[Editor's note] Unauthorized small-amount charges keep hitting KT subscribers. The scheme, driven by a newly identified hacking method, involved an unregistered base station accessing the network to induce payments. We examine the structural vulnerabilities in telecom infrastructure security that caused this incident and consumer responses to prevent further damage.
As anxiety spread over KT's recent unauthorized small-amount charge incident, the government is expanding its probe nationwide with the three mobile carriers. But among the three, only KT was found to have connections from unregistered base stations (illegal ultra-small base stations not installed by KT, commonly called "ghost base stations"). Inside and outside the telecom industry, some say KT was the only one hit by small-amount payment hacking because of its reliance on a vulnerable Short Message Service (SMS) delivery method and on ultra-small base stations (femtocells).
A femtocell is an ultra-small base station that provides communications within a 10-meter radius. Femtocells are often installed where signals are weak. It is known that if a femtocell is hacked, text messages or authentication codes of nearby users connecting to KT's network can be stolen.
◇ Vulnerable text delivery method… among carriers, only KT decrypts at the base station
As of the 12th, according to the telecom industry, questions are being raised over whether KT's vulnerable text message delivery method became a target for hackers.
Typically, sending a text message from a mobile phone involves two stages. The segment between the phone and the base station is carried over the Air Network, and the segment from the base station to the mobile carrier's central server is carried over the Core Network. At KT, information is encrypted up to the ultra-small base station, the femtocell, but it is known that the encryption is removed inside the femtocell before the data enters the Core Network. As a result, if a femtocell is hacked or an unregistered base station connects to KT's network, data theft becomes easier.
By contrast, SK Telecom and LG Uplus use a method in which information remains encrypted from the Air Network through to the Core Network. Kim Yong-dae, a professor at the KAIST School of Electrical Engineering, said, "At SK Telecom and LG Uplus, the decryption stage runs on the user device, but at KT decryption occurs at the base station, which is a key difference," adding, "Both are technical standards, but in terms of responding to femtocell hacking, the SK Telecom approach is indeed safer."
◇ Among carriers, KT relies more on femtocells
Experts believe the KT unauthorized small-amount charge incident occurred through femtocell hacking. Some say KT became a hacking target because it relies heavily on femtocells. Among the three carriers, KT operates the most femtocells. According to the industry, KT operates 157,000 units, SK Telecom about 10,000, and LG Uplus 28,000 femtocells.
A telecom industry official said, "If existing femtocells were hacked, all 150,000-plus units would have to be inspected one by one. That would be an unprecedented situation," adding, "This is not a problem that can be solved by replacing a device or a USIM, so we also expect users gripped by anxiety to leave." Another telecom industry official said, "It seems the investigation is still underway, so they haven't even figured out how many femtocells have been breached or where they are," adding, "Because hacked ultra-small base stations are easy to install and remove, there is a possibility crimes could be committed while moving, which will heighten anxiety."
For now, it is unclear whether data theft occurred because existing femtocells operated by KT were hacked, or because hackers newly installed unregistered base stations and connected them to the network to steal information. Recently, KT reported to the Ministry of Science and ICT that there had been network access by unregistered base stations, but it has not yet been determined whether the hacking occurred only there.
Some also say it is easier to hack femtocells already operated by carriers. A cybersecurity industry official said, "If you hack a femtocell operated by a carrier, you don't need a separate authentication key value when linking to the carrier's central server, so hackers prefer it," adding, "Installing a new unregistered base station and connecting it to the network is a more difficult hacking method."
On the 10th, the Ministry of Science and ICT announced a measure to block connections of new ultra-small base stations to prevent additional hacking. But there are concerns that such measures would be ineffective if existing femtocells are exposed to hacking. Professor Kim Yong-dae said, "At this point we cannot tell whether femtocells operated by KT were hacked or only the unregistered base stations, commonly called ghost base stations, were hacked, so it is too soon to be reassured."