In South Korea, Mandatory Financial Security Software Becomes a Backdoor — And a Target

〈Research team photo. Top row, from left: Professor Yongdae Kim, Professor Insu Yun, Professor Hyoungshick Kim, Professor Seungjoo Kim. Bottom row, from left: Researcher Taisic Yun, Researcher Yonghwa Lee, Researcher Suhwan Jeong.〉

 

South Korea is the only country in the world that mandates the installation of government-approved security software—known as Korea Security Applications (KSAs)—for access to online financial and public services. But according to new research to be presented at USENIX Security 2025, this well-intentioned policy may be turning into a national cybersecurity liability.

 

A team of researchers from KAIST, Korea University, Sungkyunkwan University, and the cybersecurity firm Theori has uncovered systemic design flaws and critical implementation vulnerabilities in the very software meant to protect millions of South Koreans. In total, the team found 19 severe security issues across seven KSA tools, including keylogging, remote code execution, man-in-the-middle attacks, certificate exfiltration, and user tracking.

 

The research was motivated by real-world attacks: in several confirmed incidents, North Korean threat actors exploited vulnerabilities in these very security tools to compromise South Korean users. These events prompted the researchers to conduct a deeper investigation into the KSA ecosystem—and what they found was alarming.

 

“The fact that this software is mandated and installed across millions of endpoints makes it an especially attractive and efficient target,” said Professor Yongdae Kim of KAIST. “After seeing repeated evidence that attackers were exploiting these tools—not despite their security function, but because of it—we realized a systematic analysis was urgently needed.”

 

While some of the flaws discovered by the researchers have since been patched, many of the root causes remain unresolved, because the problem is the architecture itself: rather than working within modern browser security models, KSA tools bypass them entirely. KSAs are meant to add protections such as encrypted keyboard input and certificate management, but they deliver those features by stepping outside the browser, and with it outside the Same-Origin Policy, the sandbox, and privilege separation that modern web security rests on. A native program that a web page can drive is only as safe as the program's own checks on who is calling it.

 

Historically, this was achieved through now-defunct technologies like ActiveX. After ActiveX was phased out in 2015 due to widespread vulnerabilities, developers began distributing standalone executable files (.exe) that performed the same functions with many of the same risks—effectively reintroducing the problem in a different form.

 

In two proof-of-concept videos released by the research team, an attacker-controlled website is shown intercepting keystrokes, including passwords, and silently downloading malware by abusing KSA components. A browser would never let one site read another site's keystrokes or write an executable to disk; the KSAs, running outside the browser with elevated privileges, hand those capabilities to whichever page asks for them.
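The following is an added illustration, not code from the paper, the research team, or any KSA vendor, of why a native helper sits outside the browser's protections and what the missing check looks like. It assumes one common design for standalone helpers, a local service that web pages call, which the article does not confirm for any specific KSA. The trusted-origin allowlist, the routes and the two requests are constructed for the example. The Same-Origin Policy only decides whether a script on one web origin may read responses from another; it has no say over a program running on the host. Once such a program accepts requests from web pages, the program's own origin check is the only thing standing between the bank's page and an attacker's page:

```javascript
// Added example, not from the paper or any KSA vendor. Models a native
// "security helper" reachable from web pages (an assumed design; the article
// does not describe KSA internals) with and without an Origin allowlist.

const TRUSTED_ORIGINS = new Set(["https://bank.example"]); // assumed allowlist

// Requests constructed for this example. A browser sets the Origin header on
// cross-site requests itself and page scripts cannot alter it, so it is the
// one piece of caller identity a local helper can rely on for web callers.
const REQUEST_FROM_BANK = {
  origin: "https://bank.example",
  path: "/keyboard/start",
  body: { field: "password" },
};
const REQUEST_FROM_ATTACKER = {
  origin: "https://evil.example",
  path: "/keyboard/start",
  body: { field: "password" },
};
const INSTALL_FROM_ATTACKER = {
  origin: "https://evil.example",
  path: "/update/install",
  body: { url: "https://evil.example/payload.exe" }, // constructed, not a real URL
};

// Model of the helper's privileged capabilities. A real helper would hook the
// keyboard or write a file to disk; this one only records what would happen.
function createHelper({ enforceOrigin }) {
  const actions = [];
  const routes = {
    "/keyboard/start": (req) => {
      actions.push(`route keystrokes for '${req.body.field}' to ${req.origin}`);
      return { status: 200, body: { ok: true } };
    },
    "/update/install": (req) => {
      actions.push(`download and execute ${req.body.url} for ${req.origin}`);
      return { status: 200, body: { ok: true } };
    },
  };

  function handle(req) {
    // Hardened helper: reject any origin not on the allowlist before any
    // route runs. Permissive helper: behaves like one that trusts the web
    // wholesale (for example by answering CORS with '*'), so every site the
    // user opens gets the same access as the bank's site.
    if (enforceOrigin && !TRUSTED_ORIGINS.has(req.origin)) {
      return { status: 403, body: { error: "origin not allowed" } };
    }
    const route = routes[req.path];
    if (!route) return { status: 404, body: { error: "unknown route" } };
    return route(req);
  }

  return { handle, actions };
}

// Drive a helper with the same three requests and report the outcome.
function runScenario(enforceOrigin) {
  const helper = createHelper({ enforceOrigin });
  return {
    bank: helper.handle(REQUEST_FROM_BANK).status,
    attacker: helper.handle(REQUEST_FROM_ATTACKER).status,
    malware: helper.handle(INSTALL_FROM_ATTACKER).status,
    actions: helper.actions,
  };
}

const permissive = runScenario(false); // attacker page gets keystrokes and a download
const hardened = runScenario(true);    // attacker page gets 403 on both routes
console.log("permissive helper:", permissive);
console.log("hardened helper:", hardened);
```

Two caveats a practitioner would add. An Origin allowlist only stops other web pages; malware already running on the host can send any header it likes to a local listener, so the privileged routes also need a per-session secret or a native-messaging channel bound to the browser. And the check is a mitigation, not the fix the article calls for: a keyboard hook or installer that a web page can trigger at all is the design decision that reintroduces the ActiveX problem.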

 

A nationwide survey of 400 South Korean users found that 97.4% had installed KSA software, while nearly 60% said they didn’t understand what the programs did. Analysis of 48 real-world PCs revealed that users had an average of nine KSA programs installed, many of them outdated by several years.

 

“This isn’t just about bugs,” said Kim. “This is a philosophical misalignment between modern security standards and legacy design choices. When you hardcode mistrust of the web into your system architecture, you end up with software that behaves like spyware.”

 

The researchers argue that it’s time for South Korea to abandon its reliance on non-standard, government-mandated software and instead embrace web standards and modern browser-based security models. They warn that, if left unaddressed, the KSA ecosystem will continue to pose not only a risk to individual users but also a systemic threat to national cybersecurity.

 

The full paper, “Too Much of a Good Thing: (In-)Security of Mandatory Security Software for Financial Services in South Korea,” will be presented at the USENIX Security Symposium 2025, one of the premier venues for cybersecurity research. The project was supported by grants from the Institute of Information & Communications Technology Planning & Evaluation (IITP).

 

Paper: Too Much of a Good Thing (PDF)

 

Demo Video 1 (Keystroke Interception)

Demo Video 2 (Remote Code Execution)