It has emerged that the "vendor authentication key" that small base stations (femtocells) operated by KT must present to connect to the internal core network was a single, identical key shared by every unit, exposing the network to security risk. The femtocell, identified as the means behind the recent unauthorized small-sum payment incident at KT, is an ultra-small base station that provides coverage within a roughly 10-meter radius. In theory, a hacker who obtained just one femtocell vendor authentication key could have entered and left KT's core network at will. This points to a structural flaw in the security authentication procedure itself, not merely a lapse in management.
According to the office of Kim Jang-kyom of the People Power Party, a member of the National Assembly's Science, ICT, Broadcasting and Communications Committee, on the 21st, KT used a single, universally applied "vendor authentication key" mounted inside femtocell devices rather than issuing one per product. KT's femtocell is a product jointly developed by KT and Korea-based telecom equipment company Innowireless. Since 2016, 256,000 units have been distributed and 189,000 are currently in operation, and all of those devices used the same vendor authentication key.
Presenting the vendor authentication key is a required step for connecting to the internal core network. The procedure by which femtocells operated by KT connect to the internal core network, the carrier's central server, is as follows. The KT femtocell holds the vendor authentication key in software form; when it contacts the KT core network, the authentication server checks that key and issues a certificate to the individual femtocell. From then on, the femtocell's connection to the core network is made using the issued certificate.
If a hacker had stolen a vendor authentication key capable of connecting to KT's internal core network, the structure would have allowed even an illegal femtocell to connect. This is because as long as the vendor authentication key is present inside the femtocell, KT's authentication server recognizes the device as a legitimate femtocell and issues a connection certificate.
Femtocells are installed at specific locations to eliminate dead zones. Therefore any unauthorized use, even of legitimate equipment, must be blocked immediately upon detection. In the case of LG Uplus, which uses products from the same manufacturer, each product's certificate (IPsec key) is assigned an individual number and managed in encrypted form.
On the 17th of this month, KT announced at a briefing titled "Announcement of comprehensive investigation results related to small-sum payment damage" that it had found 16 additional illegal femtocell IDs, bringing the total to 20.
Previously, KT acknowledged that it had effectively allowed connections to the internal network without re-verification by setting the validity period of femtocell certificates at 10 years. This revealed a critical vulnerability: even a femtocell that had been discarded or lost was still recognized by the system as a legitimate device, and the shared vendor authentication key made this easier still. Belatedly, KT shortened the validity period of femtocell certificates to one month and now requires a certificate to be reissued when a device reconnects after a reboot, but it appears difficult for the company to avoid responsibility for poor femtocell management.
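To make the difference concrete, here is an added toy model of the enrollment flow described above (a femtocell presents a vendor authentication key, the authentication server issues it a certificate, and the certificate then gates access to the core network). It is not code from KT, Innowireless or LG Uplus; all keys, device ids and day counts are constructed. It contrasts a shared vendor key with a per-device key, and checks the 10-year versus 1-month certificate lifetime and revocation of a lost unit at the core-network gate.

```python
from __future__ import annotations
from dataclasses import dataclass, field
import hmac

@dataclass
class Cert:
    device_id: str
    issued_day: int   # day number on which the certificate was issued
    valid_days: int   # validity window; KT used 10 years, later 1 month

@dataclass
class AuthServer:
    """Toy enrollment server. With shared_key set, any device presenting the
    vendor key is certified (the arrangement the article describes); with
    per_device_keys set, only a registered device presenting its own key is."""
    shared_key: bytes | None
    per_device_keys: dict[str, bytes] | None
    cert_valid_days: int
    revoked: set[str] = field(default_factory=set)   # discarded or lost units

    def enroll(self, device_id: str, presented: bytes, today: int) -> Cert | None:
        if self.per_device_keys is not None:
            expected = self.per_device_keys.get(device_id)   # unregistered id -> None
        else:
            expected = self.shared_key
        if expected is None or not hmac.compare_digest(expected, presented):
            return None
        return Cert(device_id, today, self.cert_valid_days)

    def admit(self, cert: Cert, today: int) -> bool:
        """Core-network gate: certificate must be unexpired and device not revoked."""
        if cert.device_id in self.revoked:
            return False
        return today < cert.issued_day + cert.valid_days

def compare_policies() -> dict[str, bool]:
    """Run one unregistered unit holding the vendor key through both servers."""
    vendor_key = b"constructed-shared-vendor-key"                      # constructed value
    shared = AuthServer(vendor_key, None, cert_valid_days=3650)        # 10-year certs
    registry = {"unit-0001": b"constructed-key-0001", "unit-0002": b"constructed-key-0002"}
    per_unit = AuthServer(None, registry, cert_valid_days=30)          # 1-month certs
    rogue_shared = shared.enroll("unregistered-unit", vendor_key, today=0)
    rogue_per_unit = per_unit.enroll("unregistered-unit", vendor_key, today=0)
    legit_a = per_unit.enroll("unit-0001", registry["unit-0001"], today=0)
    legit_b = per_unit.enroll("unit-0002", registry["unit-0002"], today=0)
    per_unit.revoked.add("unit-0002")                                  # unit reported lost
    return {
        "shared_key_certifies_unregistered_unit": rogue_shared is not None,
        "per_unit_key_rejects_unregistered_unit": rogue_per_unit is None,
        "ten_year_cert_still_admitted_after_5y": shared.admit(rogue_shared, today=5 * 365),
        "one_month_cert_rejected_after_5y": not per_unit.admit(legit_a, today=5 * 365),
        "lost_unit_rejected_after_revocation": not per_unit.admit(legit_b, today=1),
    }
```

Every entry in the returned dict is True, i.e. each of the five properties the article describes holds in the model.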
KT CEO Kim Young-shub appeared at a "hearing on the large-scale hacking incident and consumer damage" held at the National Assembly on the 24th of last month and, when asked how the company manages femtocells, said, "It is true that management was poor," and added, "Recovery management had also been poor, and after this incident we took steps to prevent (illegal femtocells) from attaching to the network."
Lawmaker Kim Jang-kyom said, "It is difficult to accept as a matter of common sense that KT used the same authentication key for hundreds of thousands of femtocells," and added, "This is not simply poor management but an abandonment of the carrier's basic duty of core network management. The government and carriers should take this incident as an opportunity to reexamine the entire core network authentication system and immediately implement user protection measures."