South Korea’s online security dead end

Edit (2023-01-04): A Korean translation of this article is now available here, thanks to Woojin Kim. Edit (2023-01-07): Scheduled one more disclosure for February.

Last September I started investigating a South Korean application with unusually high user numbers. It took me a while to even figure out what it really did, there being close to zero documentation. I eventually realized that the application is riddled with security issues and, despite being advertised as a security application, makes the issue it is supposed to address far, far worse.

That’s how my journey into South Korea’s very special security application landscape started. Since then I have investigated several other applications and realized that the first one wasn’t an outlier. All of them caused severe security and privacy issues. Yet they were also installed on almost every computer in South Korea, being a prerequisite for using online banking or government websites in the country.

Message on www.citibank.co.kr stating: [IP Logger] program needs to be installed to ensure safe use of the service. Do you want to move to the installation page?

Before I start publishing articles on the individual applications’ shortcomings I wanted to post a summary of how (in my limited understanding) this situation came about and what exactly went wrong. From what I can tell, South Korea is in a really bad spot security-wise right now, and it needs to find a way out ASAP.

Historical overview

I’ve heard about South Korea being very “special” every now and then. I cannot claim to fully understand the topic, but there is a whole Wikipedia article on it. Apparently, the root issue was the US export restrictions on strong cryptography in the 90s. This prompted South Korea to develop its own cryptographic solutions.

It seems that this started a fundamental distrust in security technologies coming out of the United States. So even when the export restrictions were lifted, South Korea continued adding their own security layers on top of SSL. All users had to install special applications just to use online banking.

Originally, these applications used Microsoft’s proprietary ActiveX technology. This only worked in Internet Explorer and severely hindered adoption of other browsers in South Korea.

Wikipedia lists several public movements aimed at improving this situation. Despite the pressure from these, it took until well after 2010 for things to actually start changing.

Technologically, the solutions appear to have gone through several iterations. The first were apparently NPAPI plugins, the closest thing to ActiveX in non-Microsoft browsers. I’ve also seen solutions based on browser extensions, which are considerably simpler than NPAPI plugins.

Currently, the vendors appear to have realized that privileged access to the browser isn’t required. Instead, they merely need a communication channel from the websites to their application. So now all these applications run a local web server that websites communicate with.

Current situation

Nowadays, a typical Korean banking website will require five security applications to be installed before you are allowed to log in. One more application is suggested to manage this application zoo. And since different websites require different sets of applications, a typical computer in South Korea probably runs a dozen different applications from half a dozen different vendors. Just to be able to use the web.

Screenshot of a page titled “Install Security Program.” Below it the text “To access and use services on Busan Bank website, please install the security programs. If your installation is completed, please click Home Page to move to the main page. Click [Download Integrated Installation Program] to start automatica installation. In case of an error message, please click 'Save' and run the downloaded the application.” Below that text the page suggests downloading “Integrated installation (Veraport)” and five individual applications.

Each of these applications comes with a website SDK that the website needs to install, consisting of half a dozen JavaScript files. So your typical Korean banking website takes quite a while to load and initialize.

Interestingly, most of these applications don’t even provide centralized download servers. The distribution and updates have been completely offloaded to websites using these security applications.

And that is working exactly as well as you’d expect. Even looking at mere usability, I’ve noticed an application that a few years ago went through a technology change: from using a browser extension to using a local web server for communication. Some banks still distribute and expect the outdated application version, others work with the new one. For users it is impossible to tell why they have the application installed, yet their bank claims that they don’t. And they complain en masse.

Obviously, websites distributing applications also makes them a target. And properly securing so many download servers is unrealistic. So a few years ago the North Korean Lazarus group made the news by compromising some of these servers in order to distribute malware.

Software quality

I took a thorough look at the implementation of several security applications widely used in South Korea. While I’ll go into the specific issues in future blog posts, some tendencies appear universal across the entire landscape.

One would think that being responsible for the security of an entire nation would make vendors of such software extra vigilant. That’s not what I saw, however. In fact, security-wise these applications are often decades behind the state of the art.

This starts with a simple fact: some of these applications are written in the C programming language, not even C++. It being a low-level programming language, these days it is typically used in code that has to work close to hardware such as device drivers. Here however it is used in large applications interacting with websites in complicated ways.

The manual approach to memory management in C is a typical source of exploitable memory safety issues like buffer overflows. Avoiding them in C requires utmost care. While such bugs weren’t the focus of my investigation, I couldn’t fail to notice that the developers of these applications didn’t demonstrate much experience avoiding memory safety issues.

Modern compilers provide a number of security mechanisms to help alleviate such issues. But these applications don’t use modern compilers, relying on Visual Studio versions released around 15 years ago instead.

And even the basic security mechanisms supported by these ancient compilers, such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), tend to be disabled. There is really no good reason for that: these are pure security benefits “for free.”
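Whether a given executable or DLL opts in to these mitigations can be read directly from its PE header. The Python script below is an added example, not code from the original article or from any vendor: it reports the linker version and the ASLR, DEP and Control Flow Guard flags of a PE file. The `build_sample` helper and the headers it produces are constructed for illustration, and the mapping from linker version to Visual Studio release is a heuristic.

```python
import struct
import sys
from dataclasses import dataclass

# DllCharacteristics bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR over a larger address range
DYNAMIC_BASE = 0x0040     # image opts in to ASLR (/DYNAMICBASE)
NX_COMPAT = 0x0100        # image opts in to DEP (/NXCOMPAT)
GUARD_CF = 0x4000         # Control Flow Guard (/guard:cf)
RELOCS_STRIPPED = 0x0001  # COFF Characteristics bit: image cannot be rebased

# MSVC linker major version -> Visual Studio release. Heuristic only: the
# field is informational and other toolchains write their own numbers.
MSVC_LINKER = {8: "Visual Studio 2005", 9: "Visual Studio 2008",
               10: "Visual Studio 2010", 11: "Visual Studio 2012",
               12: "Visual Studio 2013"}


@dataclass
class PEHardening:
    is_64bit: bool
    linker: tuple  # (major, minor) linker version
    aslr: bool
    dep: bool
    high_entropy_va: bool
    cfg: bool

    def findings(self):
        """Return a list of hardening gaps; empty if none were detected."""
        out = []
        if not self.aslr:
            out.append("ASLR not effective (no DYNAMIC_BASE or relocs stripped)")
        elif self.is_64bit and not self.high_entropy_va:
            out.append("64-bit image without HIGH_ENTROPY_VA")
        # 64-bit processes always run with DEP, so the flag matters for x86.
        if not self.dep and not self.is_64bit:
            out.append("DEP not enabled (NX_COMPAT not set)")
        if not self.cfg:
            out.append("no Control Flow Guard")
        if self.linker[0] < 14:  # 14.x is Visual Studio 2015 and later
            name = MSVC_LINKER.get(self.linker[0], "unknown toolchain")
            out.append("old linker %d.%d (%s)" % (*self.linker, name))
        return out


def inspect_pe(data):
    """Parse PE headers; DllCharacteristics is at offset 70 in PE32 and PE32+."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    opt_off = pe_off + 24  # 4-byte signature + 20-byte COFF header
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < opt_off + 72:
        raise ValueError("missing PE signature or truncated headers")
    (coff_flags,) = struct.unpack_from("<H", data, pe_off + 22)
    magic, major, minor = struct.unpack_from("<HBB", data, opt_off)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (flags,) = struct.unpack_from("<H", data, opt_off + 70)
    return PEHardening(
        is_64bit=(magic == 0x20B),
        linker=(major, minor),
        # DYNAMIC_BASE has no effect if the image has no relocations.
        aslr=bool(flags & DYNAMIC_BASE) and not (coff_flags & RELOCS_STRIPPED),
        dep=bool(flags & NX_COMPAT),
        high_entropy_va=bool(flags & HIGH_ENTROPY_VA),
        cfg=bool(flags & GUARD_CF),
    )


def build_sample(magic, linker, dll_flags, coff_flags=0x0102):
    """Constructed input: PE headers only, not a loadable executable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    opt = bytearray(0xF0 if magic == 0x20B else 0xE0)
    struct.pack_into("<HBB", opt, 0, magic, *linker)
    struct.pack_into("<H", opt, 70, dll_flags)
    machine = 0x8664 if magic == 0x20B else 0x014C  # AMD64 / i386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), coff_flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:  # audit real files named on the command line
        with open(path, "rb") as fh:
            print(path, inspect_pe(fh.read()).findings() or "no gaps found")
```

Run it with the paths of installed `.exe` and `.dll` files as arguments; an empty result means none of the checked gaps were found, not that the binary is free of memory safety bugs.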

To make matters even worse, the open source libraries bundled in these applications tend to see no updates whatsoever. So far the record holder was a library which turned out to be more than a decade old. There have been more than 50 releases of this library since then, with many improvements and security fixes. None of them made it into the application.

Security through obscurity

Given how South Korea’s security applications are all about cryptography, they are surprisingly bad at it. In most cases, cryptography is merely being used as obfuscation, only protecting against attackers who cannot reverse engineer the algorithm. Other issues I’ve seen include dropping encryption altogether if requested, or using algorithm parameters that were deprecated decades ago.

In fact, vendors of these applications appear to view reverse engineering as the main issue. There is very little transparency and much security through obscurity here. It’s hard to tell whether this approach actually works to deter hackers or we merely don’t learn about the successful attacks.

Either way, I’ve seen multiple applications use software “protection” that decrypts the code at runtime to prevent reverse engineering. While I don’t have much experience with such mechanisms, I found that attaching to the process with x64dbg at runtime and using the Scylla plugin does just fine to get a decrypted exe/dll file that can be fed into a disassembler.

There are services that will immediately shut down the application if a debugger is attached. And one application even attempts to prevent the browser’s Developer Tools from being used. Neither mechanism mitigates security risks; the goal here is rather to maintain obscurity.

Explanation attempts

I think the main issue here is that the users are not the customers. While this is supposedly all about their safety, the actual customers are the banks. The users don’t get to choose whether to install an application, it is required. And banks can delegate liability away.

If somebody loses money due to a hack, the bank cannot possibly be at fault. The bank did everything right after all. It made the user install all the important security applications. That seems to be the logic here.

This creates a market for bogus security applications. Most of them fail at properly addressing an issue. Way too often they even make matters considerably worse. And in the few cases where meaningful functionality is present, a modern web browser is perfectly capable of it without any third-party software.

But none of this matters as long as banks continue to buy these applications. And whether they do is only related to whether they see a value for themselves, not whether the application does anything meaningful.

The vendors know that, of course. That’s why they haven’t been investing in the security of their applications for decades: it simply doesn’t matter. What matters are the features that banks will see. Ways for them to customize the application. Ways for them to collect even more of users’ data. Ways for them to spend money and to get (perceived) security back without any noteworthy effort.

Getting out of the dead end

Unfortunately, I know too little about the Korean society to tell how they would get out of this less than perfect situation. One thing I’m pretty certain about however: improving the existing security applications won’t do it.

Yes, I reported the security and privacy issues I found. I gave the vendors some time to protect the users before my disclosure. And I hope they will.

It isn’t really going to change the situation however. Because many of these issues are by design. And if they fix all of them, they will no longer have a product to sell.

In fact, the ideal outcome is dismantling South Korea’s special security landscape altogether. Not relying on any of these security applications will be a huge win for security. This likely won’t be possible without some definitive legislative action however. Ideally one that will give users a choice again and outlaw forcing installation of third-party applications just to use basic online services.

Schedule of future disclosures

When I report security issues vendors generally get 90 days to fix them. Once that deadline is over I disclose my research. If you are interested in reading the disclosures, you can subscribe to the RSS feed of this blog. Alternatively, you could also check my blog on the scheduled disclosure dates:

Comments

  • smilga

    Very interesting to read article, thank you!

  • Thomas

    This sounds like absolute horror to me! 😱 Are these apps available for Windows only or also for macOS and Linux?

    Wladimir Palant

    While I’ve been investigating the Windows versions of the applications, they are available for other operating systems as well. In the screenshot you can see the applications being offered as Ubuntu and Fedora packages.

  • Gen Kanai

    I posted about this back in 2007 when I was with Mozilla and visited S. Korea. If S. Korea is still using this terrible stuff in 2023, when they have had well over a decade to meet global norms, it's their problem.

    https://archive.is/e2LD

    Wladimir Palant

    Yes, I remember your blog post, it was very informative. Too bad that after so much time the problem is still unsolved.

  • Tanaka san

    You'd likely find similar security and cultural issues in Japan as well.

  • Park

    Thank you for the article 🙏

    As you mentioned, those applications are old and poorly maintained. It is ironic that those security applications are NOT secure. In reality, we found that those applications are a possible path to harming security. For example, we found that a Windows buffer overflow occurred when we opened some Windows settings menu under special conditions with some applications. I disclosed it to the companies and they do not care about the problem. As a result, my workplace uses VMs for accessing banking and government websites.

  • vlwkaos

    It really is about time they did something about it. Last time, those banking websites were full of IE ActiveX stuff. As far as I know, that caused tremendous discomfort for many people (not only a security hole, but also a pain in the ass to use), so there was legislative action to ban ActiveX. Yet it was not enough to banish the 'security application' altogether; the bank websites now ship 'cross-platform' security applications, and I feel dubious about the security they provide, just as you explained here. Even as a citizen, I do not know how to go about it. I hope your disclosures actually have an impact (alas a big one), or else SK is just risking everyone's data. Thanks for writing this.

  • ilkweon ban

    This is a good article. Thank you.

  • composite

    They never change that policy. You shouldn't wait for it. These security apps must be installed due to South Korea's law. Also, these do not protect the client's security.

    If you ask what they are, these apps are just ANTI-CHEAT apps for bank and government sites, like in ordinary games.

  • JSB

    Kudos!

    Your blogpost really hit the spot! A deep understanding of the institutional background as well as the technical issues concerning the annoying, bogus "cyber security" apps required to use the Korean online banking system.

    Looking forward to seeing your future posting!

  • slave

    Are you an angel sent by the Lord? Thank you for pointing out the poor Internet environment in South Korea. The Father, the Son and the Holy Spirit will help you. Save South Korea, please.

  • Wel

    Thanks for highlighting this major issue in SK. I've been struggling with it for the past 10 years as an IT professional here. In addition to the problem created by this "security" software, we should add that in order to install it (sometimes to use it), users need admin rights on the computer. Many companies are giving users admin rights on their machines because of this, and this adds another level of insecurity to their systems.

  • 캬루

    Korea doesn't move unless it has a serious impact. This will also fizzle out.

  • kimu

    They never changed. This is literally true.

  • Shawn

    Thank you for your article👍

    That issue had been known in the South Korean IT security field, so our government agency tries to resolve issues like that. As a result, they officially run a bug bounty program and have also already reported tons of vulnerabilities that rely on ActiveX. If you want to see more information, you can follow this link.

    Wladimir Palant

    Ah, yes. I’ve been reporting these issues via KrCERT. It’s… an interesting experience. :-)

    Largely futile unfortunately. I’m not sure these companies are interested in fixing these issues or capable of doing it. The first deadline was two days ago, the company didn’t fix anything but it also didn’t contact me about it. I hate doing this, but it seems that I’m publishing zero-day vulnerabilities next Monday – I don’t see any other way.

  • Random

    That's one of the reasons why so many people have moved from traditional platforms to somehow brand new internet banks, Kakaobank for example. And many of the young generation are not using financial services through desktop but through mobile phones, where you don't have to fight against those security applications.

  • Shadow

    I stumbled across your blog entry because somebody in the Korean community abbreviated and translated your points as dark humor. As a Korean, I can say all of your observations are more than correct, unfortunately. I'm afraid that installing "security" apps over all these years has left Korean people far too vulnerable and left a habit of installing programs brain-deadly if a website asks you to. As you mentioned, this has become a real security risk, with hackers compromising the download source of said programs' distribution programs, making phishing websites far too easy to operate. This goes beyond computers: some apps request downloading their APK files to install the "full version" of their apps on Android (or worse, pretend to be the full version), and non-tech-savvy people just blindly take their word for it due to the ActiveX and NPAPI downloading culture the Korean companies have created over the decades. It is now mostly not required to install plugins for important government websites, but some minor government branches will still request you to download hard-to-understand apps (like a separate print preview and printing program). I'm afraid the 90 days you gave those security companies may just be wasted, as a) they'll probably be aware of all the issues you have probably raised and b) conservative Korean companies view security as a waste of money, and they know this and just exploit them. Moreover, even large companies/banks in Korea try to cut corners in costs and outsource their cyber security personnel (famous incidents like https://www.bbc.com/news/world-asia-pacific-13263888.am. this or https://www.bitdefender.com/blog/hotforsecurity/south-korea-television-and-banks-hacked-fingers-pointed-at-north-korea this, for which they just blamed North Korea for a clear security breach done by outsourced personnel). Anyway, loved your insight and I sincerely hope that those companies did their due diligence.

  • Secure

    It's amazing.

  • cc

    The Financial Supervisory Service (FSS) made this situation.

    FSS asked financial companies that their customers MUST have some security controls which typical browsers do not provide, for example KrCert, anti-virus/anti-keylogger on the client side. FSS revised the regulation and those bogus applications are not mandatory these days; however, the companies learned that they can avoid their responsibilities with those boguses when a security incident occurs.

    FSS also asked companies to separate all of their environments from the internet, even "dev environments". Only some outdated libraries will be given to developers, and they had to develop applications on their own without the internet. Even security updates are NOT ALLOWED if they are downloaded from the internet because FSS thinks opening ports is not safe. This is why companies are still using C and old libraries.

  • a traveler

    A revolution is needed.

  • sloth

    Thank you for your impressive articles.

    Please understand that the content is delivered through a translator because of the lack of expertise and poor English. I also add that this is just my personal argument.

    I generally agree with the general point. Korean software focuses on 'customers'. This 'customer' is not the end consumer, but the 'enterprise' that provides the service. That's why cloud adoption is slow. Korea's IT system always requires customization.

    In that respect, the fact that cybersecurity products protect "banks" rather than "financial consumers" accurately sees the situation in Korea. Korea is a country that imposes very strong regulations on companies. Rather than "to prevent information leakage," companies find ways to "put the responsibility on consumers even if there is information leakage."

    Cybersecurity solutions in the financial sector are used to attribute information leakage to "consumer's responsibility, not mine." For example, if a consumer's smartphone or PC is infected with malicious code and a security accident occurs using financial services, the bank can avoid responsibility, saying, "You did something wrong."

    Not all cybersecurity in Korea is like this. Giant companies like Samsung Electronics use solutions from globally proven companies such as McAfee, CrowdStrike, Splunk, and Palo Alto Networks. What's particularly problematic is the public and the finance. Surprisingly, Korea has been banned from using the cloud in the financial sector until recently. It has a particularly closed environment.

    Cybersecurity companies say they can't help it. They provide 'customized services' to specific customers. It's not an environment where you buy a good product on your own. That's why what you call a 'fake security solution market' is formed.

    I wonder if what you're looking at is based on a PC like Microsoft's Windows or Apple's macOS. Or are you looking at the mobile and judging it together?

    I think the Korean financial industry has almost abandoned the finance of the PC environment. We're developing everything mainly on mobile, so Android. In the Android environment, security applications are provided in the form of APIs, so you can use financial services with one financial app. It's in stark contrast to the PC environment.

    Of course, this is just my perception, and I don't know if it's accurate information. And in the case of iOS, I'm not sure because I'm an Android user. I have heard several times that it is very difficult to use financial services in MacOS or iOS in Korea.

    I look forward to your comments being meaningful. Thank you.

    Wladimir Palant

    I’ve only looked at the Windows applications so far, I hope that the mobile apps are indeed better.

  • harish pillay

    Some time in 2006 or 2097 I did report to the relevant authorities about the dependencies on ActiveX etc. I got a reply saying they will review or. But I did not follow up thinking, wrongly, that they'd act on it. Apparently not.

  • James Karet

    There's a program that detects and removes those "fake security programs". Some of us (because I am South Korean) use them frequently because they cause performance issues. Glad that you'd noticed this.

    Side note: This security only works for Windows. If you are using Linux or macOS, you have to format to Windows. Plus, those security programs detect whether the system is running on a VM or not. At least they expanded to Chrome extensions, but most functions are exclusive to Windows.

  • seong nyang

    Thanks for the great article. I want to talk about the content of your article on my podcast. I will translate it into Korean and provide it to listeners. Is it okay to use it? (I sent details on your twitter, but feel free to reply here)

  • haebom

    I agree with some of the parts you wrote.

    In addition, there are two major problems with Korean online security.

    1. Old Legacy

    As you said, this is a chronic problem. Korea has maintained this by using ActiveX and traditional libraries, although online financial services have come out faster than other countries.

    Of course, recently, Internet banks such as Toss and KakaoBank have appeared and are changing rapidly, but this is the second problem.

    2. Limitations of outsourced development

    I worked for a Korean financial company until a few years ago. But they offer services that complicate both users and financial firms under the guise of security. I thought at first that this was a matter of policy.

    However, policy is only a trigger for these issues, and most importantly, continuous development is not carried out. And many problems were found that the responsibility was transferred to development through outsourced developers and maintenance was not properly performed.

    I think there is a difference in why Internet banks have grown so fast. They operate with their own development system and structure. It's not a way to build a castle on the sand, it's a whole new way.

    Of course, Internet banks are not necessarily the best, but they are definitely changing the Korean online security market with a positive impact.

    -

    Your article is raising the alarm on Korean online security. Thank you so much for writing this. I'll also look forward to the next episode. However, Korea is getting better. It's still uncomfortable, but the direction itself looks right.

    It sometimes takes a lot of time, power, and luck to change not only policy, but also corporate culture, technology, and security awareness. Please write such echoing comments often. Thank you.

  • Sang Geun HAN

    Excellent observations. You know very well the socio-political situations inside South Korea. I reported your writing (for general public in Korean) at https://contents.premium.naver.com/sghahn/knowledge/contents/230104195925160ze

  • KOTB

    Can't agree more with this article! It already felt wrong back in 2011 to install all those softs and get your security based on ActiveX... Best security is also based on its simplicity

  • S. Korean

    I'm South Korean. Thanks for your investigation. For a decade we struggled with this issue but there's no use because government and banks want to sustain this situation. Please save us from this f**king deadlock.

  • Aa

    That's because CyberSecurity in Korea is usually focused on GRC, not the technical part. And that's because most CyberSecurity professionals who have a technical speciality in Korea are quite underpaid compared to developers. So if one knows enough programming, they usually change their career to developer.

  • ㅇㅇ

    Not surprising. It's not surprising because it's "Hell-Joseon".

  • Aa

    Ahhh also there's social prejudice that any kind of security work is sub to governmental work

  • korean

    In my opinion the problems are:

    • Policy: Policies force banks to operate client-side security solutions.

    • Bank: There are security people who don't know security. They select a solution based solely on the price of the solution, the availability of the solution, and so on.

    • Security Solution Corp: According to the policy, the bank has to pay for the security solution, and the security solution company delivers the solution and that's it. They don't care about security. They are also not interested in the well-being of their employees. The key staff consists of juniors who have just learned computers. When they gain experience, they go to bigger companies due to lower pay. And then new juniors come in.

    The way to change this is to change the policy first. Trying to handle everything in security on the client-side is a very stupid policy.

    Separately, many competent security experts in Korea have pointed out this problem, but the stupid policy has never changed.

    This article you posted has another ripple effect in Korea, and I hope there will be a change in policy this time.

  • kor

    Please reveal everything.

    Korean oldies are very stupid.

  • ROK

    Korea only complies with the level of security that can only be legally circumvented. No matter how dedicatedly the security officers try to improve, they are blocked from the top. They will hold the security officers accountable this time and again, and always have.

  • R

    Great piece, useful content, extremely well written! Thank you.

  • JB

    THANK YOU!

    As a privacy-minded South Korean, I absolutely hate South Korean internet banking with its "security" plug-ins (and don't even get me started on Naver and KakaoTalk...).

    I really hope your posts gain traction and that the current South Korean security "infrastructure" will burn to the ground, as unlikely as it is due to all the institutional and historical inertia.

    Thank you for doing god's work.