Korean telco failed at femtocell security, exposed customers to snooping and fraud
South Korea’s Ministry of Science and ICT has found that local carrier Korea Telecom (KT) deployed thousands of badly secured femtocells, leading to an attack that enabled micropayments fraud and snooping on customers’ communications – maybe for years.
Femtocells are customer premises equipment which include a small mobile base station and use a wired broadband service for backhaul into a carrier’s network. Carriers typically deploy them in areas where mobile network signals are weak to improve coverage in and around customers’ homes.
KT deployed thousands of the devices, all of which used the same certificate to authenticate to the carrier’s network. According to analysis by Korean infosec academic and IEEE Fellow Yongdae Kim, the femtocells had no root password, stored keys in plaintext, and were remotely accessible because SSH was enabled.
Attackers could therefore waltz in and retrieve the certificate, then use it to clone a femtocell that KT would treat as a legitimate device and happily connect to its network. And because the cert was set to expire after ten years, miscreants who understood these vulnerabilities had a long period in which to clone a femtocell and use it for evil. The Ministry’s report suggests attackers used one fake femtocell for ten months across 2024 and 2025.
The report also found that KT customers’ devices would automatically connect to a cloned femtocell, and that attackers could read those customers’ text messages and learn what numbers they called.
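An added example (not code from the Ministry's report, the police, or KT) of the fleet-side audit a carrier could run over its own femtocell authentication records to surface the three weaknesses described above: one certificate shared across many devices, certificates valid for far too long, and a single certificate presenting from more than one backhaul source, which is what a clone looks like from the core network. The record layout, the sample rows and the 825-day lifetime threshold are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not real KT data): one row per femtocell
# authentication event seen by the core network.
# (device serial, client cert fingerprint, cert not-after, backhaul source IP)
SAMPLE_EVENTS = [
    ("FC-0001", "sha256:aa11", "2031-03-01", "203.0.113.10"),
    ("FC-0002", "sha256:aa11", "2031-03-01", "203.0.113.11"),  # same cert as FC-0001
    ("FC-0003", "sha256:bb22", "2027-06-15", "203.0.113.12"),
    ("FC-0001", "sha256:aa11", "2031-03-01", "198.51.100.7"),  # FC-0001's cert from elsewhere
    ("FC-0004", "sha256:cc33", "2026-01-10", "203.0.113.13"),
]

def shared_fingerprints(events):
    """Certificates presented by more than one device serial (a shared-cert deployment)."""
    serials = defaultdict(set)
    for serial, fpr, _, _ in events:
        serials[fpr].add(serial)
    return {fpr: sorted(s) for fpr, s in serials.items() if len(s) > 1}

def overlong_validity(events, today, max_days):
    """Certificates whose remaining lifetime, in days, exceeds max_days."""
    flagged = {}
    for _, fpr, not_after, _ in events:
        remaining = (date.fromisoformat(not_after) - today).days
        if remaining > max_days:
            flagged[fpr] = remaining
    return flagged

def multi_source_fingerprints(events):
    """Certificates seen from more than one backhaul source: a possible cloned device."""
    sources = defaultdict(set)
    for _, fpr, _, src in events:
        sources[fpr].add(src)
    return {fpr: sorted(s) for fpr, s in sources.items() if len(s) > 1}

def audit(events, today=date(2025, 9, 1), max_days=825):
    """Run all three checks; the threshold is an assumed policy value, not KT's."""
    return {
        "shared": shared_fingerprints(events),
        "overlong": overlong_validity(events, today, max_days),
        "multi_source": multi_source_fingerprints(events),
    }

if __name__ == "__main__":
    for check, findings in audit(SAMPLE_EVENTS).items():
        print(check, findings)
```

In a real deployment the same cert from two sources at the same time is the strongest signal; the per-fingerprint source sets above are the input to that timing check.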
Micro-clues
Korea Telecom operates a micropayments service that allows its customers to pay for digital content using SMS messages. In September, the carrier investigated some of its customers’ bills and detected the use of cloned femtocells in transactions valued at $169,000.
The Ministry’s report says 368 customers fell victim to the micropayment scam.
Yongdae Kim wrote that the $169,000 haul “is absurdly small for this infrastructure sophistication.”
“Rational inference: large-scale data collection was primary. Someone’s greed exposed it. Without micropayment fraud, undetectable,” he added, suggesting that miscreants running cloned femtocells may have used their ability to access customers’ phones for surveillance.
That theory appears plausible for two reasons. One is that KT only has data on payments dating back to July 2024. The Ministry’s report therefore states it is not a definitive account of femtocell-related problems.
The other is that Korean police today published the results of their investigation into the matter, which turned up one fake femtocell that used a key installed in a device used on a Korean military base in 2019, and which went missing in 2020.
The police investigation found multiple cloned femtocells, plus evidence of a large gang running them. Police arrested 13 alleged participants and haven’t ruled out that the gang got some of the information it needed to run its ops from a previous attack on Korea Telecom that saw BPFDoor malware leak info from the carrier for three years starting in 2022. The investigation also alleges the perps went “war-driving” while running an illegal femtocell, to find more phones they could access. One of the arrested men tried to use a fake femtocell at Incheon Airport, on the same day someone else tried to export the cracked hardware to China.
The alleged mastermind of the gang remains at large but is the subject of an Interpol Red Notice.
South Korea’s government has reacted by insisting that KT let customers quit their contracts without penalty.
South Korea is currently a hotspot for bad security. Local e-tailer Coupang, and SK Telecom, are both in trouble for leaking millions of customer records. The nation has also endured a massive camera hijacking operation that grossly invaded some citizens’ privacy, and faces constant attacks and provocation from North Korea. ®