News: 0179976450


Danish Authorities In Rush To Close Security Loophole In Chinese Electric Buses (theguardian.com)

(Wednesday November 05, 2025 @05:50PM (BeauHD) from the remote-control dept.)


An anonymous reader quotes a report from the Guardian:

> Authorities in Denmark are urgently studying how to close an [1]apparent security loophole in hundreds of Chinese-made electric buses that enables them to be remotely deactivated. The investigation comes after transport authorities in Norway, where the Yutong buses are also in service, found that the Chinese supplier had remote access for software updates and diagnostics to the vehicles' control systems -- which could be exploited to affect buses while in transit.

>

> Amid concerns over potential security risks, the Norwegian public transport authority Ruter decided to test two electric buses in an isolated environment. Bernt Reitan Jenssen, Ruter's chief executive, said: "The testing revealed risks that we are now taking measures against. National and local authorities have been informed and must assist with additional measures at a national level." Their investigations found that remote deactivation could be prevented by removing the buses' sim cards, but they decided against this because it would also disconnect the bus from other systems.

>

> Ruter said it planned to bring in stricter security requirements for future procurements. Jenssen said it must act before the arrival of the next generation of buses, which could be even "more integrated and harder to secure." Movia, Denmark's largest public transport company, has 469 Chinese electric buses in operation -- 262 of which were manufactured by Yutong.

Jeppe Gaard, Movia's chief operating officer, said he was made aware of the loophole last week. "This is not a Chinese bus problem," he said. "It is a problem for all types of vehicles and devices with Chinese electronics built in."



[1] https://www.theguardian.com/world/2025/nov/05/danish-authorities-in-rush-to-close-security-loophole-in-chinese-electric-buses



Access does at least appear to be encrypted (Score:4, Informative)

by Vlad_the_Inhaler ( 32958 )

> Samsik confirmed that it had been contacted by Movia and said that it was “not aware of any specific cases of deactivation of electric buses”.

> (snip)

> Yutong said it “strictly complies with the applicable laws, regulations, and industry standards of the locations where its vehicles operate” and that Yutong vehicle terminal data in the EU were stored at an Amazon Web Services (AWS) datacentre in Frankfurt.

> A spokesperson added: “This data is used solely for vehicle-related maintenance, optimisation and improvement to meet customers’ after-sales service needs. The data is protected by storage encryption and access control measures. No one is allowed to access or view this data without customer authorisation. Yutong strictly complies with the EU’s data protection laws and regulations.”

The summary implies that remote deactivation is not that difficult; that does not appear to be the case.

I'm not really familiar with Tesla vehicles; do they have remote deactivation? Does any other car manufacturer have that?

Re: (Score:2)

by thesandbender ( 911391 )

The statement from Yutong could be a little weasel-worded. The article is talking about remote deactivation; the spokesperson is talking about data collection. Nothing in the quoted statement addresses remote control. Chinese companies have a history of doing this when responding to this type of thing. 'A' is broken. What are you talking about, 'B' is just fine... nothing to see here! They misdirect or just flat out lie (Anker with their Robovacs being a recent, good example).

Clarification (Score:2)

by thesandbender ( 911391 )

"remote control" as in turn off the bus... not "drive the bus".

shutdown now (Score:4, Funny)

by darkain ( 749283 )

ssh [hostname]

shutdown now -h

(just wait until they learn there is a security flaw in most computers that allows them to be remotely deactivated as well)

Re: shutdown now (Score:1)

by RightwingNutjob ( 1302813 )

Yes. This is why .ssh/authorized_keys needs to be carefully managed as part of any security plan.

But I'm just a dumb bus driver. What do I know about the internets? Let the vendor figure it out.

Do the Danish have Smart Home kit? (Score:1)

by greytree ( 7124971 )

Someone had better tell them about Tuya:

https://community.home-assistant.io/t/tuya-security-concerns-in-the-news/363597

It's a global problem (Score:2)

by Todd Knarr ( 15451 )

I think the backdoor isn't Chinese in the sense of the government or the country; it's more of a vendor problem globally. Vendors do this to keep control of what they sell, to be able to force customers to buy support subscriptions on pain of having the product stop working if they don't. Vendors from countries other than China do this just as often. We should be worried about what all vendors do, not just Chinese vendors.
