Norwegian public transport operator Ruter is increasing security measures for its fleet of Chinese-made electric buses. Recent tests revealed that the manufacturer, Yutong Group, could remotely access the vehicles' control systems for software updates and diagnostics. This discovery has prompted concerns about potential vulnerabilities and the need for stricter cybersecurity protocols.
Key Takeaways
- Chinese bus manufacturer Yutong can remotely access Norwegian public transport buses.
- Ruter, Norway's major transport operator, is implementing tougher security requirements.
- The concern extends to all types of vehicles with similar built-in electronics.
- New firewalls and delayed signal processing will enhance bus security.
Remote Access Capabilities Uncovered
Tests conducted by Ruter, which manages approximately half of Norway's public transport, confirmed that Yutong Group has direct digital access to each of its buses. This access is primarily for software updates and diagnostic checks. While intended for maintenance, the capability raises questions about potential misuse.
The tests involved both new Yutong buses and older vehicles from Dutch manufacturer VDL. Crucially, the Chinese-made buses demonstrated the ability to receive over-the-air software updates, a feature not present in the Dutch models. This highlights a key difference in their technological architecture.
"In theory, this could be exploited to affect the bus," Ruter stated, acknowledging the potential risks associated with such remote access.
Bus Fleet Details
- Ruter operates over 100 Yutong buses in its fleet.
- The company manages public transport in Oslo and the eastern Akershus region.
Concerns Beyond Bus Operations
The findings come amid broader international discussions about surveillance and data protection. Many countries, including those in Europe and North America, are actively working to safeguard consumer data and remote operational systems. The remote access capability of the Yutong buses fits into this larger context of cybersecurity worries.
While Yutong has stated it complies with local laws and stores data in Germany, Ruter's tests have prompted a re-evaluation of security protocols. The company did not immediately respond to requests for comment regarding the test results.
Broader Implications for Electric Vehicles
Concerns about remote control are not exclusive to public buses. In January, US regulators initiated a probe into Tesla after reports of incidents involving its technology. This technology allows drivers to remotely command their vehicles using a phone application. However, the Yutong buses in Norway are operated by human drivers, not driverless systems.
Global Context of Remote Vehicle Control
The ability of manufacturers to remotely access or control vehicles is a growing area of concern. As more vehicles become connected and software-dependent, the potential for cybersecurity vulnerabilities increases. This issue extends beyond public transport to personal electric vehicles as well.
Ruter's Response and Future Security Measures
Following these revelations, Ruter is moving from theoretical concern to concrete action. The transport operator plans to implement new security systems to protect against unwanted activity or hacking. This proactive approach aims to ensure the safety and reliability of its public transport services.
Bernt Reitan Jenssen, CEO of Ruter, emphasized the importance of this shift. "Following this testing, Ruter moves from concern to concrete knowledge about how we can implement security systems that protect us against unwanted activity or hacking of the bus’s data systems," he explained.
New Security Protocols
- Tougher Procurement Rules: Future contracts for new buses will include stricter cybersecurity requirements.
- Firewall Development: Ruter is creating firewalls to ensure local control and prevent hacking attempts.
- Delayed Signal Processing: Steps are being taken to delay inbound signals, allowing Ruter to review updates before they reach the buses.
- Collaboration with Authorities: Ruter is working with Norwegian authorities to establish clear cybersecurity standards for public transport vehicles.
The company confirmed that cameras within the buses are not connected to the internet, eliminating the risk of image or video transmission. While the buses cannot be operated remotely, the manufacturer's access to the battery and power supply control systems via mobile networks means, in theory, buses could be stopped or rendered inoperable.
A Widespread Industry Challenge
Nearby Denmark's transport company, Movia, is also reviewing its risk assessments regarding cybersecurity and espionage on scheduled buses. While Danish authorities have not reported any deactivation incidents, Movia is seeking ways to eliminate vulnerabilities.
Experts from the University of South-Eastern Norway, who presented the findings, noted that this issue is not specific to Chinese buses. They stated it is a problem for all types of vehicles and devices with these kind of electronics built in. This highlights a broader industry challenge that requires comprehensive solutions across the automotive and public transport sectors.
The ongoing efforts by Ruter and other transport operators underscore the critical need for robust cybersecurity frameworks as vehicles become increasingly connected and reliant on advanced digital systems. Protecting these systems is vital for public safety and operational integrity.
