The problem was identified during an inspection initiated by the transport agency Ruter, which decided to assess the level of digital security of its buses. For this purpose, two electric buses were placed in a Faraday room—a space shielded from external electromagnetic signals. During the experiment, specialists examined the software and telemetry of the buses to rule out the possibility of external interference.
The results were alarming: functions were discovered in the control systems that allow the manufacturer to remotely disable the vehicles. This concerns diagnostic modules, power controllers, and battery packs. Ruter informed the government about the capabilities that were identified and emphasized that the manufacturer could theoretically stop or block the buses, as reported by securitylab.
Later, representatives of Yutong clarified that this vulnerability does not pose an immediate threat to passenger safety, as external control of the buses is impossible. However, access to disabling them does exist. As a precaution, Ruter disconnected the network modules and removed the SIM cards from all 300 Yutong electric buses operating in the capital, as well as from 550 similar vehicles in other regions of Norway.
Unlike Yutong, the electric buses from the Dutch company VDL do not have such functions, which has sparked a discussion in Norway about dependence on Chinese technologies. A representative of the Naval Academy, Ståle Ulriksen, expressed concern over the disregard for warnings from intelligence agencies regarding the risks associated with digital control by foreign manufacturers.
Engineers note that built-in remote access mechanisms are often created not with malicious intent, but to simplify equipment maintenance and reduce costs. These technologies allow for quick troubleshooting without the need for specialist travel. Such approaches are used in various industries, including ports and "smart" cars.
However, cost savings on maintenance also raise security questions. Previously, American specialists discovered "shadow" communication modules in Chinese-made solar inverters that were not listed in the documentation. These devices can bypass protective mechanisms and potentially disable power plants, which in the event of a large-scale failure could lead to power outages.
The incident with the Norwegian buses has become another example of infrastructure vulnerability, where key components are manufactured outside the country and have insufficiently documented remote access functions.
