3 hours ago
6
Authorities in Denmark are urgently studying how to close an apparent security loophole in hundreds of Chinese-made electric buses that enables them to be remotely deactivated.
The investigation comes after transport authorities in Norway, where the Yutong buses are also in service, found that the Chinese supplier had remote access for software updates and diagnostics to the vehicles’ control systems – which could be exploited to affect buses while in transit.
Amid concerns over potential security risks, the Norwegian public transport authority Ruter decided to test two electric buses in an isolated environment.
Bernt Reitan Jenssen, Ruter’s chief executive, said: “The testing revealed risks that we are now taking measures against. National and local authorities have been informed and must assist with additional measures at a national level.”
Their investigations found that remote deactivation could be prevented by removing the buses’ sim cards, but they have not done this because it would also disconnect the bus from other systems.
Ruter said it planned to bring in stricter security requirements for future procurements. Jenssen said it must act before the arrival of the next generation of buses, which could be even “more integrated and harder to secure”.
Movia, Denmark’s largest public transport company, has 469 Chinese electric buses in operation – 262 of which were manufactured by Yutong.
Jeppe Gaard, Movia’s chief operating officer, said he was last week made aware that “electric buses – like electric cars – can be remotely deactivated if their software systems have web access”. He added: “This is not a Chinese bus problem. It is a problem for all types of vehicles and devices with Chinese electronics built in.”
Gaard said the Danish agency for civil protection and emergency management told it that it was not aware of any specific cases in which electric buses had been deactivated, but warned that the vehicles were equipped with “subsystems with internet connectivity and sensors (cameras, microphones, GPS) that can constitute vulnerabilities which could be exploited to disrupt bus operations”.
Yutong said it “strictly complies with the applicable laws, regulations, and industry standards of the locations where its vehicles operate” and that Yutong vehicle terminal data in the EU were stored at an Amazon Web Services (AWS) datacentre in Frankfurt.
A spokesperson added: “This data is used solely for vehicle-related maintenance, optimisation and improvement to meet customers’ after-sales service needs. The data is protected by storage encryption and access control measures. No one is allowed to access or view this data without customer authorisation. Yutong strictly complies with the EU’s data protection laws and regulations.”
Thomas Rohden, the chair of the Danish China-Critical Society and a regional Social Liberal party councillor, said Denmark has been “way too slow” when it came to dependence on Chinese companies.
“This is a huge problem. We should not be so dependent on a country that has values and ideals so different to Denmark,” Rohden said. He added that at a time when Denmark was trying to increase its resilience amid allegations of hybrid attacks by Russia “it’s not very resilient to be totally dependent on China”.
The Norwegian ministry of transport declined to comment.
