In the first of two blog articles on cyber security and tech in South Korea, I am looking at the pervasive use of technology in the country and how it is used differently to the UK.
South Korea has had a turbulent history. Many argue this turbulence still has not ended thanks to their somewhat unpredictable northern neighbour. It is this very neighbour that makes the headlines and who has driven South Korea to up its game in terms of cyber security.
South Korea is a highly developed and fascinating country which has enjoyed massive economic growth. Physical crime is very low and they are world leaders in internet connectivity, with the fastest internet speeds in the world. Their goal over the next few years is to become the world’s first “ultra-connected nation”. They claim over 95% of their population is now online and over 90% own a smartphone compared to the UK’s 81%. With this level of connectivity and one of the largest concentrations of intellectual property in the world it is not difficult to see why they would have a cyber-crime target painted on their back.
As with the rest of the world cyber-crime in South Korea is growing, especially phishing, though reported cases are lower than the UK. There has also been an increase in online defamation which is a specific offence in South Korea. The Government is working hard to protect both individuals and companies from cyber-attacks. It has created multiple law enforcement agencies including a Cyber Warfare Centre and a DDOS specific agency. It also takes the issue of data protection very seriously too. Their equivalent of the Data Protection Act has been heralded as one of the toughest and most innovative pieces of data protection legislation in the world. With all that said they too have had some high profile attacks including a power station and very recently a web hosting firm. Both of whom seem to have made some fundamental security oversights allowing the attacks to take place with relative ease.
Public Wi-Fi is absolutely everywhere-on every street, beach and even on hiking trails up mountains! In fact there are smartphone charging stations intermittently along their hiking trails too, just in case your seamless browsing experience gets rudely interrupted by a dead battery. Most of it is secured seemingly for use by mobile contract users, but there are a few that are not. When I connect to the few unsecured Wi-Fi networks I am immediately greeted with a pop up warning message. The warning translates loosely as:
“You are about to be connected directly to a non-secure connection that is not encrypted. You should refrain from using any important personal information or banking services. If you wish to continue click here”.
I think this is a great idea and it turns out that this is becoming a requirement in Korea. I connect anyway. I sit drinking my coffee in the burning Busan sun and take a look at who else is on this network. To my shock, hardly anyone. In the UK the prize of finding free unsecured Wi-Fi attracts citizens from far and wide, like a mothership calling them home. I then decide to connect to the secure Wi-Fi and I see more devices connected than I think even exist in the UK! Now the fact that people were steering clear of the unsecured Wi-Fi could of course be a coincidence or perhaps the Government’s idea to display this warning is actually working? The Korean Government has managed to get a great deal of cooperation with the ISPs (Internet Service Providers). This has helped them roll-out projects such as these warning messages as well as shifting some of the responsibility for blocking malicious traffic onto the ISPs. This, it is fair to say, is quite some achievement.
So what are they doing on this super fast Wi-Fi all day then? Well, as far as I can see a fair bit of online shopping in Starbucks, social media browsing and playing a variety of games involving Disney characters.
The Ultra-Connected Nation And The Internet Of Things
Korean’s love their technology and they adore the Internet of Things (IoT). Anything that could be made into an IoT device is! Washing machines (wall mounted of course), chairs, hairdryers and dog grooming brushes (yes you did read that correctly). I wander around the electronics stores in awe but I can’t help but feel that Koreans may be contributing, albeit accidentally, to be what their government believes to be their country’s biggest cyber threat- DDOS attacks.
All of these devices are online, talking to each other and providing Koreans with the smart home they always dreamed of. The problem is that these devices can be targeted by attackers and easily used to spy on their owners or attack sites as part of a botnet. Sure, these devices are novel and exciting but the problem is they are rarely secure of even securable. You are often heavily reliant on the manufacturer for security and updates. Furthermore, often these devices are actually collecting a large quantity of your data and habits, this has value and some manufacturers sell this on to the highest bidder. I leave the electronics store empty handed.
I am at a train station having just eaten a large quantity of fried Korean food and gazing incomprehensibly at a map. All of a sudden my phone makes a noise I’ve never heard it make. It is like a very loud siren. The type of noise that strikes fear into your heart and I get a quick flashback to a BBC news article showing Kim Jong Un smiling as a he fires another missile.
I look down at my phone which is now displaying “Emergency Alert”. Embarrassingly loud noise continues. What’s going on? But as I look up nobody is donning gas masks or running around in panic. I take a screenshot and, once the alarm ceases and with some concern I open up the Google Translate app:
“National Alert. Today will be a heatwave. Elderly people should refrain from outdoor activities. Make sure you drink enough water and wear sunblock. Thank you.”
Aside from the agreeably benevolent tone of the message, this got me thinking. By having this infrastructure in place and with so many citizens having smart phones the Government has the perfect opportunity to notify the public of a cyber-attack and how to protect themselves. I later discovered this is exactly what they did during the Wannacry incident (more on this in part 2). The downside of this is that if the system were to get hacked, alerts could go out to almost everyone telling them to change their banking password to “l0vingc@ts”. I can’t comment on how they protect this infrastructure but it does seem to be a novel and valuable way to get warnings and protection messaging out to the public fast.
QR Codes, Android Phones And Rose Tinted Glasses
Koreans have a risky love affair with QR codes, which are plastered all over the place. You use them in supermarkets, you use them in restaurants and you even scan the QR code on your coach ticket to allocate you a seat and then display where people are sitting. Why is this risky? Well, like malicious links you can get malicious QR codes that when scanned direct you to a dangerous website or application. QR codes have an element of surprise in that you can’t read them so you have no idea where they will send you until you scan the code. They do offer a degree of convenience, but convenience is usually inversely proportional to security.
Perhaps unsurprisingly Koreans like to buy Korean, especially cars and phones. With Samsung and LG being Korean companies, Android is king and iPhones are very much in the minority. This was clear whilst trying to purchase a gift iPhone case in the shape of a cartoon cat (very fashionable in Korea at the moment both for men and woman alike!). I did not succeed. I don’t want to get into the iOS vs Android debate here, however I will say that due to Apple’s “Walled Garden” approach it is considered *slightly* safer. So this could be another vulnerability in Korea and, as Apple wouldn’t let you install an application that was not hosted on the App store, malicious QR codes that download an app would likely be Android focused.
In the UK we have fallen in love with contactless payments. Well so have the Koreans. The difference? Well for the most part they use special top up cards that aren’t linked to your bank account, you simply top it up at designated machines. The main benefit of this is that if it gets stolen (admittedly unlikely as this is Korea) you have a clear limit on your possible losses. They are also not linked to your identity and there would be no way of identifying your bank account number, name or address from the card. I bought one and used it everyday for transportation, food shopping and restaurants. Although not strictly speaking cyber security I thought I would include it as I thought it was such a good idea from a personal security perspective.
In part 2 I look at company security and culture in Korea, why they might be particularly vulnerable to social engineering attacks as well as how Korea handled the Wannacry incident.