EV Car Hacking, AI bypass KYC, LLM does not trust human, and Active Cyber Defense
Notable news for the week of April 6-12, 2025. This week, your editor is Koichi from F5 Security Incident Response Team. In this edition, I have security news about EV Car Hacking, AI bypass KYC, LLM does not trust human, and Active Cyber Defense.
We at F5 SIRT invest a lot of time to understand the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under security emergency, please contact F5 SIRT.
EV Car Hacking
Last week was BlackHat Asia Week in Singapore. At BlackHat Asia 2025, PCAutomotive researchers announced that Nissan's EV, the LEAF ZE1, was vulnerable to a remote cyber-attack that could hack the car. According to the presentation, there is a vulnerability in its Bluetooth function of the infotainment system which maek attacker enabled to use the infotainment system’s Bluetooth capabilities to infiltrate the car’s internal CAN network. The malicious attacker will establish C2 communication via mobile communications. Researchers had already reported the vulnerability to Nissan in August 2023, and it was approved as vulnerabilities three months later. Eight CVEs, from CVE-2025-32056 to CVE-2025-32063 were assigned for these vulnerabilities this year. Nissan did not comment on the details for security reasons, but said it would continue to address the cyber-attack.
AI generated passport can bypass KYC
It is widely known that Generative AI can generate any image. Someone may be tempted to try to create an image of a passport. Researchers in Poland used ChatGPT-4o to generate a passport image in just five minutes. This passport image is of course fake, but experts claim that this image might be able to bypass an automated Know Your Customer(KYC) systems since digital identity verification systems do not use chip verification, but rely solely on matching the image.
Experts warned that the proliferation of generative AI has increased the threat of mass identity theft, fraudulent credit applications and fake account creation, and call for stronger defense strategies, such as the use of NFC-based authentication and electronic identity (eID).
Source: Expert used ChatGPT-4o to create a replica of his passport in just 5 minutes bypassing KYC
LLM does not trust you, human
We humans have come to use LLMs such as ChatGPT extensively and think of LLMs as ‘useful guys’. However, we do not know what LLMs think of us. An interesting paper was posted in arXiv this month that challenges that question.
Measurement of LLM's Philosophises of Human Nature is a study applying psychological scale to investigate LLMs' perceptions of human. An psychological scale to LLM, named the Machine-based Philosophies of Human Nature Scale (M-PHNS), which is based on Wrightsman's Philosophies of Human Nature Scale (PHNS) had used to assesses multiple LLMs. The results of testing exhibit a systemic lack of trust in humans. Many LLMs showed various negative perception towards humans, such as being ‘untrustworthy’ and ‘selfish’. Furthermore there is a significant negative correlation between the model's intelligence level and its trust in humans. The paper proposes that the solution is to improve LLMs' perceptions using a new framework called “Mental Loop Learning”.
Source: Measurement of LLM's Philosophises of Human Nature
"Active Cyber Defense" Part 4
In a former TWIS articles, I wrote about the “Active Cyber Defense” that the Japanese government is trying to introduce, and there was progress again.
On 8 April the Active Cyber Defense bill was passed by a majority of the ruling and opposition parties in the plenary session of the House of Representatives and sent to the House of Councilors after amendments were made, such as increasing parliamentary involvement.
The ”Active Cyber Defense" bill would allow the Government to get agreements with operators of critical infrastructure and acquire communications information in order to monitor for the Cyber Attack threat. It will also allow the police and the Self Defense Forces, with the approval to access the attacker's servers and other systems and take steps to render them harmless, in order to prevent serious damage.
Source: https://www3.nhk.or.jp/news/html/20250408/k10014773221000.html (Japanese)
