Jasper Jolly 

UK transport and cyber-security chiefs investigate Chinese-made buses

Move to assess potential risk of remote meddling by Beijing with Yutong buses follows investigations in Norway and Denmark
  
  

A Yutong bus, owned by Norwegian public transport operator Ruter during a test of the vehicle's communication system in Sandvika, Norway. Photograph: Eilif Swensen/AP

The UK is to investigate whether hundreds of Chinese-made buses can be controlled remotely by their manufacturer, amid increasing concerns over Beijing’s involvement in British infrastructure.

The Department for Transport and the National Cyber Security Centre are examining whether buses made by Yutong could be vulnerable to interference.

A spokesperson for the Department for Transport said: “We are looking into the case and working closely with the UK’s National Cyber Security Centre to understand the technical basis for the actions taken by the Norwegian and Danish authorities.

“The department takes security issues extremely seriously and works closely with the intelligence community to understand and mitigate potential risks.”

Yutong began as the Zhengzhou Bus Repair Factory in 1963 in the Central China province of Henan. It says it has exported nearly 110,000 buses to more than 100 countries, capturing more than 10% of the global market.

In the UK, its buses are used in Bristol, Essex, Leicester, Nottingham, south Wales and South Yorkshire, among other locations.

However, an investigation in Norway by Oslo’s public transport service, Ruter, found that Yutong buses could theoretically be “stopped or rendered inoperable” by the manufacturer. Denmark also opened an investigation after the Norwegian findings.

Ruter did not say there was any evidence that Yutong had tried to control the buses, and said it would impose “even stricter security requirements in future procurements”. It also said that the buses’ cameras were not connected to the internet, and “there is no risk of image or video transmission from the buses”.

Any evidence that a Chinese manufacturer had interfered with bus or car operations would probably have a devastating impact on vehicle exports, a key industrial aim for China’s government.

Nevertheless, digital security experts have warned for years that over-the-air updates to cars could pose a security or privacy threat, whether from a hostile state or from criminal groups.

Ruter said it had tested two buses from Yutong and Dutch manufacturer VDL in a facility inside a mountain tunnel – a measure that would prevent remote tampering during tests. Yutong’s buses are capable of over-the-air software updates, meaning that the manufacturer has the ability to change software.

Ruter said: “There is access to the control system for battery and power supply via mobile network through a Romanian sim card. In theory, therefore, this bus can be stopped or rendered inoperable by the manufacturer.”

Over-the-air updates are a common feature of modern vehicles, including many mid-range cars made in the UK, US, Europe and China. With slick digital interfaces increasingly becoming one of the most important attractions for buyers, manufacturers and drivers value the ability to access the latest software.

Yutong did not immediately respond to a request for comment. The company previously told the Sunday Times that it “strictly complies with the applicable laws, regulations and industry standards of the locations where its vehicles operate”.

 
