NewDo you know which regulations apply to you? Find out in under 3 minutes. Our sincere gift:EU scoperKorea scoper
How can we help?

Message us on

KakaoTalkLINE

Response within 48 hours

Send us an email →
Blog
The Train's WiFi Knows Where You Are
Data Privacy

The Train's WiFi Knows Where You Are

July 6, 2026·Alex Holmquist, Panke IT Solutions LLC

Did you know your carrier can tell which exact train you are on right now? A cell tower only places you within a sector that can cover a whole station-to-station stretch of track. The onboard WiFi your phone joined the moment you sat down is bolted to that one train, so connecting to it draws a far tighter circle around you.

No password, no captive page — the carrier's secure network just let you on. It is a genuine convenience, and the sense that something is quietly happening in the background is correct.

The same auto-connect that saves you the login is what makes that precision possible.

Your SIM signs you in

On SKT and KT's secure onboard networks — T wifi zone_secure and KT's _secure SSID — your phone authenticates with your USIM using SIM-based EAP: the EAP-AKA family, EAP-AKA′ in current LTE and 5G deployments, not the older 2G EAP-SIM.[1] The identity it presents is derived from your SIM, so it names the subscriber behind the device, which a MAC address never does.

The access point only passes it along

The access point relays your SIM credential over RADIUS to the carrier's central AAA server, which validates it against the same subscriber database (HLR/HSS) the cellular core uses.[1] The carrier logs that session centrally — no attacker involved, just how the system is built.

A person riding a train car with a WiFi signal reading

Which train, plausibly which car

That session is logged against a specific onboard access point, and a train carries roughly one set per car — so it can narrow you toward a single car. Car-level is an inference. What is certain is that it fixes you to one specific train, finer than the cell tower already manages.

Not the LG U+ IMSI story

This is not the IMSI-exposure scenario from the April 2026 LG U+ controversy. Independent fact-checkers judged the real-world tracking risk limited: the IMSI is exposed only on a power cycle, and only confirms a device's presence within a single cell.[2] The durable point is quieter — the carrier's own routine session records.

What the law makes them keep

Those records are not optional. Under the enforcement decree of Korea's Protection of Communications Secrets Act, operators must retain internet access-origin (접속지) logs for at least three months and cell-site location data for at least twelve.[3]

Turning it off

You can turn this particular trade off: disable auto-join for the carrier's secure SSID in your WiFi settings, and your phone stops opening a fresh logged session each ride — though the cellular network still knows roughly which train you are on.

The same trade runs under most conveniences; we looked at a related one in which apps keep your photo's location.

When your phone connects to something on its own, do you know what identity it hands over to earn the convenience?

References

  1. NETMANIAS — IEEE 802.1X-based user authentication in KT, SK Telecom and LG U+'s Wi-Fi networks
  2. Daum News — 팩트체크: LG유플러스 위치추적 위험은 얼마나 될까
  3. 국가법령정보센터 — 통신비밀보호법 시행령 제41조 (전기통신사업자의 협조의무 등)
Concerned about your attack surface?

If you'd like to know how your infrastructure scores in an attacker's scanning model, reach out at contact@pankeit.com for an external attack surface assessment.

Subscribe to our blog

Stay up to date with the latest security trends

No spam. Unsubscribe anytime.

HomeAboutPrivacyDMCA

©2026 Panke IT Solutions LLC

Austin, TX