South Korea Skates on Thin Ice with 5G-based IoT

By Heeu Millie Kim

Smartphone on SK Telecom’s network. The greater bandwidth and connectivity of 5G networks also present broader cybersecurity challenges for South Korea. Source: TheBetterDay’s flickr photostream, used under a Creative Commons license.

In 2013, external malware linked to North Korea, “DarkSeoul,” crippled South Korean banks, media stations, and cellular networks by damaging more than 32,000 computers and servers. Among the targeted companies was LG Uplus, a South Korean tech giant leading the current Fifth Generation (5G) Internet of Things (IoT) revolution. LG Uplus successfully tested the first-ever 5G-connected car in traffic a month before launching the world’s first commercialized 5G network with SK Telecom and KT Corporation on April 3. Yet, such rapid 5G-IoT development without parallel cybersecurity protections will only increase the risk of cyberattacks for South Korea, especially if external threats like “DarkSeoul” persist. With speeds 20 times faster and coverage 100 times greater than Long-Term Evolution (LTE) networks, 5G will allow less time for security measures to prevent hackers from mining personal, financial, and government data from IoT devices.

According to the 2019 Sophos Threat Forecast Report, infiltrations for data theft and espionage specifically targeting IoT devices will only intensify with 5G. With reduced latency, IoT gadgets will become even more susceptible to cryptocurrency mining and Distributed Denial of Service (DDoS) attacks, which temporarily and maliciously disrupt Internet traffic. To put this into perspective, enhanced connectivity means consumers download malware in mere seconds and hackers access a million IoT devices within 1 square kilometer from a single breach point. U.S. malware, VPNFilter and the Mirai botnet, were able to narrowly target IoT home devices in 2018 and 2016, respectively, because objects that bypass the central network become vulnerable targets for cyberattacks. North Korea’s July 2009 infiltration of 400,000 computers was also a DDoS attack, which similarly started from an attack on a subsidiary of the main target.

Given private and public cooperation on autonomous vehicles, driverless vehicles will be the next breakthrough in 5G-based IoT, and South Korea is in the driver’s seat. The Moon administration plans to invest $1.7 billion this year and increase its research and development budget for autonomous vehicle technology by 40 percent in 2020. Considering big investors like Samsung Electronics, total investments are expected to exceed $25 billion to operate 5G-buses by 2025. Given this close reality, road safety can only be guaranteed if loopholes endangering the security of 5G-IoT devices are addressed.

For South Korea’s autonomous cars, which utilize the 5G network for faster vehicle-to-everything communication, susceptibilities to external attacks present a critical challenge. Earlier this year, the 3rd Generation Partnership Project (3GPP) reported that a protocol meant to check attacks on 5G networks fails to protect against third-party interventions. With 5G-based cars, a disruption in real-time signals no longer endangers just personal data and financial accounts, but also the physical safety of passengers and neighboring cars. The safety of consumers can be directly exploited by hackers ambushing 5G’s mass data cloud, which stores high-precision navigational and locational data. 5G application to everyday objects radically changes the frequency and nature of conventional cybersecurity attacks.

Cybersecurity threats are not purely externally rooted. LG Uplus partners with one of China’s leading technology firms, Huawei Technologies, to implement 5G in South Korea. In 2014, the United States expressed concern that Huawei’s equipment could be used to spy on U.S.-ROK communications, but to no avail. Recently in June, U.S. Ambassador to South Korea Harry Harris told Cheong Wa Dae that the U.S. would withhold sensitive information if Korean companies continue to use Huawei equipment. He publicly urged LG Uplus to choose a supplier they can trust. In response, a Ministry of Science and ICT official stated, “It’s up to the telecoms to decide which company’s equipment to buy.” LG Uplus has already built 15,000 base stations using Huawei’s cheaper 4G and LTE network, adding to a 5G OpenLab Huawei individually operates in South Korea. The United Kingdom’s Huawei Cyber Security Evaluation Centre (HCSEC) 2019 Report published in March warns of Huawei’s ability to freely survey and exploit data transmitted over the network. Based on the report and potential to complicate alliance relations, Huawei’s 5G infrastructure procurement deals in South Korea should alarm both domestic firms and the government.

As of now, the South Korean government plans to ease regulations on 5G businesses in order to encourage investment in five 5G-based core services including autonomous vehicles. Instead of reinforcing protections, the National Assembly is reviewing revisions to the Law on the Protection and Use of Location Information to reduce barriers to entry for 5G and IoT convergence services that utilize location information. On April 3, Cheong Wa Dae’s National Security Office published the National Cyber Security Strategy report, which discussed cybercrimes, but not suggestions for revised security guidelines. This report followed the 2018 Defense Cyber Security Conference where South Korean cyber experts emphasized the lack of funding and cyber-defense measures.

With the rapid implementation of 5G and sluggish progress on bolstering cybersecurity mechanisms, the gap between South Korea’s technological advancement and cyber protections will only continue to grow. Loopholes and malware will always infest an evolving network. Going forward, the fundamental question is not how much investment the South Korean government and tech firms can secure for 5G, but how much security they can provide.

Ms. Heeu Millie Kim is a research intern with the Korea Chair at CSIS.
