Denmark examines potential cybersecurity gap in Chinese-made electric buses, The Guardian reports
Authorities in Denmark have opened an investigation into a possible cybersecurity vulnerability affecting several hundred Chinese-built electric buses, The Guardian reports. The move follows findings in Norway indicating that certain Yutong vehicles could be accessed remotely through systems used for diagnostics and software updates.
According to Norwegian operator Ruter, tests conducted on two buses in an isolated environment revealed that the manufacturer retained the ability to connect remotely to vehicle control systems.
Yutong: we comply with the applicable laws, regulations, and industry standards
In Denmark, public transport authority Movia handles 469 Chinese-made electric buses, including 262 supplied by Yutong. As of late 2024, Movia had achieved its goal of a 50% zero-emission bus fleet ahead of plans. Movia’s chief operating officer Jeppe Gaard is quoted by The Guardian as saying that “electric buses – like electric cars – can be remotely deactivated if their software systems have web access. This is not a Chinese bus problem. It is a problem for all types of vehicles and devices with Chinese electronics built in.”
However, it must be stressed that these risks cannot be attributed to the origin of the product, but rather to the technological innovation introduced in new generations of buses, which now incorporate over-the-air (OTA) updates. This applies not only to Yutong models but also to other modern buses: OTA capabilities are also being introduced on the new Mercedes eIntouro, for instance.
Gaard noted that the Danish Agency for Civil Protection and Emergency Management has not recorded any instances of remote shutdowns. However, the agency warned that onboard systems equipped with internet connectivity, sensors, cameras, microphones, and GPS modules could represent exploitable vulnerabilities.
Yutong replied, as also reported by the British newspaper, that it “strictly complies with the applicable laws, regulations, and industry standards of the locations where its vehicles operate. This data is used solely for vehicle-related maintenance, optimisation and improvement to meet customers’ after-sales service needs. The data is protected by storage encryption and access control measures. No one is allowed to access or view this data without customer authorisation. Yutong strictly complies with the EU’s data protection laws and regulations.”
The company also specified that Yutong vehicle terminal data in the EU were stored at an Amazon Web Services (AWS) datacentre in Frankfurt.
Investigators in Norway concluded that removing the vehicles’ SIM cards would block remote deactivation but would also disable other essential connected services. Ruter has announced plans to introduce stricter cybersecurity requirements in upcoming tenders, noting that future vehicle generations will likely be “more integrated and harder to secure”.