KAIST: Mandatory Security Software Can Be Exploited as a Hacking Vector
South Korea is the only country where it is mandatory to install financial security software. However, concerns have been raised that such financial security software could actually increase exposure to security threats. Experts suggest that, rather than forcing the installation of security programs, a "fundamental shift" is needed: one that follows the safety rules and web standards set by websites and internet browsers.
(Top row from left) Professor Kim Yongdae, Professor Yoon Insu, Professor Kim Hyungsik, Professor Kim Seungjoo (Bottom row from left) Researcher Yoon Taesik, Researcher Lee Yonghwa, Researcher Jung Suhwan and other members of the joint research team. Provided by KAIST
KAIST announced on June 2 that a research team led by Professors Kim Yongdae and Yoon Insu from the Department of Electrical Engineering, together with Professor Kim Seungjoo's team from Korea University, Professor Kim Hyungsik's team from Sungkyunkwan University, and a research team from the security company Theori, has analyzed the "structural vulnerabilities of Korean financial security software."
The joint research team first focused on why Korean security software is a primary target in North Korean cyberattacks and conducted a root cause analysis. As a result, both structural design flaws and implementation vulnerabilities in domestic security software were revealed.
Most notably, the mandatory installation of security programs when using financial and public services in Korea serves as one of the main reasons these programs become prime targets of cyberattacks. Structural flaws and implementation vulnerabilities are being exploited as attack vectors.
For example, the joint research team analyzed seven major security programs (Korea Security Applications, hereafter KSA programs) used by leading domestic financial and public institutions and discovered a total of 19 security vulnerabilities. The main vulnerabilities included: ▲keystroke interception ▲man-in-the-middle (MITM) attacks ▲leakage of digital certificates ▲remote code execution (RCE) ▲user identification and tracking, among others.
Some vulnerabilities were patched as an emergency measure following reports from the joint research team, but the fundamental design vulnerabilities that permeate the entire security ecosystem remain unresolved.
For the same reason, the joint research team pointed out that "the basic premise that security software should be a tool for user safety is not being upheld, and instead, it can be abused as a channel for attacks," emphasizing that "a fundamental paradigm shift in the security ecosystem is necessary."
For instance, Korean financial security software is designed to bypass the security architecture of web browsers in order to perform sensitive system functions.
In principle, browsers restrict external websites from accessing sensitive internal files and information. However, to maintain the so-called "security trio" of keyboard security, firewall, and certificate storage, KSA programs use channels outside the browser (loopback communication, external program calls, and non-standard APIs) to bypass these restrictions.
This approach was implemented through ActiveX browser plugins until 2015. When ActiveX support was discontinued because of its security vulnerabilities and technical limitations, fundamental improvements were expected.
In reality, however, the system was replaced by a similar structure using executable files (.exe), repeating the same problems as before. As a result, risks such as bypassing browser security boundaries or direct access to sensitive information still remain, according to the joint research team.
In particular, it was empirically confirmed that this design directly conflicts with modern web security mechanisms such as ▲Same-Origin Policy (SOP) ▲sandboxing ▲privilege isolation, and can be exploited as new attack vectors.
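The Same-Origin Policy conflict described above comes down to one fact: SOP never stops a web page from sending a request to a loopback listener, it only withholds the response unless the listener opts in. The following added example (not code from the research team or from any KSA program; the origins, host names and port are constructed placeholders) contrasts a loopback request policy that opts every origin in with one that validates the Host and Origin headers before answering.

```python
from urllib.parse import urlparse

# Constructed values for this example; not the origins or ports of any real KSA program.
ALLOWED_ORIGINS = {"https://bank.example"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}

def weak_policy(headers):
    """The pattern that defeats SOP: answer any caller and opt every origin in."""
    return 200, {"Access-Control-Allow-Origin": "*"}

def hardened_policy(headers, allowed=ALLOWED_ORIGINS):
    """Decide how a loopback endpoint should answer a browser request.

    Returns (status, response_headers). The browser will deliver the request
    regardless of origin, so the listener itself must decide who may use it.
    """
    host = headers.get("Host", "").split(":")[0]
    if host not in LOOPBACK_HOSTS:
        # Host is not a loopback name: the request was reached via a rebound DNS name, refuse.
        return 403, {}
    origin = headers.get("Origin")
    if origin is None:
        # No Origin header means no browser cross-origin context to opt in for.
        return 403, {}
    if urlparse(origin).scheme != "https" or origin not in allowed:
        return 403, {}
    # Echo the single matching origin, never "*", and mark the reply as origin-dependent.
    return 200, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

# Constructed sample requests, as a browser would send them to a loopback agent on port 9000.
SAMPLE_REQUESTS = {
    "bank": {"Host": "127.0.0.1:9000", "Origin": "https://bank.example"},
    "other_site": {"Host": "127.0.0.1:9000", "Origin": "https://other.example"},
    "rebinding": {"Host": "agent.other.example", "Origin": "https://other.example"},
    "no_origin": {"Host": "localhost:9000"},
}

def evaluate(policy):
    """Map each sample request name to the HTTP status the policy would return."""
    return {name: policy(hdrs)[0] for name, hdrs in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    print("weak:", evaluate(weak_policy))
    print("hardened:", evaluate(hardened_policy))
```

The weak policy serves all four requests; the hardened one serves only the allow-listed HTTPS origin arriving at a loopback host name.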
In an online survey conducted by the joint research team with 400 participants nationwide, 97.4% of respondents said they had installed KSA for financial services, and among them, 59.3% said they did not know what the program actually does.
When analyzing 48 actual PCs in use, an average of nine KSA programs were installed per person, with most using versions from before 2022, and some still using versions from 2019.
Kim Yongdae stated, "A structurally unsafe system can cause a critical security incident even with a small mistake," and added, "It is now necessary to shift from mandating the installation of non-standard security software to following web standards and browser security models."
He also warned, "If this does not change, KSA will continue to be at the center of national-level security threats in the future."
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.