A pressing security concern has emerged in Denmark, where authorities are racing to address a critical vulnerability in Chinese-made electric buses. This issue, which has sparked urgent investigations, revolves around the remote deactivation capability of these buses, raising serious questions about potential security risks.
The Norwegian transport authorities, who also operate these Yutong buses, discovered that the Chinese supplier maintained remote access to the vehicles' control systems, ostensibly for software updates and diagnostics. However, this access could potentially be exploited to disrupt bus operations while in transit, a scenario that has prompted a thorough examination of the situation.
Amid these concerns, the Norwegian public transport authority, Ruter, took proactive measures by testing two electric buses in an isolated environment. The testing revealed vulnerabilities that Ruter is now addressing, with plans to implement stricter security requirements for future procurements.
Movia, Denmark's largest public transport company, operates a significant fleet of 469 Chinese electric buses, including 262 manufactured by Yutong. Movia's Chief Operating Officer, Jeppe Gaard, acknowledged that electric buses, like electric cars, can be remotely deactivated if their software systems have web access. He emphasized that this is not an issue exclusive to Chinese buses but rather a concern for all vehicles and devices with Chinese electronics.
The Danish agency for civil protection and emergency management has warned Movia about the potential vulnerabilities in these buses, specifically highlighting the presence of subsystems with internet connectivity and sensors (cameras, microphones, GPS) that could be exploited. Yutong, the Chinese manufacturer, maintains that it strictly adheres to applicable laws, regulations, and industry standards in the locations where its vehicles operate. The company's vehicle terminal data in the EU is stored at an Amazon Web Services (AWS) datacentre in Frankfurt, with strict data protection measures in place, including storage encryption and access control.
Thomas Rohden, the chair of the Danish China-Critical Society and a regional Social Liberal party councillor, has criticized Denmark's slow response to the issue of dependence on Chinese companies. He believes that Denmark's reliance on a country with vastly different values and ideals is a significant problem, especially in the context of alleged hybrid attacks by Russia, where resilience is crucial.
The Norwegian ministry of transport has declined to comment on the matter.
