A claim has been raised on GitHub, a global developer community, that LG Uplus subscribers are exposed to voice phishing and smishing risks. LG Uplus was found to have linked phone numbers to International Mobile Subscriber Identity (IMSI) numbers and has been conducting a SIM swap service since on the 13th.
On the 15th, an anonymous user uploaded to GitHub a demonstration video that used an IMSI catcher acting as a fake base station to collect the IMSIs of LG Uplus subscribers and then find their phone numbers.
The user said, "I want to highlight a serious security situation related to LG Uplus, one of Korea's major telecom operators," adding, "They are currently offering a mass SIM replacement to all users due to a 'security issue,' but are not providing a substantive explanation. As a result, most users have no idea how vulnerable they are."
The user said that because LG Uplus set IMSIs to match phone numbers, a simple IMSI catcher would allow a hacker to collect the IMSIs (phone numbers) of all nearby devices. LG Uplus subscribers are exposed to targeted voice phishing and smishing, and if a hacker knows a specific person's phone number, they could even track the person's location.
The user said, "LG Uplus should not hide behind vague corporate jargon and should provide transparent explanations to customers," adding, "The Korean government should step in and hold LG Uplus accountable."
In response, LG Uplus said, "The demonstration video simply uses an IMSI catcher to obtain IMSI values and confirms that part of those values match mobile phone numbers; it does not show what risks one could be exposed to through the obtained IMSI values."
They added, "Obtaining phone IMSI values using an IMSI catcher is possible regardless of the carrier, and in the case of LG Uplus, it is only that phone numbers were used in the IMSI values. Since no other information was leaked, the relative risk is low."