Cybersecurity gaps in Norwegian Yutong buses?
According to Ruter, digital access to control systems for software updates and diagnostics could, in theory, allow 850 Yutong buses in Norway to be manipulated remotely. The operator’s statement remains deliberately factual, simply noting that the Chinese manufacturer “has digital access to the control systems for software updates and diagnostics.”
Ruter adds: “In theory, this could be exploited to influence the bus,” and emphasises that “the bus cameras are not connected to the Internet – there is no risk of image or video transmission from the buses.”
In other words, the issue concerns a theoretically possible remote connection, which is necessary for performing software updates over the air. Possibly because Yutong is a Chinese company, some media outlets have reported the story in a less neutral tone than Ruter itself. A German outlet even claims that “the investigation showed that 850 Yutong buses in Norway could be remotely controlled and even completely stopped from China.”
In fact, the test took place during the summer “in an isolated environment inside a mountain” – a disused mine – to prevent any potential mobile network connection and external interference. The analysis revealed that Yutong had external access to the battery and power management system, specifically via a Romanian SIM card. This means the manufacturer could – at least theoretically – disable a bus remotely. A parallel test on a three-year-old electric bus from VDL showed better results, as the vehicle does not support over-the-air updates and thus has no external access points. The trade-off is that it cannot receive software updates wirelessly.
Ruter also noted that the systems in the Yutong bus were “barely integrated”, meaning they were not particularly well concealed, which is not what one would expect if a hidden backdoor for remote deactivation had been intended.
The bus has only one access point to critical functions. “This makes it easy to isolate from the outside world. We can also delay signals sent to the bus to review updates before they reach it. Such mechanisms are currently being implemented,” Ruter stated. Security experts discovered vulnerabilities in a Chinese software update platform used by Yutong, among others. “The vulnerabilities have been reported to the platform provider and have since been fixed,” the operator said.
“This comprehensive and unique test enables us to equip the buses with the right protection. Public transport in Oslo and Akershus must have access to the most advanced technology and the highest security,” said Bernt Reitan Jenssen, CEO of Ruter. “Following these tests, Ruter’s concerns have turned into concrete knowledge of how we can implement security systems that protect us from unwanted activities or hacking attempts on the buses’ computer systems.”
Ruter has met with the Ministry of Transport and Communications, which “wants to work with us to find a solution.” The company plans to tighten security requirements for future procurements, develop its own firewalls “to ensure local control and protect against hacking”, and cooperate with local and national authorities to establish clear cybersecurity standards.
“Buses currently have the same level of functionality as passenger cars from 2016. It is true that as driver assistance and autonomous systems become more widespread, the risk increases if measures are not taken in advance,” the company stated.
ruter.no (statement in Norwegian), sustainable-bus.com
This article was first published by Sebastian Schaal for electrive’s German edition.



