Norway: Chinese-made electric buses have major security flaw, can be remotely stopped and disabled by their manufacturer in China, Oslo operator says

The public transport operator in Norway’s capital said Tuesday that some electric buses from China have a serious flaw – software that could allow the manufacturer, or nefarious actors, to take control of the vehicle.

Oslo’s transport operator Ruter said they had tested two electric buses this summer – one built by China’s Yutong and the other by Dutch firm VDL.

The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates, which made it vulnerable, whereas the Dutch model did not.

“We’ve found that everything that is connected poses a risk – and that includes buses,” Ruter director Bernt Reitan Jenssen told public broadcaster NRK.

“There is a risk that for example suppliers could take control, but also that other players could break into this value chain and influence the buses.”

Ruter said it was now developing a digital firewall to guard against the issue.

According to other reports, the Chinese manufacturer has access to each bus’s software updates, diagnostics, and battery control systems. “In theory, the bus could therefore be stopped or rendered unusable by the manufacturer,” the company said.

Ruter has reported its findings to Norway’s Ministry of Transport and Communications.

Arild Tjomsland, a special advisor at the University of South-Eastern Norway who helped conduct the tests, said: “The Chinese bus can be stopped, turned off, or receive updates that can destroy the technology that the bus needs to operate normally.”

[…]

    • Alcoholicorn@mander.xyz
      1 day ago

      I looked up 4 European bus manufacturers at random and whether they use OTA updates. They all did. It seems like the VDL bus is unusual, if it does in fact not use OTA updates as the article says.

      • Mark with a Z@suppo.fi
        1 day ago

        Yeah, that isn’t surprising, but I’m really glad it’s making headlines because IoT vehicles are a liability.

        Also, really nice that you made the effort to check it yourself.

        • Alcoholicorn@mander.xyz
          1 day ago

          I’m really glad it’s making headlines

          Bad news, that’s not what’s making headlines. This isn’t an article about smart devices introducing unnecessary attack surfaces, this is an article about the perfidious Chinese sneakily putting spyware into your buses. Hence why there’s a million articles about this one Chinese bus and none about the other 98% of buses in Europe and they call for boycotts of Chinese buses instead of banning OTA updates on buses.

          • Mark with a Z@suppo.fi
            23 hours ago

            I do still think it’s better than nothing for awareness. It’s not a massive leap to go from “Chinese remotely brickable bus bad” to “any remotely brickable bus bad”.

            • Maeve@kbin.earth
              18 hours ago

              I would have thought so. From OP’s post history and plenty of comments, apparently it’s not.