The Femtocell Fallout: How a Single “Master Key” Exposed Millions of KT Users
South Korea’s Ministry of Science and ICT has stated that Korea Telecom (KT) may have exposed its subscribers to risk for years due to poorly secured home mini base stations. According to the ministry, these vulnerabilities enabled attackers to clone devices, read SMS messages, identify who users were calling, and carry out fraudulent transactions through a micropayment service.
The issue centers on femtocells—compact base stations designed for homes or offices, typically deployed in areas with weak cellular coverage. In such setups, communication is routed over wired internet connections that link back to the operator’s core network. KT had deployed several thousand of these devices, and investigations revealed that all of them relied on the same authentication certificate to connect to the operator’s network.
The problem extended beyond the shared certificate. South Korean information security expert Yongdae Kim noted that the femtocells had no root password, stored their cryptographic keys in plain text, and had SSH enabled, which left remote access open to anyone who could reach a device. Taken together, this meant that an attacker who got into any single unit could copy the certificate and the keys stored alongside it and build a clone that KT's network would accept as a legitimate femtocell.
Compounding the risk, the certificate had been issued with a ten-year validity period, so a copy extracted from one device stayed usable for years, and since every device shared it, the network had no way to tell a clone from a genuine unit. This gave anyone aware of the weaknesses ample time to quietly deploy counterfeit femtocells and exploit them. The ministry's report states that one such clone operated for roughly ten months during 2024 and 2025.
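The two weaknesses described above (one certificate shared by every device, and a validity period long enough to hide a clone for months) are things an operator can audit from its own inventory and gateway logs. The Python below is an added example, not KT's code or anything from the ministry's report; the device IDs, fingerprints, dates and log lines are constructed for illustration and the log format is assumed. It flags any certificate fingerprint presented by more than one device, any certificate valid for longer than a chosen maximum, and any device identity that authenticates from two different source addresses within a short window, which is a clone indicator when each femtocell has exactly one wired uplink.

```python
"""Fleet audit for femtocell client certificates (constructed example)."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed inventory: one record per femtocell with the SHA-256 fingerprint
# of the client certificate it presents to the operator's gateway. Device IDs,
# fingerprints and dates are invented for this example.
INVENTORY = [
    {"device": "fc-0001", "fingerprint": "3f9a1c", "not_before": "2016-03-01", "not_after": "2026-03-01"},
    {"device": "fc-0002", "fingerprint": "3f9a1c", "not_before": "2016-03-01", "not_after": "2026-03-01"},
    {"device": "fc-0003", "fingerprint": "3f9a1c", "not_before": "2016-03-01", "not_after": "2026-03-01"},
    {"device": "fc-0004", "fingerprint": "b7e2d0", "not_before": "2024-01-15", "not_after": "2024-07-15"},
]

# Constructed gateway authentication log (assumed format), one event per line:
# "<ISO timestamp> <device id asserted in the session> <cert fingerprint> <source IP>".
AUTH_LOG = """\
2024-05-02T08:00:00 fc-0001 3f9a1c 203.0.113.10
2024-05-02T08:05:00 fc-0002 3f9a1c 203.0.113.11
2024-05-02T08:20:00 fc-0001 3f9a1c 198.51.100.77
2024-05-02T09:00:00 fc-0004 b7e2d0 203.0.113.40
2024-05-03T09:00:00 fc-0004 b7e2d0 203.0.113.40
"""


def shared_certificates(inventory):
    """Return {fingerprint: [device ids]} for every certificate used by more than one device.
    With per-device credentials each fingerprint should map to exactly one device."""
    by_fp = defaultdict(list)
    for rec in inventory:
        by_fp[rec["fingerprint"]].append(rec["device"])
    return {fp: devs for fp, devs in by_fp.items() if len(devs) > 1}


def overlong_validity(inventory, max_days=365):
    """Return [(device, validity_days)] for certificates valid longer than max_days.
    A short lifetime bounds how long a stolen credential stays usable."""
    hits = []
    for rec in inventory:
        days = (date.fromisoformat(rec["not_after"]) - date.fromisoformat(rec["not_before"])).days
        if days > max_days:
            hits.append((rec["device"], days))
    return hits


def parse_auth_log(text):
    """Parse the whitespace-separated log format constructed above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, fp, ip = line.split()
        events.append({"time": datetime.fromisoformat(ts), "device": device,
                       "fingerprint": fp, "src_ip": ip})
    return events


def concurrent_use(events, window=timedelta(hours=1)):
    """Return [(device, ip_a, ip_b)] where one device identity authenticated from two
    different source addresses within `window`. A real femtocell sits on a single
    wired uplink, so this pattern points to a clone presenting the same credential.
    The check keys on the asserted device identity: with a fleet-wide shared
    certificate the fingerprint alone cannot tell any two devices apart."""
    by_dev = defaultdict(list)
    for ev in events:
        by_dev[ev["device"]].append(ev)
    hits = []
    for device, evs in by_dev.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            if cur["src_ip"] != prev["src_ip"] and cur["time"] - prev["time"] <= window:
                hits.append((device, prev["src_ip"], cur["src_ip"]))
    return hits


if __name__ == "__main__":
    print("shared certificates:", shared_certificates(INVENTORY))
    print("over-long validity:", overlong_validity(INVENTORY))
    print("concurrent use:", concurrent_use(parse_auth_log(AUTH_LOG)))
```

On the constructed data the first check reports fingerprint `3f9a1c` on three devices, the second reports those three certificates as valid for 3652 days, and the third reports `fc-0001` authenticating from `203.0.113.10` and then `198.51.100.77` twenty minutes later. The concurrent-use check is the only one that works after the fact; the other two are the controls that should have prevented the situation in the first place.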
The threat was further amplified by how handsets select a cell. According to the report, subscribers' phones attached to a counterfeit femtocell automatically, as they would to any legitimate cell of their operator, with no action required from the user. Once a phone was attached, the attackers could read the victim's text messages and see which numbers they were calling.
The issue came to light after KT detected anomalies in customer billing. The operator offers a micropayment service in which subscribers authorize digital content purchases via SMS. In September, the company reviewed transaction records and discovered charges totaling approximately $169,000 that had been conducted using cloned femtocells. The ministry reported that 368 customers fell victim to the fraud.
Yongdae Kim, however, highlighted a puzzling detail: given the effort needed to run infrastructure of this kind, the financial take was modest. He suggested that micropayment fraud may not have been the primary objective but an incidental activity that exposed more serious operations, such as large-scale data collection and covert surveillance. The ministry's own findings leave this question open: KT's payment records only go back to July 2024, so the ministry explicitly describes its findings as incomplete and does not claim to know how long the abuse continued.
Additional details emerged from the police investigation. Authorities reported that at least one counterfeit femtocell used a key originally installed on a device deployed at a military base in 2019 and reported missing in 2020. Investigators also uncovered multiple cloned devices and evidence pointing to an organized group. Thirteen suspects have been arrested, while the alleged ringleader remains at large and is the subject of an Interpol red notice.
Investigators do not rule out the possibility that some of the information the criminals needed originated from an earlier breach at KT. They have pointed to the BPFDoor malware and a data leak that allegedly persisted for three years starting in 2022. Police also stated that members of the group engaged in "wardriving," traveling with an illicit femtocell to find new phones that would attach to it. One incident cited occurred at Incheon International Airport, where a suspect attempted to use a fake femtocell on the same day that another individual, according to investigators, tried to smuggle compromised equipment out of the country to China.
In response to the investigation, the government ordered KT to allow customers to terminate their contracts without penalties. The episode fits into a broader atmosphere of growing concern over cybersecurity in South Korea. In recent months, the country has grappled with major data breaches at domestic companies, egregious invasions of privacy through hacked cameras, and persistent cyber threats linked to North Korea.