
Latest news with #RafePilling

'Source of data': are electric cars vulnerable to cyber spies and hackers?

Business Mayor

15-05-2025

  • Automotive
  • Business Mayor


Mobile phones and desktop computers are longstanding targets for cyber spies – but how vulnerable are electric cars? On Monday the i newspaper claimed that British defence firms working for the UK government have warned staff against connecting or pairing their phones with Chinese-made electric cars, due to fears that Beijing could extract sensitive data from the devices. Here we look at whether there are problems with electric cars and security.

Security experts spoken to by the Guardian say electric cars – the most advanced road vehicles on the market – could be exploited by hackers. Rafe Pilling, the director of threat intelligence at the cybersecurity firm Secureworks, says electric cars have myriad ways of generating data that is of interest to hostile states, given the microphones, cameras and wifi connectivity they contain. 'There are lots of opportunities to collect data and therefore lots of opportunities to compromise a vehicle like that,' he says.

He adds that wifi or cellular connectivity, which allows a manufacturer to update a car's operating software – known as an 'over the air' capability – could allow data to be exfiltrated. 'A modern vehicle that has over the air update capabilities – which is crawling with computers, various radios, Lidar sensors and external cameras – could well be repurposed as a surveillance platform,' he says. A mobile phone connected to the car, whether via a charging cable or Bluetooth, is another source of data, he says.

Experts say car owners in sensitive industries or in political and government positions should exercise discretion. 'If you are an engineer who is working on a sixth-generation fighter jet and you have a work phone that you are connecting to your personal vehicle, you need to be aware that by connecting these devices you could be allowing access to data on your mobile,' says Joseph Jarnecki, a research fellow at the Royal United Services Institute thinktank.

Nate Drier, a tech lead at the cybersecurity firm Sophos, says concerned drivers or passengers can click the 'don't trust' option when they connect their phone charger with the car – but they then lose out on all the benefits that ensue, from using music streaming apps to messaging. 'I would assume most people are allowing that connection to happen so they can have all the benefits of the features on that phone,' he says.

Pilling adds that hire car users should take note as well. 'In general, it's a bad idea to sync your phone or device with a vehicle that isn't yours, as you can leave copies of contacts and other sensitive data in the car entertainment and navigation system and most people forget to wipe this after they leave a hire car,' he says.

China is a major manufacturer of electric vehicles (EVs) through brands including BYD and XPeng. This, allied with the Chinese state's use of cyber-espionage, makes those cars a source of potential concern. China's National Intelligence Law of 2017, for instance, states that all organisations and citizens shall 'support, assist and cooperate' with national intelligence efforts. 'Chinese law obliges Chinese companies to cooperate with state security, so one has to assume that if a car is capable of spying on you it may be misused to do so,' says Prof Alan Woodward, a computer security expert at the University of Surrey. There is 'no evidence' in the public domain to point to use of Chinese vehicles in such a way, he adds.

However, experts also wonder if China would risk causing serious damage to a key export sector such as EVs by making it a vector for intelligence gathering. Mobile phones, smart watches and other wearable devices are more likely targets for espionage.

A government spokesperson would not comment on specific security measures, but said: 'Protecting national security is our top priority and we have strict procedures in place to ensure that government sites and information are appropriately protected.'

A more detailed statement was made last month by the defence minister Lord Coaker, who said the Ministry of Defence (MoD) was 'working with other government departments to understand and mitigate any potential threats to national security from vehicles'. He said the work related to all types of vehicle and 'not just those manufactured in China'. Referring to an i report that the MoD had banned EVs with Chinese components from sensitive sites and military training bases, he said there were 'no centrally mandated policy restrictions on the movement of Chinese manufactured vehicles'. However, he said individual defence organisations – a reference to public and private entities – may have stricter EV requirements on certain sites.

BYD has been contacted for comment. XPeng said it was 'committed to continuously adhering to and complying with the applicable UK and EU privacy laws and regulations'. The SMMT, the trade body for UK carmakers and traders, told the i: 'All manufacturers with cars on sale in the UK must adhere to relevant regulations on data privacy, and EVs are no different.

'The industry is committed to upholding a high level of customer data protection, including proportionate use of data, including apps and paired mobile phones, which can be removed from cars according to individual manufacturer instructions, giving peace of mind to motorists.'

Beware hackers imitating IT help desks, UK cyber agency tells retailers

Business Mayor

06-05-2025

  • Business
  • Business Mayor


The UK's cyber security agency has warned retailers to be alert to cyber criminals impersonating IT help desks, after a spate of recent attacks on major high street names. The advice comes after Marks and Spencer, Co-op and Harrods were targeted by hackers.

The National Cyber Security Centre, part of GCHQ, has issued guidance to companies urging them to pay particular attention to so-called social engineering tactics, whereby criminals target IT help desks to change passwords and reset authentication processes in order to gain access to their systems. Such tactics include impersonating an employee and tricking an IT help desk into resetting their password.

Co-op admitted on Friday that cyber criminals were able to access and extract names and contact details for a significant number of customers after initially saying it had fended off the attack. The mutual has said there were some shortages in its stores as it works 'around the clock to reduce disruption and resume deliveries'.

Separately, M&S has also been working to fill empty shelves after last week it admitted it had 'pockets of limited availability'. The company first disclosed a fortnight ago that its systems had been compromised, and has been unable to accept online orders for more than a week while it tries to restore its operations.

Rafe Pilling, threat intelligence director at Secureworks, told the Financial Times on Tuesday that NCSC's guidance suggests that social engineering tactics 'may have played a role in the intrusion' and pointed to 'account takeover playing a role'. He previously said these types of criminals were good at manipulating employees and talking them into revealing credentials or resetting passwords.

Pilling added on Tuesday: 'If the compromise had occurred by malware being delivered to the victim and then used to access their network, the [NCSC] advice would be different.' The NCSC said that while it had 'insights' into the several attacks on retailers, 'we are not yet in a position to say if they are linked, if this is a concerted campaign by a single actor or whether there is no link between them at all'. The agency also did not confirm reports that social engineering was behind some of the attacks.

'Source of data': are electric cars vulnerable to cyber spies and hackers?

The Guardian

29-04-2025

  • Automotive
  • The Guardian


How North Korea's unstoppable hackers are weaponising AI

South China Morning Post

09-03-2025

  • Business
  • South China Morning Post


In their relentless quest for foreign currency, North Korean cybercriminals have turned to artificial intelligence as a powerful new tool – one that analysts warn may be nearly impossible to block.

Despite efforts by major US-based AI companies, such as OpenAI and Google, to crack down on accounts linked to Pyongyang's state-backed hackers, cybersecurity experts say these measures are unlikely to stem the tide.

Since late January, OpenAI, the creator of ChatGPT, and Google have announced measures to shut down accounts suspected of being tied to North Korean operatives. They have also revealed how their platforms have been manipulated for illicit purposes.

But the regime's hackers and scammers can easily bypass restrictions using virtual private networks, shell companies and brokers, industry insiders warn.

'Threat actors will use the cheapest and most efficient tool to get the job done,' Rafe Pilling, director of threat intelligence at the US-based cybersecurity firm Secureworks, told This Week in Asia. 'Many cybercriminals prefer online services that are free to sign up for or can be paid for via cryptocurrency. This would likely be true for North Korean IT workers as well.'

North Korean operatives need not rely solely on US-based AI tools like ChatGPT or Google Gemini, either. Analysts point out that cheaper, more accessible generative AI platforms are being developed worldwide – and some may offer fewer safeguards against misuse.
