Norwegian tests have revealed that Chinese-made electric buses can be remotely accessed and potentially shut down by their manufacturer, prompting cybersecurity concerns and urgent reviews across European public transport operators.
The Norwegian public transport authority, Ruter, conducted tests that found Chinese supplier Yutong Group had direct digital access to its electric vehicles. This access was for software updates and diagnostics.
This capability theoretically allows remote interference with the buses or their complete shutdown.
Tests were carried out on both new Yutong buses and three-year-old Dutch VDL models. The vehicles were driven in isolated underground mines to eliminate external signals.
Results showed that only the Chinese-made buses possessed over-the-air software update functionality. This confirmed the manufacturer’s direct digital access to each individual bus.
Ruter considered removing SIM cards from the buses to prevent remote deactivation. However, this option was rejected as it would also disconnect the buses from other essential operating systems.
In Denmark, Movia, the largest public transport company, is now urgently reviewing its fleet. Movia operates 469 Chinese electric buses, including 262 manufactured by Yutong.
Jeppe Gaard, Movia’s Operations Director, acknowledged that internet-connected electric vehicles can be remotely deactivated. He learned this last week.
Gaard emphasized that this vulnerability is not exclusive to Chinese buses. He stated it is a problem for all types of vehicles and devices containing embedded electronic components with internet connectivity.
The Danish civil protection and emergency management agency, Samsik, also warned of potential risks. It noted that internet-connected subsystems, such as cameras, microphones, and GPS, could create vulnerabilities. These could be exploited to interrupt bus operations.
However, Samsik has not recorded any specific instances of electric buses being deactivated by such means.
Yutong Group, cited by The Guardian, stated it “strictly complies” with the laws and regulations in the locations where its vehicles operate. The company also clarified that data from its buses is stored in Germany.
An unnamed Yutong spokesperson further added that the data is encrypted. It is used exclusively for vehicle maintenance, optimization, and improvement to meet customer after-sales service needs.
Following the test results, the Norwegian operator Ruter announced it would implement more stringent security requirements. It also plans to enhance anti-cyber piracy measures.