
Concern Rising About ‘Security Loopholes’ in Chinese Buses

Officials in three countries are investigating electric buses, after news that suppliers have remote access for software updates and control system diagnostics, amid fear they could be ‘exploited’ while vehicles are in transit.


BYD electric buses are seen on roads near the train station in Shenzhen, China. Photo: C40 Cities / Nikada - Getty Images.

 

Authorities in two northern European countries and in Australia have voiced concern that a Chinese supplier of electric buses may have the capacity to remotely deactivate them.

Transport officials in Norway and Denmark are investigating the apparent “security loophole” in hundreds of buses, according to a report by The Guardian this week, following news that the supplier of Yutong buses “had remote access for software updates and diagnostics to the vehicles’ control systems – which could be exploited to affect buses while in transit.”

Norwegian public transport operator Ruter published test results last week that showed the bus-maker Yutong Group had access to buses’ control systems for software updates and diagnostics on the model they tested.

 


 

Ruter found that remote deactivation could be prevented if SIM cards in the buses were removed, but they had not done this yet, as it would also disconnect the bus from other systems. They are now seeking help from national authorities and stricter security requirements for any procurements in the future.

In Denmark, Jeppe Gaard, the chief operating officer for Movia, the country’s largest public transport company, said he found out last week that “electric buses – like electric cars – can be remotely deactivated if their software systems have web access”.

 

‘A problem with all Chinese vehicles’

“This is not a Chinese bus problem. It is a problem for all types of vehicles and devices with Chinese electronics built in,” he was quoted as saying.

Gaard was not aware of cases of buses being deactivated, but said that vehicles are equipped with “subsystems with internet connectivity and sensors (cameras, microphones, GPS) that can constitute vulnerabilities which could be exploited to disrupt bus operations.”

Meanwhile, the news has also created concern among cybersecurity experts in Australia, because Yutong’s Australian division says it has delivered more than 1,500 vehicles there over the past 13 years, although only about a tenth of that number are reported to be battery-powered electric buses.

 

‘All connected vehicles’

Alastair MacGibbon, a former head of the Australian Cyber Security Centre, was quoted as telling ABC News that all “connected” vehicles, such as electric vehicles, require constant connectivity with manufacturers who have access to microphones, cameras, and GPS devices.

“They have to be able to update software and firmware. That means they can degrade the device, turn it off, turn off certain features, and the fundamental point here is it’s not about made in China, but controlled by China,” he said.

“The problem is, of course, that if a company is domiciled in China, they obviously come under the lawful direction of the CCP [Chinese Communist Party].”

MacGibbon has reportedly urged officials in Canberra to consider preventing public servants or politicians from using electric vehicles made in China, and having them on government property, the ABC report said.

A Yutong spokesperson was quoted as saying that no-one in Australia “is allowed to unlawfully access or view the data” without customer authorisation and the company “strictly complies with Australian data protection laws and regulations”.

“Yutong vehicles in Australia do not support remote control of acceleration, steering, or braking signal,” the spokesperson said.

“Yutong only collects vehicle operational data, which is transmitted via the onboard terminal through the local mobile network directly to the AWS [Amazon Web Services] data centre in Sydney.”

A spokesperson for VDI, the distributor of Yutong vehicles, was quoted as saying that while they have “over-the-air” capability, VDI’s practice in Australia “is to perform vehicle software updates physically at authorised service centres, with customer consent — not remotely.”

 

    • Jim Pollard

 


 

Jim Pollard

Jim Pollard is an Australian journalist based in Thailand since 1999. He worked for News Ltd papers in Sydney, Perth, London and Melbourne before travelling through SE Asia in the late 90s. He was a senior editor at The Nation for 17+ years.