The Ruter found potential cybersecurity risks in the buses of the Chinese brand Yutong, which can be accessed remotely through a “gateway” to control the vehicle’s control systems, alongside remote over-the-air updates. The Norwegian public transport operator conducted tests in a controlled environment with two buses, one new from Yutong and another, three years old, from VDL, for comparative purposes, having identified potential issues with unauthorized access to the vehicle’s operational systems, allowing them to be disabled remotely or to face other operational problems.
In a statement, Ruter indicates that the security of the images is not at stake, but “the Chinese supplier has digital access to the control systems for ‘software’ updates and diagnostics. In theory, this could be exploited to affect the bus. There is access to the battery and power supply control system through the mobile network, via a Romanian SIM card. Therefore, in theory, this bus could be stopped or rendered inoperable by the manufacturer. There is a low degree of integration between the bus systems, and there is only one output and access to the bus’s critical functionality. This makes it easier to isolate it from contact with the outside world. We can also delay the signals to the bus, so we can obtain information about the updates sent before they reach the bus. These mechanisms are now being implemented”, assures the company, which is already developing solutions to prevent potential risk situations, in collaboration with security authorities. It also confirms that it intends to implement more elaborate security requirements for vehicles to be used, aiming to act before the arrival of the next generation of buses, so that “it becomes more integrated and difficult to protect.”
This case has caught the attention of the authorities in Denmark, where there are 262 Yutong vehicles in operation serving the transport company Movia, which, according to the British newspaper The Guardian, is now investigating ways to avoid such cybersecurity risks in its vehicles. However, in statements quoted by the British newspaper, the Operations Director of Movia, Jeppe Gaard, explains that the risk of buses being deactivated remotely while connected to the network “is not exclusive to Chinese buses. It is a problem for all types of vehicles and objects with Chinese electronic components inside”. No issues of malfunctioning buses due to cyberattacks have been reported, but it has been pointed out by the civil protection and emergency management agency, Samsik, that there are subsystems that pose vulnerabilities to the correct and desired operation of the vehicles.
For its part, Yutong assures that its buses scrupulously comply with all cybersecurity requirements in force in Europe, and that the data collected is preserved on the continent, specifically in the Amazon Web Services (AWS) data center in Frankfurt, Germany. According to The Guardian, a spokesperson for Yutong stated that the data collected by the buses is related “merely for the purpose of vehicle maintenance, optimization, and improvements to meet customer after-sales service needs”.
