Chinese buses have major security flaw, says Oslo operator
www.spacewar.com
Oslo (AFP) Oct 28, 2025 - The public transport operator in Norway's capital said Tuesday that some electric buses from China have a serious flaw - software that could allow the manufacturer, or nefarious actors, to take control of the vehicle.

Archived

Norway: Chinese-made electric buses have major security flaw, can be remotely stopped and disabled by their manufacturer in China, Oslo operator says

The public transport operator in Norway’s capital said Tuesday that some electric buses from China have a serious flaw – software that could allow the manufacturer, or nefarious actors, to take control of the vehicle.

Oslo’s transport operator Ruter said they had tested two electric buses this summer – one built by China’s Yutong and the other by Dutch firm VDL.

The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates that made it vulnerable, whereas the Dutch model did not.

“We’ve found that everything that is connected poses a risk – and that includes buses,” Ruter director Bernt Reitan Jenssen told public broadcaster NRK.

“There is a risk that for example suppliers could take control, but also that other players could break into this value chain and influence the buses.”

Ruter said it was now developing a digital firewall to guard against the issue.

According to other reports, the Chinese manufacturer has access to each bus’s software updates, diagnostics, and battery control systems. “In theory, the bus could therefore be stopped or rendered unusable by the manufacturer,” the company said.

Ruter has reported its findings to Norway’s Ministry of Transport and Communications.

Arild Tjomsland, a special advisor at the University of South-Eastern Norway who helped conduct the tests, said: “The Chinese bus can be stopped, turned off, or receive updates that can destroy the technology that the bus needs to operate normally.”

[…]

  • Slotos@feddit.nlEnglish
    121·
    23 hours ago

    The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates that made it vulnerable, whereas the Dutch model did not.

    Everything you needed to know was openly stated in the article. But you love riding that imaginary tall horse of yours.

    • Alcoholicorn@mander.xyzEnglish
      1316·
      23 hours ago

      Most people read vulnerability and assume an exploit was found, not that the bus uses an extremely common practice that applies to like 99% of EVs and 80% of modern ICE cars, but not these Dutch buses, apparently. Hell even some ICE motorcycles get remote updates.

      • Slotos@feddit.nlEnglish
        161·
        23 hours ago

        For a public infrastructure, unattended remote updates are a vulnerability. This is clearly and openly explained in the article.

        Especially for countries where vast majority of workforce commutes using said infrastructure. A single uncontrolled update could cripple not just transportation, but every other public service.

        • Maeve@kbin.earth
          11·
          12 hours ago

          unattended remote updates are a vulnerability

          Whose fault is it if unattended?