The unauthorized micro-payment hacking incident at KT should be interpreted as an eavesdropping incident on the national backbone communications network.
The National Future Strategy Technology Forum of the National Assembly was held on the 13th at the National Assembly Members' Office Building in Yeouido, Seoul, hosted by Rep. Choi Hyeong-du of the People Power Party and Rep. Kim Han-gyu of the Democratic Party of Korea, under the theme "K-security in crisis, Korea targeted by global hackers." On the day, Kim Yong-dae, a professor in the School of Electrical Engineering at KAIST, said, "Even if you follow the standards and recommendations of the 3rd Generation Partnership Project (3GPP) and the Telecommunications Technology Association (TTA), in hacking through femtocells (small base stations), text messages can be encrypted but call contents are not encrypted."
The public-private joint investigation team operated by the Ministry of Science and ICT announced on the 6th that from Aug. 1 last year to Sept. 10 this year, the personal information of 22,227 KT subscribers was leaked through 20 illegal femtocells, and 368 people suffered micro-payment damage totaling 243.19 million won. Femtocells, ultra-small base stations, are understood to have been illegally abused as the means of the KT unauthorized micro-payment crime.
In the KT hacking incident, the information the hacker needed for unauthorized micro-payments was name, phone number, date of birth, and ARS payment authentication number and text authentication. Professor Kim noted, "From a hacker's perspective, obtaining personal information is not difficult, but the next information likely had to be obtained by listening to call contents." He said, "Originally, a femtocell device must be plugged into a LAN cable, but in experiments, we found that if you attach a femtocell to an egg (portable Wi-Fi router) and an auxiliary battery, you can carry it anywhere and eavesdrop," adding, "We reported this to the three telecom companies 10 years ago."
The KAIST research team involving Professor Kim conveyed to the three telecom companies in 2014 that if a hacker compromised a femtocell, there were multiple security vulnerabilities, including eavesdropping on calls. He also released the video that had been shared with the three telecom companies that day.
Since 2016, KT has distributed 256,000 femtocells, and all of those devices used a single certificate, creating a structure in which illegal femtocells could easily access KT's internal network. Professor Kim said, "KT managed hundreds of thousands of femtocells with a single authentication key, which was cracked using equipment brought from China, enabling eavesdropping," adding, "If one intended to, illegal femtocells could attach to KT's network as much as they wanted." He said, "However, some within that organization went rogue and tried to make cash by doing micro-payments, which exposed the incident," expressing concern that "in the end, this could not have ended as a simple micro-payment case."
Warnings about structural problems have continued since the KT hacking incident. According to materials the National Intelligence Service (NIS) recently submitted to Rep. Choi Min-hee of the Democratic Party of Korea, chair of the National Assembly's Science, ICT, Broadcasting and Communications Committee, after confirming in September that encryption of text messages (SMS) was being disabled on some KT smartphones, it officially notified KT and the Ministry of Science and ICT, judging it to be critical information that could threaten national cyber security. The NIS identified a vulnerability in which text communications are not protected by end-to-end encryption, allowing decryption on intermediate servers.
Professor Kim raised legal issues regarding why Korea has become a target for hackers. Article 48, Paragraph 1 of the Act on Promotion of Information and Communications Network Utilization and Information Protection currently states, "No one shall intrude into an information and communications network without proper access authorization or by exceeding granted access authorization." He said, "Hackers find vulnerabilities in corporate networks and attack them, but when I asked the Korea Internet & Security Agency (KISA) whether it should find and report network vulnerabilities to corporations, they said it was impossible because it would violate Article 48, Paragraph 1," adding, "Because of that provision, Korea is vulnerable to hacker attacks."
On the day, Kim Jae-ki, head of the S2W Threat Intelligence Center, gave a presentation under the theme "Expanding cyberthreats: from virtual worlds to industrial sites," warning of hacking attacks via subcontractors. Kim said, "As corporations are increasingly collaborating with external vendors rather than handling everything in-house to conduct their work, the exposure to risks in management and security has grown, making collaboration necessary for response as well."
Kim advised that, as a matter of policy, security requirements related to sensitive and personal information protection should be clearly specified in contracts, and when establishing an incident response plan, the procedures for responding to incidents and the scope of responsibility should be clearly defined. As practical measures, he proposed maintaining security through continuous security audits and monitoring of leaked information; regular inspection and evaluation of security measures by trustees; and education and training related to personal information protection for trustee employees.