
Norway: Chinese-made electric buses have major security flaw, can be remotely stopped and disabled by their manufacturer in China, Oslo operator says

The public transport operator in Norway’s capital said Tuesday that some electric buses from China have a serious flaw – software that could allow the manufacturer, or nefarious actors, to take control of the vehicle.

Oslo’s transport operator Ruter said it had tested two electric buses this summer – one built by China’s Yutong and the other by Dutch firm VDL.

The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates that made it vulnerable, whereas the Dutch model did not.

“We’ve found that everything that is connected poses a risk – and that includes buses,” Ruter director Bernt Reitan Jenssen told public broadcaster NRK.

“There is a risk that for example suppliers could take control, but also that other players could break into this value chain and influence the buses.”

Ruter said it was now developing a digital firewall to guard against the issue.

According to other reports, the Chinese manufacturer has access to each bus’s software updates, diagnostics, and battery control systems. “In theory, the bus could therefore be stopped or rendered unusable by the manufacturer,” the company said.

Ruter has reported its findings to Norway’s Ministry of Transport and Communications.

Arild Tjomsland, a special advisor at the University of South-Eastern Norway who helped conduct the tests, said: “The Chinese bus can be stopped, turned off, or receive updates that can destroy the technology that the bus needs to operate normally.”

[…]
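The article names the security-relevant property without spelling it out: on the Yutong bus the manufacturer alone can push code over the cellular link, and the operator has no veto. The "digital firewall" Ruter says it is building is not described, so the following is an added example of one control an operator could enforce at the update gate, not Ruter's, Yutong's or VDL's actual design. It is also an illustration of the rollback-protection idea that comes up later in the thread. The bundle format, the two-signature rule (manufacturer signs the image, the operator co-signs to approve deployment), Ed25519 as the signature scheme, the domain-separation string and the sample images are all assumptions made for this example. The anti-rollback counter stands in for what a real vehicle would keep in tamper-resistant storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateBundle is a constructed, simplified firmware update package.
// A real bundle would also carry metadata and a manifest; that is omitted here.
type UpdateBundle struct {
	Version uint32 // security version; must strictly increase
	Image   []byte // firmware payload
	MfrSig  []byte // manufacturer signature over digest(Version, Image)
	OpSig   []byte // operator approval signature over the same digest
}

// digest binds the version to the image so neither can be swapped alone.
func digest(version uint32, image []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write([]byte("bus-fw-v1")) // domain separation (assumed label)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// Gate holds the two trust anchors and the anti-rollback counter.
// On a vehicle both would live in tamper-resistant storage.
type Gate struct {
	MfrPub    ed25519.PublicKey
	OpPub     ed25519.PublicKey
	Installed uint32 // highest version ever installed
}

var (
	ErrMfrSig   = errors.New("manufacturer signature invalid or missing")
	ErrOpSig    = errors.New("operator approval missing or invalid")
	ErrRollback = errors.New("version not newer than installed (rollback rejected)")
)

// Install accepts an update only if the manufacturer signed it, the operator
// approved it, and it is newer than anything installed before.
func (g *Gate) Install(b UpdateBundle) error {
	d := digest(b.Version, b.Image)
	if !ed25519.Verify(g.MfrPub, d, b.MfrSig) {
		return ErrMfrSig
	}
	if !ed25519.Verify(g.OpPub, d, b.OpSig) {
		return ErrOpSig
	}
	if b.Version <= g.Installed {
		return ErrRollback
	}
	g.Installed = b.Version
	return nil
}

// Demo runs four constructed scenarios and returns the gate's verdict for each:
// 0: dual-signed newer image (accepted)
// 1: manufacturer pushes unilaterally, no operator approval (rejected)
// 2: dual-signed but older image, e.g. a known-buggy version (rejected)
// 3: image modified after signing (rejected)
func Demo() []error {
	mfrPub, mfrPriv, _ := ed25519.GenerateKey(rand.Reader)
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader)
	g := &Gate{MfrPub: mfrPub, OpPub: opPub, Installed: 1}

	mk := func(version uint32, image []byte, opApproves bool) UpdateBundle {
		d := digest(version, image)
		b := UpdateBundle{Version: version, Image: image, MfrSig: ed25519.Sign(mfrPriv, d)}
		if opApproves {
			b.OpSig = ed25519.Sign(opPriv, d)
		}
		return b
	}

	var out []error
	out = append(out, g.Install(mk(2, []byte("fw-2.0 (constructed image)"), true)))
	out = append(out, g.Install(mk(3, []byte("fw-3.0 pushed without operator"), false)))
	out = append(out, g.Install(mk(1, []byte("fw-1.0 old known-buggy"), true)))
	tampered := mk(3, []byte("fw-3.0 as signed"), true)
	tampered.Image = []byte("fw-3.0 modified in transit")
	out = append(out, g.Install(tampered))
	return out
}

func main() {
	for i, err := range Demo() {
		fmt.Printf("case %d: %v\n", i, err)
	}
}
```

The point of the second check is that a compromised or coerced manufacturer key is no longer sufficient on its own; the operator's key must also sign the exact digest, so the operator can hold updates for review before they reach the fleet. The version counter only ever moves forward, which is what "rollback protection" means in practice: an older, already-signed image cannot be replayed onto the vehicle even with both signatures intact.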

  • Alcoholicorn@mander.xyz · 16 up / 25 down · 24 hours ago

    Did they find an actual vulnerability or are they calling remote software updates and sending diagnostic data back to the manufacturer a vulnerability?

    • jonesy@aussie.zone · 31 up · 23 hours ago

      There’s no good reason to connect a bus to the internet, just do software updates when it gets maintained. There are plenty of devices on Shodan.io that had no known vulnerabilities when they were new but are huge security risks now, from routers to printers to webcams.

      • trollercoaster@sh.itjust.works · 7 up / 3 down · 23 hours ago

        Even if software updates come during maintenance, the same problem persists. The manufacturer can brick the damn thing via an update. The bricking just can’t happen that easily at any arbitrary moment.

        If it’s truly offline, there is also less attack surface for non-manufacturer-approved malicious actors.

        Every software has bugs. Every device that runs software and can be accessed remotely does have vulnerabilities. The problem is that we as a society think that it’s a good idea to have every toaster and every bus connected to the internet. Welcome to the internet of shit.

        • Ek-Hou-Van-Braai@piefed.social · 5 up / 1 down · 23 hours ago

          You can revert it to an older version though.

          With most cars you flash the ECU with software using a diagnostic tool; if you don’t like the new version you can just flash an older version on there.

          Or in many cases modify it and flash your custom version.

          You don’t have that control if it’s all Internet-dependent, and there’s no kill switch.

          • WhyJiffie@sh.itjust.works · 1 up · 14 hours ago

            You can revert it to an older version though.

            If the maker allows it. Try that with your smartphone and it will irreversibly turn into an expensive brick. Look up Android rollback protection.

          • trollercoaster@sh.itjust.works · 4 up / 3 down · 22 hours ago

            Unless you can (and actually do) audit the entire software, you can’t know whether there isn’t any kill switch in it. Even if it’s just a simple timer that will break shit once the warranty has expired. Or something that reacts to a seemingly innocuous external trigger.

            • Ek-Hou-Van-Braai@piefed.social · 3 up · 22 hours ago (edited)

              And we can never make cars 100% safe. That doesn’t mean we shouldn’t care about seat-belts, airbags, ABS and crumple zones.

              Just because we can’t make the danger zero, doesn’t mean we shouldn’t do the bare minimum to mitigate the danger.

              • Maeve@kbin.earth · 1 up · 12 hours ago

                The Internet connection aspect can be made zero. Cars don’t really need computers.

              • trollercoaster@sh.itjust.works · 3 up / 1 down · 22 hours ago

                Yes, and bare minimum is a good keyword, because sometimes, less is more. Especially when it comes to the amounts of software and connectivity. Complexity causes problems.

                I am old enough to have ridden on buses that did run exactly zero software. And you know what? Those things would just keep on working for decades, despite rolling all day long every day every week all year round.

      • Amnesigenic@lemmy.ml · 6 up / 2 down · 16 hours ago

        Your account exists solely to play the issue up as far as you can get it to go, you’re a racist propagandist and you’re mad that people are correctly identifying you as such

      • Alcoholicorn@mander.xyz · 14 up / 18 down · 23 hours ago (edited)

        Trying to understand the actual issue instead of just accepting the deceptive narrative the headline promotes is not downplaying the issue.

        But “electric bus receives remote updates” fails to generate clicks or xenophobia.

        You just don’t like it when someone doesn’t instantly accept whatever hostile evidence you’ve dredged up to support the agenda you constantly push.

        • Slotos@feddit.nl · 12 up / 1 down · 23 hours ago

          The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates that made it vulnerable, whereas the Dutch model did not.

          Everything you needed to know was openly stated in the article. But you love riding that imaginary tall horse of yours.

          • Alcoholicorn@mander.xyz · 13 up / 16 down · 23 hours ago

            Most people read vulnerability and assume an exploit was found, not that the bus uses an extremely common practice that applies to like 99% of EVs and 80% of modern ICE cars, but not these Dutch buses, apparently. Hell even some ICE motorcycles get remote updates.

            • Slotos@feddit.nl · 16 up / 1 down · 23 hours ago

              For public infrastructure, unattended remote updates are a vulnerability. This is clearly and openly explained in the article.

              Especially for countries where the vast majority of the workforce commutes using said infrastructure. A single uncontrolled update could cripple not just transportation, but every other public service.

              • Maeve@kbin.earth · 1 up / 1 down · 12 hours ago

                unattended remote updates are a vulnerability

                Whose fault is it if unattended?

          • Alcoholicorn@mander.xyz · 8 up / 6 down · 20 hours ago

            The first European manufacturer of buses I can think of, Daimler, also does it; this is an extremely common practice. It literally is only making the news to stoke sinophobia.

            Why are you @ing my old account? I stopped using it after I traveled through China and found they blocked HB.

            • Hotznplotzn@lemmy.sdf.org (OP) · 8 up / 5 down · 20 hours ago

              @alcoholicorn@hexbear.net

              It doesn’t help if you ignore what others have written. Again, read the post:

              The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates that made it vulnerable, whereas the Dutch model did not.

              The Chinese model had that, the Dutch model didn’t. It is apparently not “extremely common practice” as the Dutch model didn’t have that vulnerability.

              Your statement is simply false. And this is not sinophobia but a simple fact.

              • Alcoholicorn@mander.xyz · 6 up / 7 down · 19 hours ago

                It is so common the first four European bus manufacturers I can think of all do it. There are no articles about MAN buses being vulnerable, nor Volvo, nor Mercedes. The fact that you didn’t look any of this up betrays that you don’t care about buses using OTA updates or whatever, only its utility as hostile evidence.

    • Hell_nah_brother@thelemmy.club · 14 up / 5 down · 24 hours ago

      The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates that made it vulnerable, whereas the Dutch model did not.

      “We’ve found that everything that is connected poses a risk – and that includes buses,” Ruter director Bernt Reitan Jenssen told public broadcaster NRK.

      Yes. Also “spacewars.com”? This is a dogshit flaming garbage blog.