By AP with Euronews
Published on
•Updated
A leading Norwegian public transport operator has said it will introduce stricter security requirements and step up anti-hacking measures after a test on new Chinese-made electric buses showed the manufacturer could remotely turn them off.
Transport operator Ruter said test results published last week showed that Chinese bus maker Yutong Group had access to their control systems for software updates and diagnostics.
“In theory, this could be exploited to affect the bus,” it said.
The tests — with buses driven in underground mines to strip away external signals — were conducted both on brand-new Yutong buses and on three-year old vehicles from Dutch bus manufacturer VDL, the company said. It said the tests showed that the Dutch buses didn’t have the ability to conduct over-the-air software updates, while the Chinese-made buses did.
Yutong did not immediately respond to requests on Wednesday seeking comment.
The Guardian newspaper, which reported on the issue, cited a statement from the Chinese company that said it “strictly complies” with the laws and rules of places where its vehicles operate. The statement said data about its buses was stored in Germany.
The newspaper cited an unidentified Yutong spokesperson saying the data is encrypted and is “used solely for vehicle-related maintenance, optimisation and improvement to meet customers’ after-sales service needs”.
According to Yutong’s website, the company has sold tens of thousands of vehicles across Europe, Africa, Latin America, and the Asia-Pacific region in recent decades.
The study was initiated in part over concerns about surveillance, at a time when many countries in Europe, North America, and beyond have been taking steps to protect data about consumers and remote operations.
Broader worries about remote control of EVs
The findings showed that “the manufacturer has direct digital access to each individual bus for software updates and diagnostics,” said Ruter, which says it runs half of Norway’s public transport and operates in Oslo and the eastern Akershus region.
Concerns about remote control of electric vehicles are not new: US regulators in January opened a probe into Tesla after reports of crashes involving the use of company technology that allows drivers to remotely command their vehicle to return to them, or move to another location, using a phone app.
The Yutong buses are operated by people — they are not driverless vehicles like taxis and shuttles in places like California and China.
“Following this testing, Ruter moves from concern to concrete knowledge about how we can implement security systems that protect us against unwanted activity or hacking of the bus’s data systems,” Ruter CEO Bernt Reitan Jenssen said in a statement.
‘All types of vehicles’ of this type at risk
In nearby Denmark, transport company Movia said it was reviewing risk assessments when it comes to cybersecurity and espionage on scheduled buses, and possible measures to prevent hacking, misuse of data, and risks of disabling the bus.
Movia said Danish authorities had not signaled any cases of buses being deactivated, but it was looking for ways to eliminate vulnerabilities.
The new findings, it said, were presented at the InformNorden traffic conference by advisers from the University of South-Eastern Norway and showed that neither a hacker nor the supplier could take control of the bus.
“It is also important to emphasise that the Norwegian senior advisers stated that this is not a Chinese bus concern, it is a problem for all types of vehicles and devices with these kind of electronics built in,” Movia said in an email.
Tougher security rules
Cameras in the buses are not connected to the internet, so “there is no risk of image or video transmission from the buses,” said Ruter, which has more than 100 Yutong buses in its fleet. The buses cannot be operated remotely, it said.
Still, Ruter said the manufacturer can access the control system for battery and power supply via mobile network. It said that means that in theory, buses “can be stopped or rendered inoperable by the manufacturer”.
The Norwegian company said it’s responding by imposing tougher security rules in future procurement, developing firewalls that ensure local control and prevent hacking, and working with authorities on “clear cybersecurity requirements”.
It’s also taking steps to delay inbound signals, “so that we can gain insight into the updates being sent before they reach the bus”.