European transport authorities are concerned after a Norwegian operator discovered a security flaw in China’s Yutong electric buses that allows the buses to be switched off remotely, the Associated Press reported. Norwegian transport operator Ruter conducted security tests underground, where no outside signals could penetrate, and discovered a previously unknown system that enabled wireless updates and remote diagnostics. Further investigation revealed that although the security camera footage was not accessible and the bus could not be controlled remotely, it was still possible to disable the propulsion system even while the bus was moving. There are no known examples of this actually happening, but even the possibility has raised some eyebrows over safety. From AP:
“After these tests, Ruter moves from concern to concrete knowledge about how we can implement security systems that protect us against unwanted activities or hacking of the bus’s data systems,” Ruter CEO Bernt Reitan Jenssen said in a statement.
Carscoops reports that Ruter discovered Romanian SIM cards on the buses, allowing them to connect to the outside world. Romania is a member of the European Union, and using SIM cards from there not only ensures connectivity with other EU countries, but also compliance with the EU’s General Data Protection Regulation (GDPR), which imposes strict data privacy rules on anyone doing business in the EU. Ruter considered removing these SIM cards from Yutong buses to close this security hole, but ultimately decided against it as other necessary systems could be negatively affected.
In a statement to The Guardian, Yutong said it “strictly complies with applicable laws, regulations and industry standards of the locations where its vehicles operate.” It also confirmed that data from vehicles driving in the EU was stored on an Amazon Web Services server in Frankfurt, Germany, rather than being transferred to Chinese servers.
Other countries are also concerned
Last week, Euan Stainbank, the Labour MP for Falkirk, and Jim Allister, the Traditional Unionist Voice MP for North Antrim, said it was “increasingly clear that the amount of Chinese-made electric buses on UK roads could potentially pose a national security risk”.
However, Pelican paints a very different picture of the situation than what both British and Norwegian operators have said.
Last week, Ian Downie, head of Yutong sales at Pelican, said Yutong “fully understands and deeply appreciates the public’s concerns regarding vehicle safety and data privacy protection.”
He said the remote control systems can be used for comfort-based needs such as AC scheduling, but not for acceleration, steering or braking.
Mr Downie added: “All software updates are managed by Pelican with only manual physical access to the vehicles, with prior written consent from customers.”
This contradicts Ruter’s discovery of pre-installed SIM cards for OTA updates on the Yutong buses it tested. It is possible that the situation is different in Britain, or that Downie may not be aware that the SIM cards are installed, just as Ruter was not until it tested the buses. Even remote access to air conditioning, something Ruter didn’t mention, opens up the possibility of a malicious hack that disables the system on a hot summer day and makes riding the bus an even worse experience than it already is.
Not just a Chinese issue
Jeppe Gaard, Movia’s chief operating officer, said he was made aware last week that “electric buses – like electric cars – can be deactivated remotely if their software systems have internet access”. He added: “This is not a Chinese bus problem. It is a problem for all types of vehicles and devices that have Chinese electronics built into them.”
Safety is the reason the Biden administration cited for banning Chinese cars, hardware and software early this year. But even cars and parts that don’t come from China are vulnerable to such problems. Few vehicles are more American than the Jeep Wrangler, yet a buggy OTA update bricked many hybrid models, with much the same effect as the Yutong buses’ vulnerability would have. It was an honest accident with no malicious intent, but it happened anyway. The risks increase if the manufacturer, independent hackers or even the Chinese government have malicious intentions.
Updates don’t even have to disable the vehicle to be annoying. Several Tesla owners have sued the company over claims that updates reduce their range or drain their batteries. Yet many manufacturers insist that you install OTA updates whether you like it or not, and even threaten to revoke warranty coverage if you don’t. We now live in a connected world, with all the benefits and obligations that come with it.


