- Recent cybersecurity tests on Yutong electric buses indicate potential for remote disabling by the manufacturer.
- Comparison between cloud-connected Yutong buses and VDL buses with no remote update functions reveals varying vulnerability levels.
- Transportation authorities in Denmark and Australia are urged to reassess and enhance cybersecurity protocols for electric buses.
On November 7, 2025, the realm of public transportation confronted a pivotal juncture between futuristic advancement and alarming susceptibility.
A series of meticulously controlled cybersecurity assessments conducted by Ruter, Norway’s foremost transit operator, uncovered that Chinese-manufactured Yutong electric buses—currently operational across Europe and Australia—could, in theory, be disabled remotely by their producer.
These revelations, initially reported following an evocative underground experiment in Sandvika, Norway, have resonated throughout Denmark, Australia, and beyond, inciting a vigorous dialogue over the security of connected vehicles and their ramifications for national infrastructures.
Titled the “Lion Cage” experiment, these tests were executed at Franzefoss in Sandvika, an underground facility designed to obstruct external signals.
Ruter’s team, in collaboration with cybersecurity specialists from Telenor Group and the University of South-Eastern Norway, scrutinized two distinct buses: a newly delivered Yutong model and a three-year-old VDL bus.
Their objective was unequivocal—to detect vulnerabilities that could enable cyber adversaries or external entities to disrupt bus operations or infiltrate sensitive systems.
The findings were disconcerting. The Yutong bus, boasting cloud-integrated connectivity, afforded the manufacturer direct digital access for crucial software updates and diagnostics, encompassing vital systems like battery management.
This set-up theoretically enabled the manufacturer to remotely disrupt or even incapacitate the bus. Conversely, the VDL bus, lacking such remote update capabilities, presented a significantly lower risk profile.
Ruter elucidated that while both buses’ onboard cameras were not internet-connected—thus eliminating live video streaming—other embedded systems remained vulnerable through mobile networks.
“This testing has transitioned Ruter from mere apprehension to actionable insights regarding how to implement security frameworks that shield us from unauthorized interventions,” stated Ruter CEO Bernt Reitan Jenssen, as cited by Bus-News.
He underscored the necessity of robust security measures as the next generation of buses incorporates even more advanced technologies.
“We have a crucial temporal window to enact these essential security enhancements. This window is promising, and we are already operationalizing strategies to substantially bolster our resilience.”
The Norwegian revelations garnered immediate attention from Denmark’s transportation agencies. Movia, the country’s largest public transport operator, operates 469 Yutong electric buses, with 262 models emanating from the manufacturer.
Jeppe Gaard, Movia’s Chief Operating Officer, expressed astonishment at the degree of possible remote control, asserting, “This issue transcends solely Chinese buses; it pertains to all contemporary vehicles replete with electronic capabilities and network connectivity.”
Denmark’s civil protection entity, Samsik, acknowledged that no buses had been remotely disabled; however, authorities are poised to tighten cybersecurity mandates for forthcoming vehicle acquisitions.
Suggested measures encompass enhancing firewalls, postponing over-the-air software updates, and reassessing network access protocols.
This discourse extends far beyond the confines of Europe. In Australia, where Yutong has supplied over 1,500 vehicles since 2012—including 133 battery electric city buses—similar cybersecurity anxieties have surfaced.
The Australian distributor, VDI, clarified that software updates for Yutong buses in Australia are customarily executed at service centers rather than remotely. Nonetheless, cybersecurity experts remain apprehensive.
Alastair MacGibbon, the former head of the Australian Cyber Security Centre, emphasized that the issue is not confined to the origin of manufacture.
“Every ‘connected’ vehicle, particularly electric variants, necessitates persistent connectivity with manufacturers possessing access to microphones, cameras, and GPS,” he remarked to ABC.
MacGibbon urged the Australian government to contemplate restricting the presence of Chinese-made electric vehicles on government premises, citing potential national security threats.
Yutong representatives have consistently asserted their adherence to local regulations in all operational territories.
In Europe, the company stated that all vehicle data is securely housed in Amazon Web Services data centers located in Frankfurt, Germany, encrypted, and governed by stringent access protocols. A company spokesperson conveyed to The Guardian that the data is “utilized exclusively for the maintenance and enhancement of full-service services.”
In Australia, Yutong emphasized that “no unauthorized parties are permitted to access or view the data” without express customer authorization and that vehicles “do not facilitate remote control over acceleration, steering, or braking signals.” Operational information is transmitted through local mobile networks to data centers in Sydney.
Despite these assurances, experts like Dennis Desmond, a former FBI official now affiliated with the University of the Sunshine Coast, harbor persistent skepticism.
“Until comprehensive clarity is provided about what data is collected, the frequency of collection, the destination of such data, and who holds access rights, I maintain a significant degree of concern regarding the risks posed by these vehicles, particularly in the context of national security,” Desmond articulated in correspondence with ABC.
He posited that all imported smart devices, beyond merely those from China, should undergo thorough assessments concerning data collection, storage, and transmission risks prior to deployment in sensitive capacities.
In the interim, Ruter is not awaiting international consensus. The Norwegian operator has proactively embarked on instituting more rigorous cybersecurity and infrastructure prerequisites for all future bus acquisitions.
This includes engineering novel firewall solutions to deter unauthorized remote access, ensuring buses can be expediently isolated from the internet by detaching onboard SIM cards, and deferring inbound digital signals to enable inspection of software updates before they reach the vehicles.
Ruter is also joining forces with national and local authorities to delineate explicit cybersecurity standards for public transport.
The overarching narrative is unmistakable: as urban centers globally electrify their public transport fleets, the benefits and efficiencies associated with connected vehicles are intertwined with emerging vulnerabilities.
Earlier this year, the U.S. Department of Commerce enacted a ban on the sale of connected hardware and software systems from Russia and China, mirroring escalating trepidations regarding foreign control over critical infrastructure.
Even tire manufacturers like Pirelli, whose Cyber Tire technology has connections to China, are subject to heightened scrutiny.
As of now, no incidents of actual remote shutdowns have been reported in Norway, Denmark, or Australia.
Yet, as Movia’s Jeppe Gaard and cybersecurity experts on multiple continents have indicated, the risks associated with connected vehicles—irrespective of their country of origin—are both tangible and escalating.
The imperative for governments, operators, and manufacturers lies in striking a balance between embracing technological innovation and safeguarding the systems that underpin urban mobility.
As public transport operators and policymakers endeavor to remedy these vulnerabilities, one undeniable truth emerges: the future of mobility will hinge as much on cybersecurity as it will on battery efficacy or passenger comfort.
The opportune window for action, as articulated by Ruter’s CEO, is presently ajar—but it may not remain so for long.
Source link: Evrimagaci.org.
