OSLO—In a revelation that has sent shockwaves through Europe’s public transportation sector, Norwegian authorities have uncovered hidden remote-access capabilities in electric buses manufactured by Chinese company Yutong. These features, including concealed SIM cards and software backdoors, allow for potential remote shutdowns from abroad, prompting an urgent review of cybersecurity protocols in critical infrastructure.

The discovery came during routine security tests conducted by Ruter, Oslo’s public transport operator, on a fleet of newly acquired Yutong buses. According to reports, the buses contain embedded systems that enable remote diagnostics, software updates, and even control over battery and power systems—capabilities that could theoretically halt operations from thousands of miles away in China.

This incident highlights growing concerns over supply chain vulnerabilities in the era of connected vehicles, where electric buses represent a key component of sustainable urban mobility. Industry experts warn that such hidden features could be exploited not just by manufacturers but by malicious actors, raising alarms about national security in an increasingly digitized transport landscape.

Unveiling the Vulnerability

Details emerged from a security audit initiated after Ruter tested the buses’ connectivity features. As reported by Scandasia, hidden remote-access SIM cards were found, allowing unauthorized external control. “We have identified risks related to remote access that could potentially affect the operation of the buses,” a Ruter spokesperson stated in the article.

Further investigations, covered by Carscoops, revealed an SD card in the buses that grants the manufacturer remote access. This includes the ability to disable vehicles remotely, a feature not disclosed in procurement contracts. The Norwegian transport minister has since launched a full probe, emphasizing the need for transparency in international supply chains.

Posts on X (formerly Twitter) from users like PeterSweden amplified public awareness, noting that over 1,200 such buses have been ordered for environmental reasons, only to reveal these cybersecurity flaws. One post highlighted: “They can remotely send diagnostics, do software updates and cut the battery power.”

Broader Implications for Transport Security

Norway’s case is not isolated. Similar concerns have surfaced in other sectors, but this marks a significant escalation in public transport. According to Cybernews, the remote control extends to the buses’ diagnostics module and battery systems, potentially allowing for mass disruptions.

The Norwegian government, as detailed in a report by Anadolu Ajansı, is now reviewing cybersecurity risks across all public transport assets. “Manufacturer access allows buses to be stopped from China,” Ruter confirmed, prompting immediate action to mitigate threats.

Industry insiders point to this as a wake-up call for Europe. A recent article in Focus on Travel News noted that Norway is investigating these buses after finding they can be remotely accessed, raising broader concerns about foreign-made critical infrastructure.

Technical Breakdown of the Backdoor

At the heart of the issue are embedded IoT (Internet of Things) components in Yutong’s electric buses. Security experts, as quoted in Sustainable Bus, describe how these systems include SIM cards for over-the-air updates, but with insufficient safeguards against unauthorized access.

Latest updates from Gigadgets indicate that hundreds of these buses could be vulnerable to remote shutdowns, reshaping European transit cybersecurity standards. “A recent security review found that hundreds of Chinese-made electric buses in Norway could be remotely disabled from abroad,” the publication reported just hours ago.

Norwegian officials are collaborating with cybersecurity firms to patch these vulnerabilities. As per Business Standard, Ruter plans to introduce stricter security requirements and anti-hacking measures following the tests.

Geopolitical Tensions and Supply Chain Risks

The scandal has fueled debates on dependency on Chinese technology. Historical context from X posts, such as those referencing past cyber attacks on Norway’s parliament attributed to China in 2021 by Reuters, underscores ongoing tensions.

Analysts from The Republic News highlight how this fits into a pattern of concerns over Chinese state-owned entities in critical infrastructure. “The manufacturer could remotely turn them off,” echoed in multiple reports, pointing to potential espionage or sabotage risks.

In response, Norway is tightening procurement policies. A post on X by Luke de Pulford noted the transport minister’s investigation into SIMs enabling remote control, reflecting broader European scrutiny of Chinese tech imports.

Industry Responses and Future Safeguards

Bus manufacturers worldwide are watching closely. Yutong has not publicly responded to the allegations, but experts suggest this could lead to mandatory cybersecurity certifications for imported vehicles. South China Morning Post reported: “The manufacturer has access to the vehicles’ control systems, which could in theory be used to turn them off.”

European regulators may follow Norway’s lead, with calls for diversified supply chains. As detailed in WJTV, Ruter is stepping up anti-hacking measures to prevent remote halts.

X sentiment, including posts from Matthijs Pontier warning about remote shutdowns, indicates public outrage and calls for accountability. This event could accelerate the adoption of blockchain or AI-driven security in transport IoT.

Economic and Environmental Trade-offs

Norway’s push for electric buses was driven by climate goals, with over 1,200 units ordered for sustainability. However, as Risky Bulletin notes, this has led to unexpected cybersecurity trade-offs, including risks to students and infrastructure.

The cost of retrofitting or replacing vulnerable buses could run into millions, straining public budgets. Industry insiders argue for balancing green initiatives with security, potentially favoring European manufacturers like Volvo or MAN in future tenders.

Looking ahead, this scandal may influence global standards. Posts on X from Hacker News accounts discuss the need for international protocols to prevent such hidden features, emphasizing transparency in connected vehicle tech.

Lessons for Global Infrastructure

As nations digitize transport, Norway’s experience serves as a cautionary tale. Experts recommend third-party audits and open-source components to mitigate risks. The incident echoes past concerns, like those in Andy Lee’s X threads about Chinese servers handling Norwegian data in 2022.

Governments are urged to prioritize cybersecurity in procurement. With electric vehicles proliferating, ensuring supply chain integrity is paramount to prevent disruptions in critical sectors like public transport.

Norway’s proactive response—enhancing controls and reviews—could set a precedent, fostering a more secure future for connected infrastructure worldwide.