Joint Public-Private Investigation Team Probing Whether Issue Is Limited to Specific Devices
It has been revealed that the National Intelligence Service (NIS) directly confirmed in September that SMS encryption was disabled on certain KT smartphones, and subsequently notified KT and the Ministry of Science and ICT, judging this to be a national-level cybersecurity risk.
According to materials submitted by the NIS to Assemblywoman Choi Minhee of the National Assembly's Science, ICT, Broadcasting and Communications Committee on the 13th, the NIS conducted a verification process after receiving a report that "SMS encryption can be disabled on some KT smartphone models." The verification found a vulnerability in which messages were not protected by end-to-end encryption during transmission, making them potentially exposed in plain text on intermediate servers.
Telecommunications companies apply end-to-end encryption throughout the entire sending and receiving process, in accordance with recommendations from the International Organization for Standardization (ISO) and the Telecommunications Technology Association (TTA) of Korea, to prevent third parties from viewing message content. However, the NIS detected circumstances where this protection mechanism was rendered ineffective on certain KT smartphones. The NIS did not disclose specific models, details of the incident, or whether any actual information leakage had occurred.
Following this notification, a joint public-private KT hacking investigation team is further examining whether this phenomenon is limited to specific devices or if it could also occur across KT's entire subscriber network. Previously, in a small payment hacking incident, it was confirmed that hackers had stolen SMS and ARS authentication information from victims.
Additionally, another document obtained by Assemblywoman Choi’s office from the Ministry of Science and ICT is also amplifying the controversy. According to this document, KT confirmed an infection with the "BPFDoor" malware in March of last year, but only identified it internally in April, at which point they requested a vaccine update from Taiwanese security company Trend Micro. Trend Micro published a report on BPFDoor attacks targeting Korean telecommunications companies, but did not disclose the company name at the time, citing a request from the client.
The key issue is whether KT's response was transparent. Assemblywoman Choi’s office criticized KT, stating, "In conjunction with the NIS notification regarding SMS encryption vulnerabilities, KT failed to disclose the BPFDoor infection to the public for an extended period and responded passively." They also reiterated their intention to hold KT’s management fully accountable.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
