[Digital Today reporter Jin-ho Lee] With some raising security concerns over how LG Uplus operates subscriber identity numbers (IMSI), moves are taking shape to review security systems in related industries and make improvements on the institutional front.
According to industry sources on March 20, LG Uplus has, from 2011 (the early days of LTE adoption) to the present, assigned IMSIs using a method that builds the subscriber's phone number into the value. An IMSI is a unique number assigned to a SIM card to identify a subscriber on a mobile network and serves as a kind of login ID.
In particular, LG Uplus did not apply separate randomisation measures to the IMSI. In that case, if a third party who knows a specific user's phone number captures the IMSI value, it can identify where that person was located. It is effectively a structure that enables location tracking.
Choon-sik Park (박춘식), former professor of the Department of Cybersecurity at Ajou University, said that matching a phone number with an IMSI value makes it possible to check whether a user is within the range of a certain base station by linking it with the access records of that IMSI. He said that while it is not very detailed, it is possible to identify location down to the base-station level.
Views differ, however, on the actual level of threat. LG Uplus says there have been no cases of IMSI leaks so far and that an IMSI itself is only an ID, making it difficult to lead to harm such as opening cloned phones or stealing calls. It also said the IMSI system does not deviate from international standards.
The industry has voiced similar opinions. A telecommunications security expert said it would be difficult to use an IMSI alone to steal financial information or eavesdrop on calls, but added that the possibility of identifying users is a burdensome factor.
LG Uplus moved quickly to respond. It is reorganising its SIM security system and introducing randomisation in its IMSI design. From April 13 it will carry out SIM replacement and resets for all customers.
But users' concerns are not subsiding easily. Critics say that, coming on top of last year's SIM hacking incident at SK Telecom and KT's unauthorised small-amount payment incident, the case is shaking trust in the telecommunications infrastructure as a whole.
Some say the case could raise security awareness across the telecommunications industry and become an opportunity for structural improvements. Following SKT and KT's SIM replacements for all customers last year, LG Uplus is also carrying out SIM replacement, meaning most smartphone users are effectively subject to SIM replacement. With large-scale SIM replacements taking place, there are also expectations that they could address security vulnerabilities in older SIM cards.
The political sphere is also speeding up efforts to shore up systems. Min-hee Choi (최민희), a lawmaker from the Democratic Party and chair of the National Assembly's Science, ICT, Broadcasting and Communications Committee, said she will soon propose an amendment to the Telecommunications Business Act to prevent customers' phone numbers from being directly linked to IMSI. The aim is to legislate minimum protection standards in light of repeated telecom security disputes.
More fundamental security strengthening is also being pursued in next-generation networks. In a 5G standalone (SA) environment, SUCI (Subscriber Concealed Identifier) technology is applied to transmit subscriber identification information in encrypted form. It processes the IMSI in encrypted form without exposing it as is. With the Ministry of Science and ICT mandating the build-out of 5G SA by year-end, a stronger security system is expected to take root.
Park said the case should be backed by more preemptive and sustained efforts to invest in security, and stressed that telecom carriers must constantly work to improve security systems and supplement their systems.