Security China Transportation

Danish Authorities In Rush To Close Security Loophole In Chinese Electric Buses (theguardian.com) 43

An anonymous reader quotes a report from the Guardian: Authorities in Denmark are urgently studying how to close an apparent security loophole in hundreds of Chinese-made electric buses that enables them to be remotely deactivated. The investigation comes after transport authorities in Norway, where the Yutong buses are also in service, found that the Chinese supplier had remote access for software updates and diagnostics to the vehicles' control systems -- which could be exploited to affect buses while in transit.

Amid concerns over potential security risks, the Norwegian public transport authority Ruter decided to test two electric buses in an isolated environment. Bernt Reitan Jenssen, Ruter's chief executive, said: "The testing revealed risks that we are now taking measures against. National and local authorities have been informed and must assist with additional measures at a national level." Their investigations found that remote deactivation could be prevented by removing the buses' sim cards, but they decided against this because it would also disconnect the bus from other systems.

Ruter said it planned to bring in stricter security requirements for future procurements. Jenssen said it must act before the arrival of the next generation of buses, which could be even "more integrated and harder to secure." Movia, Denmark's largest public transport company, has 469 Chinese electric buses in operation -- 262 of which were manufactured by Yutong.
Jeppe Gaard, Movia's chief operating officer, said he was made aware of the loophole last week. "This is not a Chinese bus problem," he said. "It is a problem for all types of vehicles and devices with Chinese electronics built in."

  • by Vlad_the_Inhaler ( 32958 ) on Wednesday November 05, 2025 @06:20PM (#65775932)

    Samsik confirmed that it had been contacted by Movia and said that it was “not aware of any specific cases of deactivation of electric buses”.

    (snip)

    Yutong said it “strictly complies with the applicable laws, regulations, and industry standards of the locations where its vehicles operate” and that Yutong vehicle terminal data in the EU were stored at an Amazon Web Services (AWS) datacentre in Frankfurt.

    A spokesperson added: “This data is used solely for vehicle-related maintenance, optimisation and improvement to meet customers’ after-sales service needs. The data is protected by storage encryption and access control measures. No one is allowed to access or view this data without customer authorisation. Yutong strictly complies with the EU’s data protection laws and regulations.”

    The summary implies that remote deactivation is not that difficult, that does not appear to be the case.
    I'm not really familiar with Tesla vehicles, do they have remote deactivation? Does any other car manufacturer have that?

    • by Anonymous Coward

      Didn't Musk deactivate some Tesla cars in Russia?

    • by thesandbender ( 911391 ) on Wednesday November 05, 2025 @06:46PM (#65775996)
      The statement from Yutong could be a little weasel worded. The article is talking about remote deactivation, the spokesperson is talking about data-collection. Nothing in the quoted statement addresses remote control. Chinese companies have a history of doing this when responding to this type of thing. 'A' is broken. What are you talking about, 'B' is just fine... nothing to see here! They misdirect or just flat out lie (Anker with their Robovacs being a recent, good example).
    • Certainly a Tesla kill switch is feasible. I bet law enforcement would love that. Hell, a Tesla suicide-and-murder-by-car switch is feasible. I doubt such software has been written, but it's 100% doable. Musk has few to no morals.

      • by jezwel ( 2451108 )

        Certainly a Tesla kill switch is feasible. I bet law enforcement would love that. Hell, a Tesla suicide-and-murder-by-car switch is feasible. I doubt such software has been written, but it's 100% doable. Musk has few to no morals.

        not written eh?

        https://electrek.co/2025/10/16... [electrek.co]

        • Hah! Good point. But that's just the more realistic driver mode for FSD, as opposed to sitting in the left lane at 60 like most Tesla drivers do.

          The thing you have to realize about Teslas is that, despite having massively wonderful motors, excellent efficiency, and strong (though no longer leading) battery designs, they have utter shit for suspension. Thus, even with 500 HP, they are driven like grandma cars. Meanwhile, a grandma in a 200 HP BMW will drive twice as fast.

    • I'm not really familiar with Tesla vehicles, do they have remote deactivation?

      Yes. It's a feature Tesla use quite actively during test drives. Tesla claims to never apply it to a purchased car once the title is transferred though.

    • ... any other car manufacturer ...

      The manufacturers of cars and car electronics have not admitted to such technology. Spyware and driver assistant, OnStar, have claimed such control over the manufacturer's hardware. Russian owners of Cyber-trucks have also made such claims against Tesla.

    • by rta ( 559125 )

      Does any other car manufacturer have that?

      All or most GM vehicles have had that since ~2009. They used to advertise it on TV about how they'll stop the car if it's stolen.
      see e.g. https://www.youtube.com/watch?... [youtube.com]

      Tesla also offers some stuff like this. Ford claims not to... but not sure.

    • Tesla and other automakers have the ability to push emergency firmware updates. In Tesla's case, every car is continuously connected through a built-in, Tesla-managed cellular service, allowing the company to update nearly any subsystem remotely. This means they could, in theory, push drivetrain firmware that doesn't function correctly. It's also very likely that they have more straightforward “lockdown” options too.
      • So then the question isn't even whether they could shut down a car today. The question is could they push the firmware to do it if they wanted to. The answer is almost definitely yes.
      • Oh, good to know and thus stay away from Tesla cars. Until they implement a persistent kill switch (not for the car but for RF emissions), I'm not going to buy one.

    • by AmiMoJo ( 196126 )

      Came to say, this is standard on many vehicles from other countries too. Tesla can remotely brick cars, disable DC charging capability, remove features that the owner paid for etc. Many vehicles have some kind of telemetry interface now, especially commercial ones where it's seen as a feature (for tracking, driver monitoring, anti-theft, maintenance).

      There was a bit of a controversy when Hyundai introduced a "feature" via software update that allowed them to geofence or remotely disable vehicles.

      The only di

    • by TWX ( 665546 )

      I'd be much more concerned that if the buses are also tunneling back to the polity's network that there's now a vulnerable IoT device that allows using the method to do maintenance to then hop into another network.

      This seems like something that doesn't need to be in a vendor cloud.

  • by darkain ( 749283 ) on Wednesday November 05, 2025 @06:31PM (#65775956) Homepage

    ssh [hostname]
    shutdown now -h

    (just wait until they learn there is a security flaw in most computers that allows them to be remotely deactivated as well)

    • Yes. This is why .ssh/authorized_keys needs to be carefully managed as part of any security plan.

      But I'm just a dumb bus driver. What do I know about the internets? Let the vendor figure it out.

  • Someone had better tell them about Tuya:

    https://community.home-assistant.io/t/tuya-security-concerns-in-the-news/363597
  • I think the backdoor isn't Chinese in the sense of the government or the country, it's more of a vendor problem globally. Vendors do this to keep control of what they sell, to be able to force customers to buy support subscriptions on pain of having the product stop working if they don't. Vendors from countries other than China do this just as often. We should be worried about what all vendors do, not just Chinese vendors.

  • If your device can choose on its own who in the world to connect to then the manufacturer has complete control over the device. About the only devices I can think of that don't are zigbee devices but that's because you completely control the network the device is on. If the device has Wi-Fi, cellular or satellite connectivity then you don't have complete control.

    If Danish actually cared about security they would control the cellular module and only allow it to connect to their servers. The fact they
  • Pop quiz, hotshot. There's a software bomb on a bus. Once the bus goes 50 miles an hour, the bomb is armed. If it drops below 50, it blows up. What do you do? What do you do?

  • If only a strange hybrid of John Deere and Tesla built buses, those would not have this problem, right?

    Right?

    I don't know why large buyers, in particular, allow end-to-end encrypted traffic between the vendor and the products the buyer ostensibly owns.

    At the very least, the traffic should be open to inspection by the buyer, who should be able to selectively turn off or disable aspects of it.

    • by cusco ( 717999 )

      Wouldn't EU privacy rules require the encryption?

      • Yes, the problem with 'end-to-end encrypted traffic' is one end is the device, and the other end is the manufacturer. The supposed owner gets no look at the data 'his' device is sending

        If (say) the bus services a naval base, very sensitive information may be transmitted (stop location, duration, schedule, internal fuel level...)

  • So crying "China!" is once again misplaced.

  • a default deny firewall for the win?

  • by SuperDre ( 982372 ) on Thursday November 06, 2025 @07:17AM (#65776982) Homepage
    "This is not a Chinese bus problem," he said. "It is a problem for all types of vehicles and devices with Chinese electronics built in." That last sentence should omit "Chinese", as US electronics are even known to have backdoors, so do not only point fingers at China, but at every electronics used, no matter which country it was devised in.
    • Norway and Denmark need to be worried that the US will shut down and crash their buses in the event of a war with the US.
