Norway transport firm tightens security after Chinese buses found hackable

Don't want to miss the best from Business Standard?

A leading Norwegian public transport operator has said it will introduce stricter security requirements and step up anti-hacking measures after a test on new Chinese-made electric buses showed the manufacturer could remotely turn them off.

Transport operator Ruter said test results published last week showed that Chinese bus maker Yutong Group had access to their control systems for software updates and diagnostics. In theory, this could be exploited to affect the bus," it said.

The tests with buses driven in underground mines to strip away external signals were conducted both on brand-new Yutong buses and on three-year old vehicles from Dutch bus manufacturer VDL, the company said. It said the tests showed that the Dutch buses didn't have the ability to conduct over-the-air software updates, while the Chinese-made buses did.

Yutong did not immediately respond to requests from The Associated Press on Wednesday seeking comment.

The Guardian newspaper, which reported on the issue, cited a statement from the Chinese company that said it strictly complies with the laws and rules of places where its vehicles operate. The statement said data about its buses was stored in Germany.

The newspaper cited an unidentified Yutong spokesperson saying the data is encrypted and is used solely for vehicle-related maintenance, optimisation and improvement to meet customers' after-sales service needs.

According to Yutong's website, the company has sold tens of thousands of vehicles across Europe, Africa, Latin America and the Asia-Pacific region in recent decades.

The study was initiated in part over concerns about surveillance, at a time when many countries in Europe, North America and beyond have been taking steps to protect data about consumers and remote operations.

Broader worries about remote control of EVs  The findings showed that "the manufacturer has direct digital access to each individual bus for software updates and diagnostics, said Ruter, which says it runs half of Norways's public transport and operates in Oslo and the eastern Akershus region.

Concerns about remote control of electric vehicles are not new: U.S. regulators in January opened a probe into Teslas after reports of crashes involving the use of company technology that allows drivers to remotely command their vehicle to return to them, or move to another location, using a phone app.

The Yutong buses are operated by people they are not driverless vehicles like taxis and shuttles in places like California and China.

Following this testing, Ruter moves from concern to concrete knowledge about how we can implement security systems that protect us against unwanted activity or hacking of the bus's data systems, Ruter CEO Bernt Reitan Jenssen said in a statement.

Buses can't be operated remotely or their camera images transmitted  Cameras in the buses are not connected to the internet, so there is no risk of image or video transmission from the buses, said Ruter, which has more than 100 Yutong buses in its fleet. The buses cannot be operated remotely, it said.

Still, Ruters said the manufacturer can access the control system for battery and power supply via mobile network. It said that means that in theory, buses can be stopped or rendered inoperable by the manufacturer.

The Norwegian company said it's responding by imposing tougher security rules in future procurement, developing firewalls that ensure local control and prevent hacking, and working with authorities on clear cybersecurity requirements.

It's also taking steps to delay inbound signals, so that we can gain insight into the updates being sent before they reach the bus.