European Countries Probing ‘Security Loophole’ in China-Made Electric Buses

Several European countries are investigating whether Chinese-made electric buses could be remotely deactivated, amid growing national security concerns over China-built infrastructure across the continent.

Norway, Denmark, and the United Kingdom are reportedly worried about what they are calling a potential “security loophole†in electric buses made by Chinese manufacturer Yutong. The Zhengzhou-based company is the world’s largest manufacturer of buses by sales volume.

The probes are the latest in a string of moves driven by fears that tech infrastructure made in China could be turned against its operators if relations with Beijing ever sour. Similar concerns led several countries in recent years to restrict the use of equipment from Chinese telecom giants Huawei and ZTE in 5G networks.

The timing of these new bus probes also comes as another European country, the Netherlands, and China spar over control of chipmaker Nexperia—a dispute that, if unresolved, could threaten the global auto supply chain.

Norway was the first to sound the alarm. Ruter, which operates about half of the country’s public transportation network, including in Oslo, said last month that it tested a new bus from Yutong and a three-year-old model from Dutch manufacturer VDL in an underground mine to see if they could be hacked.

The company found that Yutong Group had direct digital access to its vehicles for software updates and diagnostics, while the VDL bus did not provide its manufacturer with the same access.

According to NBC News, the report stated that in theory, the bus could be “stopped or rendered inoperable by the manufacturer.â€

Movia, a public transportation provider in Denmark, soon afterward launched its own investigation but noted that this kind of security risk isn’t unique to China.

“Electric buses, like electric cars, in principle can be remotely deactivated if their software systems have online access,†Movia chief operating officer Jeppe Gaard told NBC News.

He added that this isn’t just a “Chinese bus concern; it is a challenge for all types of vehicles and devices with these kinds of electronics built in.â€

The U.K. is now the latest country to launch a probe into the issue.

“We are looking into the case and working closely with the UK’s National Cyber Security Centre to understand the technical basis for the actions taken by the Norwegian and Danish authorities,†the country’s Department for Transport told The Financial Times.

Yutong did not immediately respond to Gizmodo’s request for comment. However, in an emailed statement to NBC News, the company said it “understands and highly values the public’s concerns regarding vehicle safety and data privacy protection,†and that it “strictly complies with applicable laws, regulations, and industry standards.â€

Yutong added that vehicle data is stored in an Amazon Web Services data center, protected by encryption, and cannot be accessed without customer authorization.