By Kuksung Nam, The Readable
Jan. 26, 2023 8:00PM KST Updated Jan. 27, 2023 8:05PM KST
South Korea was definitely not at the top of the priority list when a German-based cybersecurity researcher first started his career back in 2003 as a software developer. Although he had learned of the country’s unique approach to online security from a German-born Korean friend in the early days of his career, his interest did not go beyond the online community where people occasionally had discussions about South Korea, the “last Internet Explorer stronghold” in the world.
But nearly twenty years later, just a few months after Microsoft officially shut down Internet Explorer, Wladimir Palant has come into the spotlight among none other than South Koreans. His series of publications, concerning South Korea’s online security applications, received an enormous amount of attention not just from cybersecurity experts but also from local media outlets who delivered the stories to ordinary South Koreans who have little to no background knowledge of online security.
The Readable reached out to Palant through his blog posts and conducted written interviews with him twice from January 11 to 20 to learn more about the story behind his disclosure.
◇ A journey started with a single browser extension
“This project really was started by an accident,” the cybersecurity researcher explained in an email.
As a person who started his career as a software developer and built his expertise in browser extensions, he frequently inspects them to find out if there are security issues. A browser extension is a piece of software that enables users to add features and functions to a browser such as Google Chrome. It came to him as a surprise to stumble upon an unfamiliar browser extension with more than 10 million users in the Chrome Web Store.
Once he looked into it, he realized the need for an investigation regarding an application that the browser extension communicates with. He downloaded the application and started analyzing it. This particular keyboard security application is required to be installed, particularly by those who use online banking services in South Korea. It took some time until he discovered multiple security vulnerabilities. Curiosity led him to move forward to analyze other security applications.
In total, the cybersecurity researcher fully investigated three online security applications which are frequently used in South Korea and is now on his way to finishing analysis of a fourth one. He found security flaws in all three of the first applications he looked into. The Readable asked the expert to rate the security flaws on a scale of 1 to 10 to gauge the severity of the vulnerabilities that he had discovered. A score of 1 meant not causing any security problems, and 10 meant causing devastating problems that need to be addressed immediately. Palant stated that there were vulnerabilities marked as “10.”
What would happen if the worst-case scenario became reality and the vulnerability landed in the wrong hands? “So far the worst vulnerability could result in drive-by downloads,” explained the expert. “This means that visiting any website could result in your computer being infected with malware, without you doing or noticing anything.”
◇ The question that we need to ask
Palant reported these security issues to South Korea’s cybersecurity agency, the Korea Internet & Security Agency (KISA), on October 4, October 21, and December 3 of last year, respectively. He also wrote on his blog about his journey and about the security flaws he had found in the first and second applications, taking into account a 90-day disclosure deadline, a period commonly adopted in the cybersecurity industry to allow firms to fix such problems before public disclosure. In an email on January 17, he stated that none of the vulnerabilities have been fixed so far.
The vulnerability analysis team at the KISA told The Readable in an email that they had assessed the security issues the cybersecurity researcher had notified them of and concluded that they were not high-risk vulnerabilities that could result in critical damage. When a vulnerability is reported, the cybersecurity agency evaluates it according to its internal guidelines. The guidelines include specific standards, such as the degree of dissemination of software, the possibilities of exploitation, and the severity of potential damage by the disclosed vulnerabilities. The KISA said that they could not reveal in detail the reason behind their internal decision.
The Financial Security Institute (FSI), which works to build a safe environment for consumers and financial institutions, shared their decision with The Readable. They investigated the security flaws of the first application that the cybersecurity researcher had disclosed in his blog post. “We assume that there is a low possibility of these vulnerabilities to be actually exploited by attackers,” said an official of FSI who works closely with this matter. “Regardless of its effect, it is still a vulnerability which needs to be dealt with.”
If a hacker abused a security flaw and turned it into an exploit that lets the attacker gain full control of victims’ computers with a single click, this could be classified as an extremely severe vulnerability. However, in this case, the official explained that various preconditions need to be met, such as luring victims through sophisticatedly designed phishing websites. In addition, even if the exploit is successfully deployed, it is unlikely that this could lead to disastrous harm.
RaonSecure, the company behind the development of the first application, told The Readable that they have fixed the problems and will distribute the updated version to their clients within January. “In our evaluation, it was a low-level security flaw,” a spokesperson of the company said. “Major financial institutions have been using our products for a long time without experiencing any problems. If there was a problem, then it would have already caused a serious issue.”
The cybersecurity researcher expressed disagreement with the conclusions of South Korean authorities and the cybersecurity company, saying that it “might not be ‘severe’ in terms of danger to the user, but it is certainly very severe with respect to the value” that the application provides, which is security. Moreover, he urged that they take into account the unique situation this application is in right now. Receiving such an enormous amount of attention could attract unforeseen curiosity from those who have the ability to exploit the vulnerabilities and also from those who have never been interested in South Korea’s online security applications before. “It is only a matter of time until some criminals discover the applications for themselves and start abusing it,” warned Palant.
Along with the security flaws, there are questions that need to be asked. Are these security applications efficiently protecting South Koreans from hackers? Is mandatorily installing additional applications the best way to defend South Koreans’ online activities? Could this approach possibly train users to install applications without any caution when a website asks them to, exposing users to potential threats? The expert expressed profound concern about all the questions above.
◇ Software always has security vulnerabilities
Although it was unusual for the cybersecurity expert to disclose his findings to the authorities, it was not the first time he reported security flaws to cybersecurity companies. Companies have reacted in different ways. In some cases, they resolved the situation in less than a month. However, in more typical cases, he received no response whatsoever. After he warned them about the 90-day deadline, companies broke their silence and resolved the issue a day before the deadline.
“Software always has security vulnerabilities. There is nothing special about that,” the expert stated. “When a vulnerability is reported, it is a chance for the company to learn, train employees, review other code, establish better practices, ideally find ways to avoid the entire class of vulnerabilities in the future.” Moreover, he wished that more firms would actually take the opportunity to change, but most view this largely as a public relations issue and not as a technical issue.
“We cannot expect companies to behave ethically and to build secure software out of their good will,” asserted Palant. He emphasized the importance of critical applications being reviewed by independent researchers for security flaws. The work is similar to Google’s Project Zero, where a team of Google’s security researchers investigates popular software and uses the results to patch the security flaws. “It is important that their findings have consequences: vendors need to improve their security or face monetary losses,” said the cybersecurity researcher.
The cover image of this article was designed by Sangseon Kim.
Correction: An article on Jan. 26 misstated the nationality of the person who informed Wladimir Palant of the South Korean banking system. The person was a German-born Korean, not a South Korean.
Kuksung Nam is a cybersecurity journalist for The Readable. She covers cybersecurity issues in South Korea, including the public and private sectors. Prior to joining The Readable, she worked as a political reporter for one of the top-five local newspapers in South Korea, The Kyeongin Ilbo, where she reported several exclusive stories regarding the misconduct of local government officials. She is currently focused on issues related to anti-fraud, as well as threats and crimes in cyberspace. She is a Korean native who is fluent in English and French, and she is interested in delivering the news to a global audience.