cross-posted from: https://scribe.disroot.org/post/5486763
In a revelation that has sent shockwaves through Europe’s public transportation sector, Norwegian authorities have uncovered hidden remote-access capabilities in electric buses manufactured by Chinese company Yutong. These features, including concealed SIM cards and software backdoors, allow for potential remote shutdowns from abroad, prompting an urgent review of cybersecurity protocols in critical infrastructure.
The discovery came during routine security tests conducted by Ruter, Oslo’s public transport operator, on a fleet of newly acquired Yutong buses. According to reports, the buses contain embedded systems that enable remote diagnostics, software updates, and even control over battery and power systems—capabilities that could theoretically halt operations from thousands of miles away in China.
This incident highlights growing concerns over supply chain vulnerabilities in the era of connected vehicles, where electric buses represent a key component of sustainable urban mobility. Industry experts warn that such hidden features could be exploited not just by manufacturers but by malicious actors, raising alarms about national security in an increasingly digitized transport landscape.
…
Details emerged from a security audit initiated after Ruter tested the buses’ connectivity features. As reported by Scandasia, hidden remote-access SIM cards were found, allowing unauthorized external control. “We have identified risks related to remote access that could potentially affect the operation of the buses,” a Ruter spokesperson stated in the article.
…
Broader Implications for Transport Security
Norway’s case is not isolated. Similar concerns have surfaced in other sectors, but this marks a significant escalation in public transport. According to Cybernews, the remote control extends to the buses’ diagnostics module and battery systems, potentially allowing for mass disruptions.
The Norwegian government, as detailed in a report by Anadolu Ajansı, is now reviewing cybersecurity risks across all public transport assets. “Manufacturer access allows buses to be stopped from China,” Ruter confirmed, prompting immediate action to mitigate threats.
Industry insiders point to this as a wake-up call for Europe. A recent article in Focus on Travel News noted that Norway is investigating these buses after finding they can be remotely accessed, raising broader concerns about foreign-made critical infrastructure.
…
This week I read an article from March 2025 about Asian (read: Chinese) PCBs and why they are dangerous. The scary part was that inside the layers of a PCB the manufacturer could hide parts like chips for espionage or fuses to short a circuit that are hard or impossible to detect:
In addition, specific manipulation scenarios are examined. The study demonstrates that it is technically possible to integrate additional components – such as spy chips – into the inner layers of multilayer PCBs. These often remain undetected even during X-ray examinations. Weaknesses in design, such as in the layout of capacities, can also be exploited to enable side-channel attacks. These are attacks that do not directly target algorithms or data, but exploit physical or logical side effects of a system. Attackers observe and analyse these side effects to extract protected information or algorithms.
Here is the article, but it’s in German: https://www.all-electronics.de/elektronik-fertigung/warum-asiatische-leiterplatten-so-guenstig-und-gefaehrlich-sind/725088
There have also been cases where communication equipment which was not part of the original design was found in Chinese solar power inverters: https://www.reuters.com/sustainability/climate-energy/ghost-machine-rogue-communication-devices-found-chinese-inverters-2025-05-14/
With such manipulated inverters I guess it could be possible to power down a good chunk of PV generators to destabilize the power grid. This could come in handy for China if they decide to take Taiwan (but this is just a very wild speculation on my part!).
What about the remote updates in every single Windows computer that runs everything in Europe?
Is that not a concern?
This is not a backdoor. This is the remote update “feature” that customers want.
You somehow have managed to ignore the current review much of the EU is undergoing with regard to the software infra that is used and who maintains it. The West is going through some shit right now over your exact point - so why the whataboutism?
Well. Buses and trucks are usually not as tightly integrated as, say, the operating system of a computer, or the inverter of a photovoltaic system. So to disable this telemetry and over-the-air update capability, you can simply unplug the connectivity ECU (or its fuse). It will likely trigger a warning indication on the driver instrument cluster, but that’s it.
An easy fix like this is not really there for Windows or other Microsoft infrastructure.
And to your point that things are being done to reduce the dependency on Microsoft… I have yet to see any serious efforts in this direction. All I have read about are relatively small instances.
I’d say the whole of French police is a tad above a negligible instance.
You are absolutely right. But they have been working on it for, I think, 20 years now. Which is really great, but not a new development based on recent political discussions.
The problem isn’t Chinese back doors as such, but the enshittification of infrastructure with remote access that allows manufacturers to brick shit whenever they like. Remember those trains in Poland that were remotely shut down whenever their manufacturer saw that they were maintained by a third party?
No, this is not a ‘Chinese’ problem, but as a European I would rather have this problem with a European supplier than with a Chinese supplier for having control over the trains on the continent (or my car, or any technology). But I agree that there shouldn’t be remote access in the first place.
But it was cheeeeeapeeerrrrr. And therefore better by definition.
Oh yes the stupidity of “cheapest bidder wins the contract” is monumental. And comes with a whole bunch of follow-up costs, both literally and figuratively.
The cheapest bid should be automatically deleted.
Your response is so weirdly succinct and ends with a whataboutism, like a state actor. Let’s agree that China is fucked up for doing this and needs to learn to stay in their lane.
This rarely seems to be an issue with other foreign-made products like Microsoft, Apple, Amazon etc. I would’ve thought that one would want all critical infrastructure to be made in country.
This rarely seems to be an issue yet.
Yet.
That’s what I was getting at, but I obviously messed it up!
Meanwhile
Tesla every other Internet connected Thing… 🙈
Meanwhile pretty much every manufacturer of “modern” machinery. Enshittification is universal.
Guess what folks. I will bet with 100% certainty that all electric vehicles have this feature/glitch and people are only scared because China won’t share their data with them. Sino Panic much?!
You lost your bet. The Norwegians also tested a Dutch model, and it hasn’t had that feature.
That aside, China is not exactly among the countries with the friendliest governments. It should be clear that no one can want someone else to have control over its infrastructure. And, yes, China is not the only problem. The point is that here in the Lemmyverse you can criticize everyone, but if you criticize China there comes some whataboutism.
They tested all their buses. Only this one had it.
Not the Dutch ones for instance.
Because the Dutch guys could turn them off so it’s not a problem to them? I’m just throwing shit at the wall here. I have zero clue, just sounds like more anti China propaganda?! I’m just some chump from Canada fyi.
Yeah because you just react to the headline instead of reading the article


