In a revelation that has sent shockwaves through Europe’s public transportation sector, Norwegian authorities have uncovered hidden remote-access capabilities in electric buses manufactured by Chinese company Yutong. These features, including concealed SIM cards and software backdoors, allow for potential remote shutdowns from abroad, prompting an urgent review of cybersecurity protocols in critical infrastructure.
The discovery came during routine security tests conducted by Ruter, Oslo’s public transport operator, on a fleet of newly acquired Yutong buses. According to reports, the buses contain embedded systems that enable remote diagnostics, software updates, and even control over battery and power systems—capabilities that could theoretically halt operations from thousands of miles away in China.
This incident highlights growing concerns over supply chain vulnerabilities in the era of connected vehicles, where electric buses represent a key component of sustainable urban mobility. Industry experts warn that such hidden features could be exploited not just by manufacturers but by malicious actors, raising alarms about national security in an increasingly digitized transport landscape.
…
Details emerged from a security audit initiated after Ruter tested the buses’ connectivity features. As reported by Scandasia, hidden remote-access SIM cards were found, allowing unauthorized external control. “We have identified risks related to remote access that could potentially affect the operation of the buses,” a Ruter spokesperson stated in the article.
…
Broader Implications for Transport Security
Norway’s case is not isolated. Similar concerns have surfaced in other sectors, but this marks a significant escalation in public transport. According to Cybernews, the remote control extends to the buses’ diagnostics module and battery systems, potentially allowing for mass disruptions.
The Norwegian government, as detailed in a report by Anadolu Ajansı, is now reviewing cybersecurity risks across all public transport assets. “Manufacturer access allows buses to be stopped from China,” Ruter confirmed, prompting immediate action to mitigate threats.
Industry insiders point to this as a wake-up call for Europe. A recent article in Focus on Travel News noted that Norway is investigating these buses after finding they can be remotely accessed, raising broader concerns about foreign-made critical infrastructure.
…
The Poblem isn’t Chinese backdoors as such, but remote access for manufacturers in general. Enshittification of infrastructure via manufacturers bricking shit through remote access needs to stop. Remember when a train manufacturer from Poland was repeatedly bricking trains whenever they were maintained by an independent workshop?
In addition to more domestic corpos being just as bad, it’s important to realize that if the manufacturer can do it remotely, a hacker can do it remotely. Convenience isn’t worth the security risk.
And Newag, the shitty polish manufacturer, fucking sued the hackers that unlocked those trains, unbelievable
Yes, that’s one of the reasons why I made my other comment about spineless corrupt governments cowering before their corporate overlords.
There are other problems with buying infrastructure and other important equipment from China, but back doors for remote bricking are universal and not specific to Chinese equipment. And as long as producing such equipment is allowed and the practice of remotely bricking it is legal, or even worse, you can drag those who try to prevent it to court, we’ll be seeing more of it.
The remote access devices can be a good thing. The issue is one of control. Given the software driven nature and complexity of devices, bugs are inevitable. Having a way for the manufacturer to distribute those updates remotely is a good thing as it lowers costs, and makes it more likely the updates get deployed. That said, the ability to enable and disable that remote access system needs to be in the hands of the customer, not the manufacturer.
As an example, many years ago I worked for a company which manufactured physical access control systems (think those stinking badges and readers at office buildings). And we had two scenarios come up which illustrate the issue quite well. In the first case, the hardware which controlled the individual doors had a bug which caused the doors to fail unlocked. And based on the age of the hardware the only way to update the firmware was to physically go to the device and replace an EEPROM. I spent a very long day wandering a customer’s site climbing a ladder over and over again. This was slow, expensive and just generally not a great experience for anyone involved. In the second case, there were database issues with a customer’s server. At that time, these systems weren’t internet connected so that route for support didn’t exist. However, we shipped each system with a modem and remote access software. So, the customer hooked up the modem, gave us a number to dial in and we fixed the problem fairly quickly. The customer then unplugged the modem and went about breaking the system again.
Having a way for the manufacturer to connect and support the system is important. They just shouldn’t have free run of the system at all times. The customer should also be told about the remote support system before buying the system and be able to turn it off. Sure, it’s possible to have reasonably secure remote logins on the internet (see: SSH or VPN), but it’s far more secure to just not have the service exposed at all. How many routers have been hacked because the manufacturers decided to create and leave in backdoors?
It can be a good thing, but is it really necessary everywhere?
What went wrong with the world so a bus has an onboard computer for anything else than displaying scheduling information that can be updated and accessed remotely these days? I grew up riding on buses that had exactly zero computers, and guess what? Those things were reliable and robust, they would run for decades despite pretty much non stop rolling all day every day all year long. They had millions of kilometers on the clock. All without a single computer. If you wanted, you could retrofit one of those old things with a computerised scheduling display quite easily (all you need is a suitable computer/display unit that runs on 24V DC), but that wouldn’t interfere with the basic function of the bus.
There are many more examples of machinery that has a shitload of remotely accessible computers built into it, but would work just fine without.
Remote access and updating brings convenience, but automatically also brings insecurity, because where someone authorised can remotely access something, there is also a way in for someone unauthorised if they’re just trying hard enough. And “trying hard enough” doesn’t necessarily mean defeating some technical security mechanism, but can simply consist of fooling some poor idiot to give away their credentials. And with that intrinsic vulnerability, we need to decide where we want that and where not.
No, this is not a ‘Chinese’ problem, but as a European I would rather have this problem with a European supplier than with a Chinese supplier for having control over the trains on the continent (or my car, or any technology). But I agree that there shouldn’t be remote access in the first place.
As long as we’re having a bunch of corrupt, spineless governments cowering before their corporate overlords, it doesn’t matter a bit whether the perpetrators of such bricking are located right next door or in China. Because nothing will be done to stop them.