Norwegian public transport operator Ruter has identified potential cybersecurity vulnerabilities in Yutong electric buses after conducting a series of tests on software and control systems. The findings revealed that the Chinese manufacturer has digital access for software updates and diagnostics, which, in theory, could allow remote manipulation of around 850 Yutong buses operating in Norway.
“In theory, this could be exploited to influence the bus,” Ruter said in a statement. However, the operator stressed that the issue is only theoretical and clarified that “the bus cameras are not connected to the Internet – there is no risk of image or video transmission from the buses.” The investigation focused on over-the-air update systems, which are common in modern vehicles to streamline software maintenance.
See also: Scotland’s McGill’s Adds 30 Yutong Electric Buses in £14 mln Investment
The test, conducted “in an isolated environment inside a mountain” during the summer, found that Yutong had external access to the battery and power management system through a Romanian SIM card. This could theoretically allow the manufacturer to disable a bus remotely. In contrast, a similar test on a VDL electric bus showed no such vulnerabilities, as the Dutch-built vehicle lacks over-the-air update capability.
“This comprehensive and unique test enables us to equip the buses with the right protection,” said Bernt Reitan Jenssen, CEO of Ruter. “Public transport in Oslo and Akershus must have access to the most advanced technology and the highest security. Following these tests, Ruter’s concerns have turned into concrete knowledge of how we can implement security systems that protect us from unwanted activities or hacking attempts on the buses’ computer systems.”
See also: Poland’s Bialystok Orders 30 Yutong Electric Buses in Second Procurement Round
Ruter said it has met with Norway’s Ministry of Transport and Communications, which supports efforts to strengthen cybersecurity standards. The operator plans to introduce its own firewalls to ensure local control, tighten security requirements in future bus tenders, and collaborate with local and national authorities to establish clearer cybersecurity protocols.