Following Norway's announcement last week that Oslo’s Chinese electric buses could be remotely disabled by their manufacturer, the United Kingdom, which also operates hundreds of these vehicles, has launched its own investigation.
According to a report from Financial Times (FT), officials at the Department for Transport (DfT) are working with the National Cyber Security Centre to determine whether Yutong, the world’s largest bus manufacturer, has the ability to access the control systems of its vehicles in the UK for software updates and diagnostics.
That’s exactly what the Norwegian investigation has found. Oslo’s public transportation agency, Ruter, tested two electric bus models inside a Faraday cage room and found that they could be disabled via remote control capabilities found in the bus software, diagnostics module, and battery and power control systems.
Ruter disabled web connectivity on the buses by removing SIM cards from the onboard modems. This was done on all of the 300 Yutong electric buses in Oslo and 550 buses elsewhere in the country.
Denmark soon also opened its own review and, unsurprisingly, concluded the risks were the same. Danish authorities also found that remote deactivation of the buses could be prevented by removing their SIM cards, but decided against this because it would also disconnect the buses from other systems.
Now, the UK – Yutong has supplied roughly 700 electric buses to the country – is also looking to investigate the issue.
“We are looking into the case and working closely with the UK’s National Cyber Security Centre to understand the technical basis for the actions taken by the Norwegian and Danish authorities,” a DfT spokesperson told FT.
Yutong’s buses in the UK mostly serve smaller towns and villages, but the company is also planning to expand into London’s market with a new double-decker electric model designed to meet Transport for London (TfL) standards.
So far, no contract has been signed. TfL said: “Any buses entering service in London have to meet our robust technical requirements, including rigorous testing.”
According to critics, if the manufacturer could deactivate the buses, it would likely wreak havoc on Britain’s transport network at a moment’s notice.
Steve Tsang, director of the China Institute at SOAS University of London, said the security flaw made it possible for “Beijing to order Yutong or any Chinese company to remotely immobilise their vehicles.”
Remote control systems are simply cheaper for the manufacturers. They don’t have to send support teams across the world because, quite obviously, they can repair the devices remotely.
“It would be a very major act, close to war, but it can happen, and we should not put ourselves in a position that we expose our critical infrastructure to such a risk,” Tsang told Daily Mail.
This might be a storm in a teacup, of course. Remote control systems are simply cheaper for the manufacturers. They don’t have to send support teams across the world because, quite obviously, they can repair the devices remotely.
That’s what Yutong’s position seems to be. The firm told The Sunday Times that its data collection practices are limited to “vehicle-related maintenance, optimization, and improvement,” and that all data is encrypted and access-controlled.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked