Korean telco failed at femtocell security, exposed customers
"South Korea's Ministry of Science and ICT has found that local carrier Korea Telecom (KT) deployed thousands of badly secured femtocells, leading to an attack that enabled micropayments fraud and snooping on customers' communications - maybe for years. Femtocells are customer premises equipment which include a small mobile base station and use a wired broadband service for backhaul into a carrier's network. Carriers typically deploy them in areas where mobile network signals are weak to improve coverage in and around customers' homes."
"KT deployed thousands of the devices, all of which used the same certificate to authenticate to the carrier's network. According to analysis by Korean infosec academic and IEEE Fellow Yongdae Kim, the femtocells had no root password, stored keys in plaintext, and were remotely accessible because SSH was enabled. Attackers could therefore waltz in and retrieve the certificate, then use it to clone a femtocell that KT would treat as a legitimate device and happily connect to its network."
"Korea Telecom operates a micropayments service that allows its customers to pay for digital content using SMS messages. In September, the carrier investigated some of its customers' bills and detected the use of cloned femtocells in transactions valued at $169,000. The Ministry's report says 368 customers fell victim to the micropayment scam. Yongdae Kim wrote that the $169,000 haul "is absurdly small for this infrastructure sophistication." "Rational inference: la"
Korea Telecom deployed thousands of femtocells that used the same certificate to authenticate to its network. The devices lacked root passwords, stored keys in plaintext, and had SSH enabled, allowing remote access. Attackers could extract the certificate, clone femtocells, and connect to the carrier network as legitimate devices. Cloned femtocells caused customer devices to automatically connect, enabling interception of SMS messages and call metadata. The carrier's micropayments SMS service was abused in cloned-femtocell transactions totaling $169,000, affecting 368 customers. Attackers used one cloned femtocell for ten months across 2024 and 2025, and the shared certificate had a ten-year validity.
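The shared-certificate failure summarized above, as an added example that is not from the article, the Ministry's report or KT: a Python audit that flags certificate reuse and over-long validity in a device inventory, then shows why concurrent-use detection only identifies a clone when certificates are per-device. The record layouts, fingerprint labels, documentation-range IP addresses and the 398-day validity limit are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory rows: (device_id, cert_fingerprint, not_before, not_after).
INVENTORY = [
    ("femto-0001", "FP-SHARED", date(2020, 1, 1), date(2030, 1, 1)),
    ("femto-0002", "FP-SHARED", date(2020, 1, 1), date(2030, 1, 1)),
    ("femto-0003", "FP-UNIQUE-3", date(2025, 1, 1), date(2026, 1, 1)),
]
# Constructed gateway sessions: (cert_fingerprint, backhaul_ip, start_minute, end_minute).
SESSIONS = [
    ("FP-SHARED", "192.0.2.10", 0, 600),
    ("FP-SHARED", "198.51.100.7", 30, 500),
    ("FP-UNIQUE-3", "203.0.113.5", 0, 300),
    ("FP-UNIQUE-3", "203.0.113.5", 310, 600),  # same device reconnecting
]

def audit_inventory(rows, max_validity_days=398):
    """Return (fingerprints shared by >1 device, devices whose cert outlives the policy)."""
    by_fp = defaultdict(set)
    long_lived = []
    for device_id, fp, not_before, not_after in rows:
        by_fp[fp].add(device_id)
        if (not_after - not_before).days > max_validity_days:  # assumed policy limit
            long_lived.append(device_id)
    shared = {fp: sorted(ids) for fp, ids in by_fp.items() if len(ids) > 1}
    return shared, sorted(long_lived)

def concurrent_use(sessions):
    """Fingerprints seen from two different backhaul IPs in overlapping sessions."""
    by_fp = defaultdict(list)
    for fp, ip, start, end in sessions:
        by_fp[fp].append((ip, start, end))
    flagged = set()
    for fp, items in by_fp.items():
        for i, (ip_a, s_a, e_a) in enumerate(items):
            for ip_b, s_b, e_b in items[i + 1:]:
                if ip_a != ip_b and s_a < e_b and s_b < e_a:
                    flagged.add(fp)
    return sorted(flagged)

def clone_alerts(rows, sessions):
    """Concurrent use only identifies a clone when the certificate is per-device."""
    shared, _ = audit_inventory(rows)
    return [fp for fp in concurrent_use(sessions) if fp not in shared]

if __name__ == "__main__":
    print(audit_inventory(INVENTORY))
    print(concurrent_use(SESSIONS), clone_alerts(INVENTORY, SESSIONS))
```

With the shared fingerprint, overlapping sessions are normal fleet behaviour, so `clone_alerts` returns nothing for it; the same overlap on a per-device fingerprint is an actionable signal.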
Read at The Register