Denmark is currently investigating a potential security vulnerability in its fleet of electric buses manufactured by Yutong, following a similar discovery in Norway. The concern centers around the possibility that these buses could be remotely deactivated, raising questions about national security and the risks associated with increasingly connected vehicles.
The Vulnerability Explained
The issue stems from a remote access function built into the buses, which Yutong claims is intended for software updates and technical troubleshooting. In Norway, the public transport operator Ruter found that its Yutong buses contained a Romanian SIM card enabling this remote access. While there’s no evidence of malicious activity, the possibility remains that unauthorized individuals could exploit this access to disable the buses’ systems, potentially locking passengers inside or disrupting public transportation.
Scope of the Concern
Denmark’s public transport company, Movia, operates 469 Chinese-built electric buses, 262 of which are manufactured by Yutong. The discovery in Norway prompted Danish authorities to launch their own investigation into the potential risks and how to mitigate them while still leveraging the benefits of connected vehicle technology.
Yutong’s Response and Data Security
Yutong maintains that it strictly adheres to applicable laws and regulations and stores European vehicle data at an Amazon Web Services (AWS) datacentre in Frankfurt. They emphasize that data is protected by storage encryption and access control measures, stating that access requires customer authorization and that they comply with EU data protection laws.
“The data is protected by storage encryption and access control measures,” a spokesperson added. “No one is allowed to access or view this data without customer authorisation. Yutong strictly complies with the EU’s data protection laws and regulations.”
Broader Implications for Connected Vehicles
This situation highlights a growing concern surrounding the security of connected vehicles. As more vehicles receive over-the-air (OTA) updates and transmit data, the potential for vulnerabilities and unauthorized access increases. This isn’t limited to buses; even tire manufacturers like Pirelli, which incorporates Chinese stakeholders through Sinochem, are facing scrutiny and potential restrictions.
Government Action and Future Trends
The US Department of Commerce recently finalized a rule prohibiting the sale of connected hardware and software systems from Russia and China, reflecting a broader trend toward government intervention to address national security concerns related to connected technology. This episode underscores the complexities of relying on foreign manufacturers for critical infrastructure, and the need for robust security protocols to safeguard against potential risks as our vehicles become increasingly sophisticated and interconnected.
