Norway: Chinese-made electric buses have major security flaw, can be remotely stopped and disabled by their manufacturer in China, Oslo operator says
The public transport operator in Norway’s capital said Tuesday that some electric buses from China have a serious flaw – software that could allow the manufacturer, or nefarious actors, to take control of the vehicle.
Oslo’s transport operator Ruter said they had tested two electric buses this summer – one built by China’s Yutong and the other by Dutch firm VDL.
The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates that made it vulnerable, whereas the Dutch model did not.
“We’ve found that everything that is connected poses a risk – and that includes buses,” Ruter director Bernt Reitan Jenssen told public broadcaster NRK.
“There is a risk that for example suppliers could take control, but also that other players could break into this value chain and influence the buses.”
Ruter said it was now developing a digital firewall to guard against the issue.
According to other reports, the Chinese manufacturer has access to each bus’s software updates, diagnostics, and battery control systems. “In theory, the bus could therefore be stopped or rendered unusable by the manufacturer,” the company said.
Ruter has reported its findings to Norway’s Ministry of Transport and Communications.
Arild Tjomsland, a special advisor at the University of South-Eastern Norway who helped conduct the tests, said: “The Chinese bus can be stopped, turned off, or receive updates that can destroy the technology that the bus needs to operate normally.”
[…]
Don’t be a cheap cunt. Buy European.
https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains
Dont forget those polish trains, this is not simply a china vs west situation, this ridiculously wide spread. Lawmakers should have been all over this years ago!
It’s less about that. Buy things you actually own, independent of the supplier. Sure, I’d rather have a European supplier to control my stuff than Chinese one, it’s not even a competition, but come on.
All modern cars can be taken control over by manufacturer or law enforcement. Same as most phones and computers.
As the article points out, the competing VDL bus did not have that.
I looked up 4 european bus manufacters at random and whether they use OTA updates. They all did. It seems like the VDL bus is unusual, if it does infact not use OTA updates as the article says.
Yeah, that isn’t surprising, but I’m really glad it’s making headlings because IoT vehicles are a liability.
Also, really nice that you made the effort to check it yourself.
Bad news, that’s not what’s making headlines. This isn’t an article about smart devices introducing unnecessary attack surfaces, this is an article about the perfidious Chinese sneakily putting spyware into your buses. Hence why there’s a million articles about this one Chinese bus and none about the other 98% of buses in Europe and they call for boycotts of Chinese buses instead of banning OTA updates on buses.
I do still think it’s better than nothing for awareness. It’s not a massive leap to go from “chinese remotely brickable bus bad” to “any remotely brickable bus bad”.
I would have thought so. From OP post history and plenty of comments, apparently it’s not.
should we just accept that?
You have accepted that, hence why the anger is directed at China and not the 90% of so of buses in Europe who do the same thing. The solution presented isn’t “pass legislation that bans OTA updates on public infrastructure”, it’s “don’t buy Chinese”
No I know, this problem is far creater than just china, even if that can be argued to add one extra layer.
case in point https://www.404media.co/polish-hackers-repaired-trains-the-manufacturer-artificially-bricked-now-the-train-company-is-threatening-them/
Simply false.
Doesn’t matter, this kind of enshittification is universal to the automotive world.
It does matter, if there is ever a conflict between China and the EU, China can completely disable our infrastructure without firing a shot.
It would have the same effect as a nuke on all cities.
that’s how you invalidate all other things you said
Yeah, just like the other day when there was a problem with the overhead line which stopped all the trams and gave me radiation poisoning.
I’m not talking about buses only.
Let’s be real for a sec, the only thing that can turn a couple square miles of city into glass is a nuke. There is no alternative.
Obviously, but turning off all electronics in a city will have an immense impact.
I’m more concerned our own governments will do that, if we ever decide complacency isn’t serving us.
These two scenarios are not mutually exclusive. Both are bad and that’s why we shouldn’t have backdoors in software
Guess where many European manufacturers do have a lot of their components made, because it’s cheaper? If China wants to disable much more than just European infrastructure, they can simply do this by enacting an embargo.
In a conflict with China, we’re royally fucked in one way or another. Thanks to boundless corporate greed and political complicity.
The real problem here is over the air updates in a piece of infrastructure, even more so in a machine where a malfunction can endanger lives.
What if you simply didn’t go to war with your biggest trading partner?
What if you diversify trade to neutralize the bully?
We did that by trading with China instead of with the bully (USA). The EU fundamentally cannot manufacture most of the stuff it consumes because neoliberal policy doesnt allow for that. If you want to go to self-made stuff, you’d have to become the eastern block politically. Which I advocate for.
What does “become the eastern block politically” mean in this context?
Adopt policy of nationalization, full employment and self-sufficiency
In related news about a robot vacuum cleaner: https://infosec.exchange/@masek/115452385066637223
How about our policy were not to become enemies of thr largest manufacturing hub and rising world power with 3 times our population?
If a policy to remain independent means becoming the enemy of someone, it’s not the policy that’s the problem.
How are we China’s enemy? We’re the ones suddenly trying to nationalize companies like Nexperia. When did China do something like this? Obeying leader Trump in 5% military expenditure isn’t exactly being independent either.
@Socialism_Everyday@reddthat.com
What an absurdly flawed argument. China never did something like that simply because a foreign company is legally banned from owning its own Chinese subsidiary in the first place. You always need a Chinese partner that would then own the majority of “your” company.
I’m answering to the comment about “becoming their enemy by being independent”. I’m asking for evidence of China choosing Europe as its enemy, as I genuinely haven’t seen such hostile acts unless in retaliation from Europe choosing to suddenly become China’s enemy.
Well no, America chose to became China’s enemy, and Europe is following them as they have since WWII.
Hi! Person with knowledge of doing business in China as a “western company”. You start up your company and hire Chinese engineers. After a while many of them will quit and instead work for a newly created company across the street that do the exact same thing as you do (soon to be “did”).
Huh, I thought we loved free market competition in Europe. If you can’t keep your workers or compete against another firm, by market logic your business isn’t efficient and shouldn’t exist.
You’ve never held a job, correct? It would be difficult to explain not understanding “company secrets” otherwise.
As someone who has also experience of doing business in China as a “Western company”: Yes, that’s exactly the way it is.
Bill Gates and Apple. Both are shit business models, but this isn’t a “Chinese specific” thing.
You do realise that China defined ‘restricted’ industrial sectors where foreigners at most can form a joint venture with a Chinese company which must own more than the foreign one? We granted far more liberties to the Chinese than the other way round.
That still doesn’t respond to my initial question of when China has designated Europe as its enemy, which is why I brought up the particular event of escalation of economic warfare that Europe decided to engage in this very week.
You can call it “enemy”, you can call it “rival”, or whatever you like: China views itself as in competition with us and hence will naturally try to shift things in their favour. Which is completely fine by me, that’s just how it goes if you want to be a major power. But we shouldn’t pretend that our interests, i.a. a strong Europe, is China’s interest. Because it isn’t.
From the OP post:
The Dutch model is obviously inferior /s
Where internet? Where AI?
At least most motorcycles are safe, as long as you stay away from like BMW and Harley
BMW be like:
Still not as bad as having to register a new subscription each time you want to use a blinker.
So that’s why Beamer drivers don’t use blinkers!
They’re not allowed. These kinds of things must be placed to the open market and the best offer must be accepted