Korea Telecom Femtocell Security Breach Leads to Widespread Fraud and Snooping

January 6, 2026

South Korea’s Ministry of Science and ICT has uncovered a significant security lapse involving Korea Telecom (KT), which deployed thousands of poorly secured femtocells. These vulnerabilities facilitated a long-term attack that enabled micropayments fraud and unauthorized access to customer communications, possibly spanning several years.

What Are Femtocells?

A femtocell is a compact piece of customer premises equipment containing a small mobile base station that connects to the carrier’s network through wired broadband backhaul. Typically installed in areas with weak mobile signals, femtocells help improve coverage in and around users’ homes.

The Security Flaws in KT’s Deployment

KT deployed thousands of femtocells that all used the same certificate for network authentication. Analysis by IEEE Fellow and infosec researcher Yongdae Kim revealed critical vulnerabilities:

  • No root passwords on the femtocells
  • Cryptographic keys stored in plaintext
  • Remote access enabled via SSH

Because of these flaws, attackers could easily access the devices, extract certificates, and clone femtocells, which would be accepted as legitimate by KT’s network. The shared certificate was valid for ten years, giving malicious actors a prolonged window—up to ten months, in some cases—to clone and deploy femtocells for malicious purposes.
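
A fleet audit for the flaws listed above, as an added example that is not from the article, KT or the researcher: it flags devices that share one certificate fingerprint, carry a long-lived certificate, have no root password, expose SSH, or store keys in plaintext. The inventory records, field names and the 730-day validity limit are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date

MAX_VALIDITY_DAYS = 730  # assumed policy limit, not a figure from the article

# Constructed inventory records; every field name and value is hypothetical.
FLEET = [
    {"serial": "FC-0001", "cert_sha256": "aa11", "not_before": date(2016, 1, 1),
     "not_after": date(2026, 1, 1), "root_password_set": False,
     "ssh_enabled": True, "key_storage": "plaintext"},
    {"serial": "FC-0002", "cert_sha256": "aa11", "not_before": date(2016, 1, 1),
     "not_after": date(2026, 1, 1), "root_password_set": False,
     "ssh_enabled": True, "key_storage": "plaintext"},
    {"serial": "FC-0003", "cert_sha256": "c3d4", "not_before": date(2025, 1, 1),
     "not_after": date(2026, 1, 1), "root_password_set": True,
     "ssh_enabled": False, "key_storage": "secure-element"},
]

def audit_fleet(fleet, max_validity_days=MAX_VALIDITY_DAYS):
    """Return {serial: [findings]} for every device with at least one finding."""
    # Group serials by certificate fingerprint: a per-device identity
    # credential should map to exactly one serial.
    by_cert = defaultdict(list)
    for dev in fleet:
        by_cert[dev["cert_sha256"]].append(dev["serial"])

    report = {}
    for dev in fleet:
        findings = []
        sharers = by_cert[dev["cert_sha256"]]
        if len(sharers) > 1:
            # One extracted key would impersonate every device in this group.
            findings.append(f"shared-cert:{len(sharers)}-devices")
        if (dev["not_after"] - dev["not_before"]).days > max_validity_days:
            findings.append("long-lived-cert")
        if not dev["root_password_set"]:
            findings.append("no-root-password")
        if dev["ssh_enabled"]:
            findings.append("ssh-enabled")
        if dev["key_storage"] == "plaintext":
            findings.append("plaintext-key")
        if findings:
            report[dev["serial"]] = findings
    return report

if __name__ == "__main__":
    for serial, findings in audit_fleet(FLEET).items():
        print(serial, ", ".join(findings))
```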

How Attacks Were Carried Out

Cloned femtocells automatically connected to KT customer devices, exposing subscriber information, reading text messages, and logging call data. Attackers allegedly cloned up to 20 femtocells and operated them over a period extending into 2024 and 2025. Notably:

  • Attacks targeted the micropayments system, leading to fraudulent transactions totaling approximately $169,000
  • An estimated 368 customers were affected by micropayment scams

Potential for Broader Surveillance

Yongdae Kim noted that the relatively small financial losses might be a cover-up for larger-scale data collection efforts. The attack hints at potential surveillance activities utilizing the cloned femtocells, with access to customer mobile data possibly being exploited for espionage.

Ongoing Investigations and Legal Actions

Korean authorities are probing the incident, uncovering several cloned femtocells, including one linked to a device used on a military base in 2019 that went missing in 2020. The police arrested 13 individuals, including two Chinese nationals, and linked the operation to a large gang involved in illegal femtocell deployment.

There is speculation that past malware attacks on KT may have supplied the gang with necessary data. The investigation found evidence of "war-driving," with suspects attempting to extend their access at locations like Incheon Airport. The suspected mastermind remains at large, with an Interpol Red Notice issued against them.

Government Response and Broader Concerns

The Korean government has ordered KT to allow customers to terminate contracts without penalty. This incident underscores Korea’s ongoing struggles with cybersecurity, with recent high-profile breaches including:

  • Leaks of millions of customer records by Coupang and SK Telecom
  • Massive camera hijacking operations compromising citizens’ privacy
  • Continuous cyberattacks from North Korea

The security vulnerabilities exposed in KT’s femtocell deployment highlight the urgent need for more robust safeguards across South Korea’s digital infrastructure.


Note: Ongoing investigations and the evolving nature of this breach could reveal further details.