European transport authorities are concerned after a Norwegian operator discovered a security vulnerability in Chinese-made Yutong electric buses, which could allow for the remote shutdown of the buses, according to the Associated Press. Norwegian transport operator Ruter conducted security tests underground, where no outside signals could penetrate, and discovered a previously unknown system enabling over-the-air updates and remote diagnostics. Further investigation revealed that, although security camera footage was inaccessible and the bus could not be driven remotely, it was still possible to shut down the drive system, even while the bus was in motion. There are no known instances of this actually occurring, but even the possibility has raised some security eyebrows. From AP:
“Following this testing, Ruter moves from concern to concrete knowledge about how we can implement security systems that protect us against unwanted activity or hacking of the bus’s data systems,” Ruter CEO Bernt Reitan Jenssen said in a statement.
Carscoops elaborates that Ruter discovered Romanian SIM cards in the buses, enabling them to connect to the outside world. Romania is a member of the European Union, and using SIM cards from there ensures not only connectivity with other EU countries but also compliance with the EU’s General Data Protection Regulation (GDPR), which imposes strict data privacy regulations on anyone doing business in the EU. Ruter considered removing these SIM cards from Yutong buses to close this security gap, but ultimately decided not to since other necessary systems could be adversely affected.
In a statement to The Guardian, Yutong said it “strictly complies with the applicable laws, regulations, and industry standards of the locations where its vehicles operate.” It also affirmed that data from vehicles operating in the EU was stored on an Amazon Web Services server in Frankfurt, Germany, rather than being transferred to Chinese servers.
Other countries are also concerned
Transit authorities in other countries that use Yutong buses are understandably concerned. Great Britain has around 700 Yutong buses in operation under the management of British company Pelican Bus and Coach, according to The Telegraph.
Last week, Euan Stainbank, the Labour MP for Falkirk, and Jim Allister, the Traditional Unionist Voice MP for North Antrim, said it was “increasingly clear that there is potential for the quantity of Chinese-manufactured electric buses on UK roads to represent a national security risk”.
However, Pelican paints a rather different picture of the situation from what both UK and Norwegian operators have said.
Last week, Ian Downie, head of Yutong sales for Pelican, said Yutong “fully understands and highly values the public’s concerns regarding vehicle safety and data privacy protection”.
He said the remote control systems could be used for comfort-based needs, such as AC scheduling, but not for acceleration, steering or braking.
Mr Downie added: “All software updates are controlled by Pelican with manual physical access only to the vehicles, with prior written authorisation by customers.”
This contradicts Ruter’s discovery of pre-installed SIM cards for OTA updates on the Yutong buses it tested. It’s possible the situation is different in the UK, or that Downie is unaware of their existence if they are installed, as Ruter was until its testing. Even remote access to air conditioning, something Ruter did not mention, opens up the possibility of a malicious hack, turning off the system on a hot summer day and making riding the bus an even worse experience than it already is.
Not just a Chinese issue
Denmark’s Movia transport company runs 262 Yutong buses in its fleet. It, too, is quite concerned about the potential for remote deactivation. But its chief operating officer made an excellent point in a statement to The Guardian:
Jeppe Gaard, Movia’s chief operating officer, said he was last week made aware that “electric buses – like electric cars – can be remotely deactivated if their software systems have web access”. He added: “This is not a Chinese bus problem. It is a problem for all types of vehicles and devices with Chinese electronics built in.”
Security is the reason the Biden Administration cited for banning Chinese cars, hardware, and software early this year. However, even cars and components not from China are vulnerable to such issues. Few vehicles are more American than the Jeep Wrangler, yet a buggy OTA update bricked many hybrid models in much the same way as the Yutong bus vulnerability could. It was an honest accident with no malicious intent, but it still happened. The risks increase if the manufacturer, independent hackers, or even the Chinese government has malicious intent.
Updates don’t even have to disable the vehicle to be annoying. Several Tesla owners sued the company over claims that updates reduced their range or killed their batteries. Yet many manufacturers insist that you install OTA updates whether you like them or not, even threatening to pull warranty coverage if you don’t. We now live in a connected world, with all the benefits and liabilities that come with it.
