Norway’s leading public transport operator, Ruter, announced new cybersecurity measures and stricter procurement rules after tests revealed that Chinese-made electric buses could, in theory, be remotely disabled by their manufacturer.
The findings emerged from a series of security tests that showed bus maker Yutong Group retained remote access to software systems in its vehicles, allowing it to conduct over-the-air updates and diagnostics. “In theory, this could be exploited to affect the bus,” Ruter said in a statement released last week.
The company, which operates roughly half of Norway’s public transport network — including services in Oslo and Akershus — said the results prompted it to strengthen security protocols and work closely with national authorities to prevent hacking or data misuse.
The cybersecurity tests were carried out in underground mines, an environment chosen to block external communication signals and ensure complete isolation from outside networks. Engineers examined both newly delivered Yutong electric buses and three-year-old Dutch-made VDL buses for vulnerabilities.
The results showed that while the VDL buses lacked the capability for over-the-air updates, the Yutong buses could be accessed remotely for software maintenance — a feature that, while standard for modern electric vehicles, raised alarms over potential misuse.
Yutong, one of the world’s largest bus manufacturers, has yet to respond to detailed questions from the Associated Press. However, The Guardian reported that the company said it “strictly complies with local laws and regulations” in the countries where it operates.
In a statement cited by the newspaper, a Yutong spokesperson said the data collected from buses is stored in Germany, encrypted, and “used solely for vehicle-related maintenance, optimization and after-sales service.”
According to Yutong’s website, the company has sold tens of thousands of buses across Europe, Africa, Latin America, and the Asia-Pacific region, including over 100 that currently operate in Ruter’s Norwegian fleet.
The Norwegian tests were partly motivated by growing global concerns about digital surveillance and remote access in critical infrastructure, particularly involving foreign technology suppliers.
Ruter’s findings underscore a broader challenge facing transportation systems worldwide: as vehicles become increasingly connected and reliant on over-the-air software, they also become potential targets for cyberattacks or unauthorized control.
“Following this testing, Ruter moves from concern to concrete knowledge about how we can implement security systems that protect us against unwanted activity or hacking of the bus’s data systems,” Ruter CEO Bernt Reitan Jenssen said.
Similar worries have been raised elsewhere. In the United States, regulators in January launched an investigation into Tesla after reports that vehicles equipped with remote movement technology had been involved in crashes while being summoned by their owners via smartphone apps.
Although Ruter emphasized that Yutong buses are not autonomous, it confirmed that the manufacturer can access “the control system for battery and power supply via the mobile network.” That, in theory, means the buses could be stopped or rendered inoperable remotely.
The issue has reverberated beyond Norway. In Denmark, transport operator Movia said it was reviewing its cybersecurity risk assessments and evaluating how to prevent data misuse, espionage, or the disabling of buses.
While Danish authorities have not reported any such incidents, Movia acknowledged the need to “eliminate vulnerabilities” and strengthen safeguards. It added that findings from the Norwegian study were presented at the InformNorden traffic conference by experts from the University of South-Eastern Norway, who concluded that neither hackers nor suppliers could currently take direct control of a bus.
Movia also cautioned against framing the issue as a problem unique to Chinese manufacturers. “It is important to emphasise that this is not a Chinese bus concern — it is a problem for all types of vehicles and devices with this kind of electronics built in,” the company said in an email response.
In response to the test results, Ruter said it will impose tougher security standards for future bus purchases, develop firewalls to guarantee local control, and ensure that updates from manufacturers are screened before reaching the vehicles.
The company also said it is working with government agencies to establish “clear cybersecurity requirements” for all public transport suppliers in Norway.
To limit vulnerabilities, Ruter plans to delay incoming digital signals, giving its engineers time to inspect any software updates or data exchanges between manufacturer servers and buses.
The company added that onboard cameras are not connected to the internet, ruling out the risk of image or video transmission from buses to external servers.
While Ruter emphasized that the buses cannot currently be driven remotely, it acknowledged the importance of preemptive measures. “This is about ensuring that critical public transport infrastructure remains under Norwegian control,” the company said.
As electric and connected vehicles become increasingly central to Europe’s decarbonization goals, the incident highlights the tension between technological innovation and national security — a dilemma that governments across the continent are now racing to manage.
