{"id":196563,"date":"2025-06-11T17:10:09","date_gmt":"2025-06-11T08:10:09","guid":{"rendered":"http:\/\/ee.presscat.kr\/?post_type=research-achieve&#038;p=196563"},"modified":"2026-04-13T03:48:04","modified_gmt":"2026-04-12T18:48:04","slug":"in-south-korea-mandatory-financial-security-software-becomes-a-backdoor-and-a-target","status":"publish","type":"research-achieve","link":"http:\/\/ee.presscat.kr\/en\/research-achieve\/in-south-korea-mandatory-financial-security-software-becomes-a-backdoor-and-a-target\/","title":{"rendered":"In South Korea, Mandatory Financial Security Software Becomes a Backdoor \u2014 And a Target"},"content":{"rendered":"<figure id=\"attachment_196524\" aria-describedby=\"caption-attachment-196524\" style=\"width: 879px\" class=\"wp-caption aligncenter\"><img fetchpriority=\"high\" decoding=\"async\" class=\"size-full wp-image-196524\" src=\"http:\/\/ee.presscat.kr\/wp-content\/uploads\/2025\/06\/\uc5f0\uad6c\uc9c4.jpg\" alt=\"\" width=\"879\" height=\"601\" title=\"\"><figcaption id=\"caption-attachment-196524\" class=\"wp-caption-text\"><span style=\"font-size: 14pt;color: #000000\">\u3008 Research Team Photo (Top row, from left) Professor Yongdae Kim, Professor Insu Yun, Professor Hyoungshick Kim, Professor Seungjoo Kim (Bottom row, from left) Researcher Taisic Yun, Researcher Yonghwa Lee, Researcher Suhwan Jeong\u3009<\/span><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 14pt;color: #000000\">South Korea is the only country in the world that mandates the installation of government-approved security software\u2014known as Korea Security Applications (KSAs)\u2014for access to online financial and public services. 
But according to new research to be presented at USENIX Security 2025, this well-intentioned policy may be turning into a national cybersecurity liability.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 14pt;color: #000000\">A team of researchers from KAIST, Korea University, Sungkyunkwan University, and the cybersecurity firm Theori has uncovered systemic design flaws and critical implementation vulnerabilities in the very software meant to protect millions of South Koreans. In total, the team found 19 severe security issues across seven KSA tools, including keylogging, remote code execution, man-in-the-middle attacks, certificate exfiltration, and user tracking.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 14pt;color: #000000\">The research was motivated by real-world attacks: in several confirmed incidents, North Korean threat actors exploited vulnerabilities in these very security tools to compromise South Korean users. These events prompted the researchers to conduct a deeper investigation into the KSA ecosystem\u2014and what they found was alarming.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 14pt;color: #000000\">\u201cThe fact that this software is mandated and installed across millions of endpoints makes it an especially attractive and efficient target,\u201d said Professor Yongdae Kim of KAIST. \u201cAfter seeing repeated evidence that attackers were exploiting these tools\u2014not despite their security function, but because of it\u2014we realized a systematic analysis was urgently needed.\u201d<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 14pt;color: #000000\">While some of the flaws discovered by the researchers have since been patched, many of the root causes remain unresolved. At issue is the architecture itself: rather than working with modern browser security models, KSA tools bypass them entirely. 
Designed to provide enhanced protections like encrypted keyboard input and certificate management, KSAs accomplish this by circumventing browser-level protections such as the Same-Origin Policy, sandboxing, and privilege separation\u2014core tenets of modern web security.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 14pt;color: #000000\">Historically, this was achieved through now-defunct technologies like ActiveX. After ActiveX was phased out in 2015 due to widespread vulnerabilities, developers began distributing standalone executable files (.exe) that performed the same functions with many of the same risks\u2014effectively reintroducing the problem in a different form.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 14pt;color: #000000\">In two proof-of-concept videos released by the research team, an attacker-controlled website is shown intercepting keystrokes\u2014including passwords\u2014and silently downloading malware by abusing KSA components. These behaviors would be blocked under standard browser security, but the KSAs, running with elevated privileges, make them possible.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 14pt;color: #000000\">A nationwide survey of 400 South Korean users found that 97.4% had installed KSA software, while nearly 60% said they didn\u2019t understand what the programs did. Analysis of 48 real-world PCs revealed that users had an average of nine KSA programs installed, many of them outdated by several years.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 14pt;color: #000000\">\u201cThis isn\u2019t just about bugs,\u201d said Kim. \u201cThis is a philosophical misalignment between modern security standards and legacy design choices. 
When you hardcode mistrust of the web into your system architecture, you end up with software that behaves like spyware.\u201d<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 14pt;color: #000000\">The researchers argue that it\u2019s time for South Korea to abandon its reliance on non-standard, government-mandated software and instead embrace web standards and modern browser-based security models. They warn that, if left unaddressed, the KSA ecosystem will continue to pose not only a risk to individual users but also a systemic threat to national cybersecurity.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 14pt;color: #000000\">The full paper, \u201cToo Much of a Good Thing: (In-)Security of Mandatory Security Software for Financial Services in South Korea,\u201d will be presented at the USENIX Security Symposium 2025, one of the premier venues for cybersecurity research. The project was supported by grants from the Institute of Information &amp; Communications Technology Planning &amp; Evaluation (IITP).<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 14pt;color: #000000\">Paper:\u00a0<a style=\"color: #000000\" href=\"https:\/\/syssec.kaist.ac.kr\/pub\/2025\/Too_Much_Good.pdf\" target=\"_blank\" rel=\"noopener\">Too Much of a Good Thing (PDF)<\/a><\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 14pt;color: #000000\">Demo Video 1 (Keystroke Interception):<\/span><\/p>\n<p><iframe src=\"\/\/www.youtube.com\/embed\/W4Phe09XQEA?list=PLBGm8IiBncpwQC66Eo9ZIsPeqNhDR6tIq\" width=\"1236\" height=\"695\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 14pt;color: #000000\">Demo Video 2 (Remote Code Execution):<\/span><\/p>\n<div><iframe src=\"\/\/www.youtube.com\/embed\/6wQzbhWTV2M?list=PLBGm8IiBncpwQC66Eo9ZIsPeqNhDR6tIq\" width=\"1236\" height=\"695\" frameborder=\"0\" 
allowfullscreen=\"allowfullscreen\"><\/iframe><\/div>\n","protected":false},"excerpt":{"rendered":"<p>827<\/p>\n","protected":false},"featured_media":196530,"template":"","research_category":[357],"class_list":["post-196563","research-achieve","type-research-achieve","status-publish","has-post-thumbnail","hentry","research_category-security-en"],"acf":[],"_links":{"self":[{"href":"http:\/\/ee.presscat.kr\/en\/wp-json\/wp\/v2\/research-achieve\/196563","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ee.presscat.kr\/en\/wp-json\/wp\/v2\/research-achieve"}],"about":[{"href":"http:\/\/ee.presscat.kr\/en\/wp-json\/wp\/v2\/types\/research-achieve"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ee.presscat.kr\/en\/wp-json\/wp\/v2\/media\/196530"}],"wp:attachment":[{"href":"http:\/\/ee.presscat.kr\/en\/wp-json\/wp\/v2\/media?parent=196563"}],"wp:term":[{"taxonomy":"research_category","embeddable":true,"href":"http:\/\/ee.presscat.kr\/en\/wp-json\/wp\/v2\/research_category?post=196563"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}