Security
Learning from South Korean Telco Breaches
December 29, 2025
2:45 PM – 3:45 PM Add to calendar
2:45 PM – 3:45 PM Add to calendar
Fuse
2025 was a bad year for South Korean mobile network operators. All three operators (SK Telecom, KT, LG U+) were affected by breach in some part of their respective network: HSS of SK Telecom, femtocells of KT. Meanwhile, handling of the breach by each operators and post-mortem analysis of each breaches have stark differences. The technical details and implemented mitigations are often buried under the vague terms, and occasionally got lost in translation to English. In this talk, I will cover the technical aspects of SK Telecom and KT's breach, and how the operators are coping to the breach and what kind of measurements have been performed to secure their network.
This talk will cover the public information and experiments related to the South Korean telco breaches in 2025. This talk will cover SK Telecom's HSS breach (final results announced), KT's femtocell breach (investigation ongoing) and related operator billing fraud, and revisit Phrack report on KT and LG U+ breach. We also give a light on the detail regarding the implemented mitigation and diaster response of each operators.
SK Telecom's HSS breach is attributed to a variant of BPFDoor malware, resulting leakage of critical operator data related to subscriber authentication and accounting. They replaced the SIM cards of all 23 million subscribers, and implemented additional mechanism to track the possible cloning of the SIM card. We analyze the aftermath and how it will effectively protect against the said attack.
KT's femtocell and operator billing breach (investigation still ongoing as the time of writing) is attributed to the mismanagement of KT's femtocell, allowing an external attacker to mimick the behavior of KT's legitimate femtocell and use as a cellular interception device. This is a modern implementation of the remarkable research "Weaponizing Femtocells" back in 2012, and new cellular technologies like VoLTE have changed the possible attack vectors. We provide a possible theory on how the attack would be possible, based on the publicly available information and previous researches.
Finally, we also cover the characteristics of South Korean mobile market and how the media caused the inaccurate analysis and FUD (fear, uncertainty, and doubt). In particular, how SMS-based 2FA is tied to personal authentication and how everything is strongly bound to the personal identity. Early media reports could be attributed to the information "lost in translation" and inaccurate information in English-language articles when the details of the breach were not widely shared. We try to correct the information (also in the official incidence report) and showcase how not to report the breach in general.
Additional information
| Live Stream | https://streaming.media.ccc.de/39c3/fuse |
|---|---|
| Type | Talk |
| Language | English |
More sessions
| 12/27/25 |
The Great Firewall of China (GFW) is one of, if not arguably the most advanced Internet censorship systems in the world. Because repressive governments generally do not simply publish their censorship rules, the task of determining exactly what is and isn’t allowed falls upon the censorship measurement community, who run experiments over censored networks. In this talk, we’ll discuss two ways censorship measurement has evolved from passive experimentation to active attacks against the Great ...
|
| 12/27/25 |
Reports of GNSS interference in the Baltic Sea have become almost routine — airplanes losing GPS, ships drifting off course, and timing systems failing. But what happens when a group of engineers decides to build a navigation system that simply *doesn’t care* about the jammer? Since 2017, we’ve been developing **R-Mode**, a terrestrial navigation system that uses existing radio beacons and maritime infrastructure to provide independent positioning — no satellites needed. In this talk, ...
|
| 12/27/25 |
Zwei Jahre nach dem ersten KIM-Vortrag auf dem 37C3: Die gezeigten Schwachstellen wurden inzwischen geschlossen. Weiterhin können mit dem aktuellen KIM 1.5+ nun große Dateien bis 500 MB übertragen werden, das Signaturhandling wurde für die Nutzenden vereinfacht, indem die Detailinformationen der Signatur nicht mehr einsehbar sind. Aber ist das System jetzt sicher oder gibt es neue Probleme?
|
| 12/27/25 |
While trying to apply fault injection to the AMD Platform Security Processor with unusual (self-imposed) requirements/restrictions, it were software bugs which stopped initial glitching attempts. Once discovered, the software bug was used as an entry to explore the target, which in turn lead to uncovering (and exploiting) more and more bugs, ending up in EL3 of the most secure core on the chip. This talk is about the story of trying to glitch the AMD Platform Security Processor, then ...
|
| 12/27/25 |
The Deutschlandticket was the flagship transport policy of the last government, rolled out in an impressive timescale for a political project; but this speed came with a cost - a system ripe for fraud at an industrial scale. German public transport is famously decentralised, with thousands of individual companies involved in ticketing and operations. Unifying all of these under one national, secure, system has proven a challenge too far for politicians. The end result: losses in the hundreds of ...
|
| 12/27/25 |
In August 2024, Raspberry Pi released their newest MCU: The RP2350. Alongside the chip, they also released the RP2350 Hacking Challenge: A public call to break the secure boot implementation of the RP2350. This challenge concluded in January 2025 and led to five exciting attacks discovered by different individuals. In this talk, we will provide a technical deep dive in the RP2350 security architecture and highlight the different attacks. Afterwards, we talk about two of the breaks in ...
|
| 12/27/25 |
FreeBSD’s jail mechanism promises strong isolation—but how strong is it really? In this talk, we explore what it takes to escape a compromised FreeBSD jail by auditing the kernel’s attack surface, identifying dozens of vulnerabilities across exposed subsystems, and developing practical proof-of-concept exploits. We’ll share our findings, demo some real escapes, and discuss what they reveal about the challenges of maintaining robust OS isolation.
|
