Chinese electric bus manufacturer Yutong has denied allegations that its vehicles operating in Europe can be remotely accessed or controlled from China, following cybersecurity concerns raised by Norwegian public transport operator Ruter. The company said that key systems such as steering, braking, and acceleration cannot be manipulated via software connections.
Earlier this week, Ruter said its security tests identified potential cybersecurity risks linked to over-the-air (OTA) software updates in Yutong’s electric buses. The operator warned that digital access for diagnostics and updates could, in theory, allow remote manipulation of the buses’ control systems.
See also: Scotland’s McGill’s Adds 30 Yutong Electric Buses in £14 mln Investment
Yutong dismissed those claims, telling Germany’s Berliner Zeitung that “such control is technically impossible.” The manufacturer explained that while its electric buses maintain a data link for diagnostics and software updates, there is “no physical connection between the T-Box main control unit and safety-critical systems such as propulsion, steering, or braking.” The company added that all data from its European vehicles are stored at an Amazon Web Services (AWS) data centre in Frankfurt and are “protected through encryption and strict access control.”
Yutong further clarified that OTA updates occur only with an operator’s explicit approval and are limited to non-safety features such as user interfaces, diagnostic software, and comfort functions. Some remote functions, such as interior preconditioning before service, are available to operators, but the company emphasized it “has no access to those systems,” which are managed entirely by local operators.
See also: Poland’s Bialystok Orders 30 Yutong Electric Buses in Second Procurement Round
Ruter later said its findings were based on a theoretical risk and that no incidents involving Yutong buses had been reported. Nonetheless, the issue has added momentum to a broader European debate over the use of Chinese-made technology in public transport and critical infrastructure.
According to The Guardian, Denmark’s national civil protection authority has launched an investigation following the Norwegian reports. Movia, Denmark’s largest public transport operator, runs 469 electric buses built in China, including 262 supplied by Yutong. The Danish agency said it was unaware of any incidents but acknowledged that connected components such as GPS units, cameras, and sensors could present potential vulnerabilities.
