Graphic = Son Min-kyun

After detecting a hacking attack on the 18th, SK Telecom is replacing subscriber identification devices (USIMs) free of charge, setting off a nationwide 'USIM crisis.' According to the first investigation results from the Ministry of Science and ICT's public-private joint investigation team, there has been no leakage of the unique device identification number (IMEI), but the anxiety among SK Telecom subscribers is not easily dissipating.

So, can a hacker create a cloned phone using the USIM information they have stolen, and could scenarios like unexpected financial fraud occur in reality? ChosunBiz has summarized questions regarding the 'SK Telecom USIM information hacking incident' with input from Professor Park Chun-sik of Ajou University’s Cybersecurity Department, Professor Lee Kyung-ho of Korea University’s Graduate School of Information Security, and Chairman Yeom Heung-yeol of the Korea Personal Information Protection Committee (Professor Emeritus of Information Security at Soonchunhyang University).

Graphic = Jeong Seo-hee

-What is a USIM (Subscriber Identification Module)?

It is a type of 'identification card' that stores information needed for the telecommunications company to identify customers. Based on the information stored in the USIM, telecommunications companies can charge fees. When purchasing a new smartphone or replacing it with another device, the USIM must be inserted before turning on the power for communication to be possible. An unregistered device cannot make calls or send text messages.

-What information is contained in a USIM?

Basically, it contains ▲ phone number ▲ USIM authentication key ▲ International Mobile Subscriber Identity (IMSI) ▲ USIM card identifier (ICCID) ▲ service subscription information. Depending on the company, ▲ unique device identification number (IMEI) may also be included. Telecommunications companies combine the IMSI and IMEI to authenticate subscribers and charge fees. Knowing the USIM information allows checking the subscriber's billing information or roaming history. However, the user’s financial account passwords or joint certificate passwords are not stored on the USIM.

-What information was leaked in the SK Telecom USIM information hacking incident?

According to government announcements, four types of information that could be used for USIM duplication, such as subscriber phone numbers and IMSI, along with 21 types of management information necessary for processing USIM information at SK Telecom, have been leaked. However, it has been confirmed that the information contained in the USIM, including the IMEI, was not leaked. SK Telecom manages the IMEI on servers separate from the voice authentication equipment (HSS) that was hacked. The IMEI is a 15-digit number assigned by manufacturers when they produce devices and contains information such as the device manufacturer, model, and serial number.

It is suspected that the hacker who attacked SK Telecom compromised the entire server. The timing of the hacking and the number of affected subscribers will require further investigation to determine.

-Can a cloned phone be created if the USIM information is hacked?

Yes. This is the worst-case scenario that could result from the incident. It's also referred to as 'SIM swapping.' If USIM information is input into another USIM, the device that the original subscriber was using becomes inoperable, and the phone held by the hacker gets activated. Cases of SIM swapping have occurred both overseas and domestically.

With a cloned phone, various crimes can be committed. A hacker can impersonate the subscriber to commit voice phishing crimes. While the possibility of the cloned phone containing contacts from the subscriber’s address book is low, if all communications are routed through the cloned phone, gaining access to the address book is only a matter of time.

For the hacker to commit financial fraud using the cloned phone, they would also need the subscriber's financial application (app) PIN, joint certificate password, and other information. This means that just because a cloned phone has been created, it does not immediately imply that the subscriber's bank account will be emptied.

However, users should be cautious about smishing (SMS phishing) attacks that induce the installation of malicious apps. Combining cloned phone information with information obtained through smishing could lead to financial fraud. Currently, SK Telecom is operating an unauthorized authentication blocking system (FDS) to detect and block in advance attempts to access its network with illegally cloned USIMs.

-If the IMEI was not leaked, is there no concern for SIM swapping?

It doesn't completely eliminate the risk, but it is reduced if you are subscribed to a USIM protection service. The IMEI is the unique number assigned to each device.

If the hacker possesses the subscriber's phone number and IMSI along with other information, they could attempt to change the IMEI while trying to clone a phone. However, the likelihood of success is low because the IMEI entered in the HSS managed by the telecommunications company must match the IMEI of the device the hacker has.

The USIM protection service manages the IMSI and IMEI together, making it impossible to use a cloned USIM in a device with a different registered IMEI.
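The binding described above can be sketched from the operator's side. This is an added example, not SK Telecom's implementation: the policy, function names, decision strings, and the IMSI and IMEI values (all constructed) are assumptions. It validates the 15-digit IMEI with its Luhn check digit, then compares the attaching device against the IMEI registered for that IMSI.

```python
# Added illustration, not SK Telecom's code. Policy and all values are assumed.

def luhn_check_digit(first14: str) -> str:
    """Compute the 15th IMEI digit (Luhn) from the first 14 digits."""
    total = 0
    for i, ch in enumerate(first14):
        d = int(ch) * 2 if i % 2 == 1 else int(ch)  # double every second digit
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def parse_imei(imei: str):
    """Split a valid IMEI into TAC (maker/model), serial and check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return None
    if luhn_check_digit(imei[:14]) != imei[14]:
        return None
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}

def evaluate_attach(bindings, protected, imsi, imei):
    """Decide on one attach request under the assumed binding policy."""
    if parse_imei(imei) is None:
        return "reject: malformed IMEI"
    registered = bindings.get(imsi)
    if registered is None:
        return "reject: unknown IMSI"
    if imei == registered:
        return "allow"
    if imsi in protected:  # protection service: IMSI is locked to one IMEI
        return "reject: IMSI bound to a different IMEI"
    return "allow and alert: device change on unprotected line"

# Constructed sample data (test-network IMSIs, made-up IMEIs).
IMSI_A, IMSI_B = "001010000000001", "001010000000002"
IMEI_A = "00101234000001" + luhn_check_digit("00101234000001")
IMEI_B = "00101234000002" + luhn_check_digit("00101234000002")
IMEI_OTHER = "00105678000009" + luhn_check_digit("00105678000009")

BINDINGS = {IMSI_A: IMEI_A, IMSI_B: IMEI_B}
PROTECTED = {IMSI_A}  # only subscriber A has joined the protection service

def review(events):
    """Return the decision for each (imsi, imei) attach event."""
    return [evaluate_attach(BINDINGS, PROTECTED, i, e) for i, e in events]

if __name__ == "__main__":
    events = [(IMSI_A, IMEI_A), (IMSI_A, IMEI_OTHER), (IMSI_B, IMEI_OTHER)]
    for event, decision in zip(events, review(events)):
        print(event, "->", decision)
```

The third event shows why the article says the risk is only reduced for subscribers of the protection service: on an unprotected line, the same IMSI on a different device is at most flagged for fraud detection.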

-Should I definitely change my USIM?

It is recommended to change it. If you cannot replace your USIM right away, you should subscribe to a USIM protection service. The USIM protection service is a system that fundamentally prevents USIM cloning attempts. To prevent secondary harm, you should also check that no malicious apps have been installed. When downloading apps, it is recommended to obtain them from official app stores rather than from unofficial sites.

-There have been many personal data leakage incidents in the past; what are the characteristics of this incident?

The theft of a means of identity verification carries a significant risk of secondary harm. While it is difficult to ascertain the hacker's attack motive, there is a possibility that financial gain through fraud is the primary objective. Compared to past incidents involving personal data theft from subscribers at KT and LG Uplus, the potential for the hacker to exploit this situation appears higher, necessitating responsive measures to prevent further damage.