'Security Controversy' LG Uplus, USIM Replacement Rate at 4%...Civic Groups Say "Response Insufficient"

Although LG Uplus has implemented USIM replacement and updates in response to security system concerns, complaints persist that these measures are insufficient, and the controversy has yet to subside. Civic groups argue that there needs to be not only clear notification of the risks associated with not replacing the USIM, but also compensation measures.

The LG Uplus Yongsan building in Yongsan-gu, Seoul. Photo by Yonhap News

원본보기 아이콘

On April 20, the civic group Consumer Sovereignty Citizens’ Union issued a statement saying, “We positively evaluate LG Uplus’s decision to replace USIM cards in relation to exposing consumers to security risks by operating the International Mobile Subscriber Identity (IMSI) based on phone numbers instead of randomizing them.” However, the group also expressed “serious concern and regret over the fact that this measure was not sufficiently communicated to all users and that the actual replacement rate remains at a very low level.”

The group further stated, “IMSI is a core piece of information that must be strictly managed to prevent personal identification even if it is exposed externally. While it is true that IMSI information alone may only pose limited risk for direct crimes such as smartphone hacking or micropayments, the potential for abuse, such as location tracking, still exists.”

They also emphasized that LG Uplus’s guidance regarding USIM replacement and updates has been insufficient. The Consumer Sovereignty Citizens’ Union said, “Guidance and support for MVNO consumers is severely lacking,” adding, “This demonstrates clear user discrimination, as there is a difference in the level of consumer protection for those using the same network.”

The civic group Seoul YMCA on April 17 called on LG Uplus to waive penalties for contract termination. The group stated, “Negligence in IMSI management constitutes a clear violation of Article 3 of the Information and Communications Network Act, which imposes a duty to provide safe services and protect users’ rights and interests.” They demanded, “LG Uplus must immediately notify all customers by text message of the IMSI management negligence and security risks, and the Ministry of Science and ICT should provide sufficient administrative guidance to exempt all LG Uplus customers from penalties for a reasonable period.”

Recently, on the global development collaboration community GitHub, a video was posted showing someone using an IMSI catcher-a device that acts as a fake base station-to collect LG Uplus IMSIs and call subscribers. The poster claimed that if the IMSI value and phone number are set identically, a hacker could collect the device’s IMSI. In response, an LG Uplus representative explained, “Obtaining a temporary identifier from a mobile phone using an IMSI catcher is possible regardless of the mobile carrier. In the case of LG Uplus, the phone number was used as the temporary identifier, but no other information was leaked, so the relative risk is low.”

It has come to light that LG Uplus has issued IMSIs containing subscribers’ actual phone numbers, and since April 13, has been conducting USIM updates and free replacements for all customers. As of the previous day, there have been 20,419 USIM updates and 23,232 USIM replacements, representing a cumulative processing rate of about 4.6%. An LG Uplus representative stated, “Through this free USIM replacement and update, security will be further strengthened.”

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.