Chinese-made electric buses operating in Oslo, Norway, can be remotely stopped and disabled by their manufacturer in China, according to security tests conducted by Norwegian authorities.
According to a report by Aftenposten, public transport operator Ruter tested two electric buses this summer, one built by a European company and another by Chinese manufacturer Yutong, to evaluate potential digital vulnerabilities.
The results showed that while the European-made bus operated independently, the Yutong vehicle could be remotely accessed and controlled by its manufacturer. Ruter confirmed that the Chinese company has access to the bus’s software updates, diagnostics, and battery systems, meaning it could, in theory, be rendered inoperable from abroad.
Arild Tjomsland, a cybersecurity advisor at the University of South-Eastern Norway who participated in the tests, said the Chinese bus can be stopped, turned off, or receive updates that can destroy the technology that the bus needs to operate normally. Although the buses cannot be driven remotely, Tjomsland warned that disabling them could disrupt transport or be used as leverage in a crisis.
Ruter CEO Bernt Reitan Jenssen said the company is now cooperating with authorities to bolster cybersecurity across Oslo’s public transport network.
Transport Minister Jon-Ivar Nygard said that the government will further assess risks associated with vehicles from countries “with which Norway does not have security policy cooperation.”
Ruter currently operates more than 300 Chinese-made buses in Oslo. As a precaution, buses can be disconnected from the internet by removing their SIM cards, ensuring “local control should the need arise.”
The remote control problem isn’t limited to electric buses. Similar remote access features have been found in Chinese-manufactured port cranes deployed in the US, as well as Chinese-made smart cars, solar panels, and numerous other devices containing Chinese-manufactured chips. It’s also worth noting that many of these remote control or monitoring systems are included for legitimate reasons such as diagnostics, maintenance, or remote technical support. However, there’s always a risk that these features could be exploited for malicious purposes.