[Desk Column] Why LG Uplus’s Decision to Replace All SIM Cards Deserve…
An image of a smartphone SIM card / Generated by GEMINI
telecommunications operator LG Uplus has decided to replace the SIM cards of all 11 million subscribers free of charge. There was no incident, nor was there any order from authorities. The company made the decision proactively after discovering potential vulnerabilities through its own internal inspection.
The trigger for the SIM replacement decision lies in the controversy surrounding the IMSI structure. IMSI is a 15-digit subscriber identification number embedded in the SIM card. It is a core value used to recognize devices on mobile communication networks, and the general industry practice is to design it in a randomized format so that it is difficult to link to a specific individual even if exposed externally. However, it became known that LG Uplus has used a method that includes part of the actual phone number in this value since the early commercialization of 4G LTE, prompting criticism in some quarters.
Nevertheless, LG Uplus’s method does not violate international standards. In the early stages of LTE adoption, international regulations regarding IMSI design were not clearly established. LG Uplus applied the IMSI design approach it had used since the 2G era to LTE and 5G as well, and according to prevailing standards, this was not unusual. For this reason, there is also a clear view in some circles that criticism related to IMSI is close to simple corporate fault-finding.
However, rather than engaging in debates over right and wrong regarding the IMSI structure, LG Uplus took a different step back. It first examined what risks this structure could entail in the current security environment. Hacking techniques are becoming increasingly sophisticated, and cases of misuse of wireless signal collection devices such as IMSI catchers have already been confirmed overseas. Even if an IMSI value alone does not immediately enable hacking, it is difficult to completely rule out concerns that, when combined with other information, it could lead to the creation of cloned phones or targeted tracking.
The decision to replace SIM cards stemmed from this assessment. LG Uplus has already been working since last year on designing and developing a new IMSI system. This involved changing the structure itself by randomizing the subscriber code portion. In other words, the company did not rush to respond after the controversy emerged, but had already recognized the potential issue and begun moving beforehand. In the second half of this year, it also plans to introduce technology that can convert IMSI values to a randomized basis through software updates alone, without physically replacing SIM cards.
The decision to replace all SIM cards for 11 million subscribers free of charge is by no means a light one. It is not merely a matter of cost. Individually notifying 11 million subscribers, securing SIM card supplies, and supporting the replacement process would entail a considerable operational burden. Even so, the company chose to build a defensive line before any actual damage occurred, rather than writing apology statements after the fact.
Security experts share a similar view. In a situation where hacking methods are becoming more advanced, responding after an incident has already happened is always too late. Although free SIM replacement may appear to be an excessive response, it is being evaluated as the most proactive form of preemptive action a telecommunications operator can take to protect its subscribers.
Debate over the IMSI structure may continue. Claims that there was no regulatory violation and perspectives pointing to structural weaknesses are not entirely wrong. However, regardless of how that debate ultimately concludes, the direction chosen by LG Uplus deserves recognition before criticism. Preventing an incident before it occurs — and not passing the cost on to subscribers — can be said to demonstrate that the company has properly borne the weight of responsibility required of a telecommunications operator.
