by Imagine waiting at a bus stop, checking your watch, and thinking: is the vehicle late, or did someone in another country hit the “off” switch? Welcome to the new era of public transport paranoia, courtesy of Movia in Denmark and its fleet of Chinese-made electric buses.
Denmark’s now sounding the alarm after finding that hundreds of these vehicles could, in theory, be deactivated remotely by their manufacturer Yutong, or anyone with access to the company’s computer systems.
Also: Norway’s Public Buses Have A Chinese Backdoor No One Knew About
It hasn’t happened, but the mere possibility has been enough to unsettle officials who rely on these buses to keep the capital moving.
Naturally this discovery has raised concerns over national security and Danish authorities are currently investigating how to limit unwanted access while still enjoying the useful benefits of having a fleet of connected vehicles.
What Could Possibly Go Wrong?
Denmark only learned of the vulnerability after neighboring Norway’s largest public transport operator, Ruter, uncovered the security flaw in its own fleet of Yutong buses.
It found the Chinese-built buses contained a Romanian SIM card that Yutong says enable the company’s engineers to remote roll out software updates and perform technical troubleshooting operations.
But while Ruter found no evidence of malicious activity, it notes that the same remote access functionality could potentially allow someone from another country to take over the buses’ electronic systems, shutting them down or locking the doors and shutting people inside.
Who Holds The Keys?
Denmark’s public transport company, Movia, says it runs 469 Chinese-built electric buses, 262 of which are from Yutong. But Yutong told The Guardian that it “strictly complies with the applicable laws, regulations, and industry standards of the locations where its vehicles operate,” and stores its EU vehicle data at an Amazon Web Services (AWS) datacentre in Frankfurt.
Also: Diplomats Fall For Cheap BMW Ad Giving Russian Hackers Access To Embassy Computers
“The data is protected by storage encryption and access control measures,” a spokesperson added. “No one is allowed to access or view this data without customer authorisation. Yutong strictly complies with the EU’s data protection laws and regulations.”
Though Yutong and China are under the spotlight on this occasion, the worries over connected vehicles don’t stop there, and are only going to create additional concern as more and more cars are able to accept OTA updates and transmit data.
Earlier this year the US Department of Commerce finalized a rule prohibiting the sale of connected hardware and software systems from Russia and China.
Even tire manufacturers aren’t immune, as Pirelli’s sensor-equipped Cyber Tire technology, partly linked to China through a Sinochem stake, is now facing potential restrictions under the same connected-vehicle scrutiny.
