5,000-plus, the rest had only their GUTI exposed and not their IMSI. There was no 3G damage.

Gu Jae-hyung, head of KT Network Technology Headquarters, announces enhanced security measures at a press briefing on small-payment damages held at the KT Gwanghwamun Building West in Jongno-gu, Seoul, on the 11th. /Courtesy of News1

-There are suggestions it could have been an inside job at KT. And has the physical existence of this ultra-small base station been confirmed?

There is nothing confirmed indicating it was internal to KT. We can infer that the installer has considerable knowledge related to telecommunications, but whether it was an insider has not yet been confirmed. However, we did not see the physical device of this ultra-small base station; we inferred it during the process of blocking after reviewing base station IDs in the billing records of customers who suffered small-payment damage.

-Even if an illegal base station is built, it should have to connect to the KT network and go through authentication. How could it have been consolidated so easily?

We presume it is equipment that had previously been consolidated to our network. Once the physical device is secured, we will be able to know the exact process.

-Did existing equipment break away and get illegally reattached, and you still failed to manage it?

After searching the equipment ID, we found it did not actually exist in our management system. The ID had been deleted, and we are analyzing the possibility that the product was spoofed. For equipment actually in operation, IDs and other management systems are established, and we have already taken measures to prevent equipment not in the management system from being activated. We will refocus on this as a management issue.

-Please explain in detail the cause of the small-payment damage.

For small payments to be made, personal information such as name and resident registration number must be entered, and to our knowledge that information cannot be leaked from illegal base stations, so we are also waiting for the investigation results.

-Where did the difference arise between those who suffered small-payment damage and those who did not?

The 5,000-plus IMSI exposures do not indicate actual billing attempts; they include everyone who captured the signal of the illegal ultra-small base stations even once.

-There are many secondary victims, such as unauthorized logins to KakaoTalk or Karrot. Are you aware?

We are aware of cases saying, "After waking up, KakaoTalk was logged out." However, unauthorized login cases have not been confirmed, so we will quickly check. We will also strengthen other access restriction features to prevent such incidents.

-If even ARS verification was bypassed, does that mean there is a gray area in security?

It is true that we also do not understand that part. ARS also requires entering a name or resident registration number for a verification text to be sent, so we see it as separate from the illegal ultra-small base stations.

-Do you plan to waive termination fees for customers who want to change carriers?

We will include that in the compensation plan and review it proactively from the customer's perspective.

-On Jul. 7, you said you would strengthen security by spending about 1 trillion won over five years. In light of this incident, do you plan to increase that amount?

We will consider it further. However, 1 trillion won over five years is in fact a very large amount, and such large-scale investment does not happen immediately. We view this as a long-term strengthening of the security system, and in light of this incident, we will adjust the investment priorities.
