Norway: Chinese-made electric buses have major security flaw, can be remotely stopped and disabled by their manufacturer in China, Oslo operator says

The public transport operator in Norway’s capital said Tuesday that some electric buses from China have a serious flaw – software that could allow the manufacturer, or nefarious actors, to take control of the vehicle.

Oslo’s transport operator Ruter said they had tested two electric buses this summer – one built by China’s Yutong and the other by Dutch firm VDL.

The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates that made it vulnerable, whereas the Dutch model did not.

“We’ve found that everything that is connected poses a risk – and that includes buses,” Ruter director Bernt Reitan Jenssen told public broadcaster NRK.

“There is a risk that for example suppliers could take control, but also that other players could break into this value chain and influence the buses.”

Ruter said it was now developing a digital firewall to guard against the issue.

According to other reports, the Chinese manufacturer has access to each bus’s software updates, diagnostics, and battery control systems. “In theory, the bus could therefore be stopped or rendered unusable by the manufacturer,” the company said.

Ruter has reported its findings to Norway’s Ministry of Transport and Communications.

Arild Tjomsland, a special advisor at the University of South-Eastern Norway who helped conduct the tests, said: “The Chinese bus can be stopped, turned off, or receive updates that can destroy the technology that the bus needs to operate normally.”

[…]

  • plyth@feddit.org · ↑3 · 3 hours ago

    Don’t forget that the Norwegian phone network can block access to all Chinese SIMs in case of war, and then only allow connections from known origins. With all the other Chinese electronics and cars they have to implement it anyway.

    • Hotznplotzn@lemmy.sdf.org (OP) · ↑2 · 1 hour ago

      The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates that made it vulnerable, whereas the Dutch model did not.

    • Norah (pup/it/she)@lemmy.blahaj.zone · ↑7 · 3 hours ago

      It very much does mean the sort that is in a cellphone, connecting to GSM networks. Anytime you hear about a car that has OTA updates, that’s how they’re doing it. That includes electric cars like Tesla, but also ICE cars made by Hyundai, Honda, BMW and others. Manufacturers have been found to be selling information about your driving patterns to insurance companies without the consent of the owner, affecting their premiums.

      They can afford to because they are data-only plans, bought in large bulk quantities, with fairly low data caps.

    • JASN_DE@feddit.org · ↑4 · 3 hours ago

      Nowadays most likely some form of eSIM, but yeah, pretty much the same as in a cellphone.

    • Kornblumenratte@feddit.org · ↑1 · 3 hours ago

      Almost all cars are permanently online nowadays, not only EVs, and the car’s manufacturer has a detailed profile on it. This has been standard tech for years.

      Investigating a modern car and finding a SIM card is as surprising as finding an engine or a brake. The odd one out is not the Chinese bus, but the Dutch one, if it really has no SIM card.

  • cassandrafatigue@lemmy.dbzer0.com · ↑8 · 12 hours ago

    Genuinely sick of this shit. From anyone. I can’t build all my own shit. I don’t need my couch spying on me, that’s what my phone is for.

  • Alcoholicorn@mander.xyz · ↑39 · 21 hours ago

    Iveco makes ~50% of European buses. The next biggest is Mercedes. Then MAN. They all do this. Weird how people came away from the article thinking this is a Chinese problem though.

      • newaccountwhodis@lemmy.ml · ↑11 · 14 hours ago

        The article does not mention the biggest bus manufacturers that do exactly the same. It does however recontextualize that lurid headline as remote updates are industry standard.

    • Hotznplotzn@lemmy.sdf.org (OP) · ↑28 · edited · 19 hours ago

      @alcoholicorn@hexbear.net

      The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates that made it vulnerable, whereas the Dutch model did not.

      And even if you are right, it makes a huge difference whether a European company does that or a malign foreign state-actor. For the same reason, btw, China has been banning European and other non-Chinese companies from their domestic markets. For example, China’s ban of Nokia and Ericsson from its domestic networks was said to be over national security. Europe must do the same.

      • Kornblumenratte@feddit.org · ↑1 · 3 hours ago

        Yes, that’s what the article states.

        Nonetheless all modern vehicles use computers that need updating. This is not a Chinese problem, it is a well known problem inherent to modern car tech. If the Dutch model’s computer is air gapped, it’s one of a kind.

        And I agree, vehicles shouldn’t be connected to the Internet.

      • WhyJiffie@sh.itjust.works · ↑14 · 19 hours ago

        europe should just ban internet connected vehicles. entertainment system? fine if it can be easily disabled. anything else? hard no!

        • newaccountwhodis@lemmy.ml · ↑3 · 14 hours ago

          If Germany left the EU this might happen. But the BMW state won’t ever let regulation of car manufacturers happen. Except maybe if it only targets “foreign” companies.

        • Damage@feddit.it · ↑8 · 15 hours ago

          I mean, yeah, but the point is right if you check out the other guy’s post history

          • mholiv@lemmy.world · ↑12 · 16 hours ago

            But it is informative. Not all accounts from .ml are weirdly pro Russia or China, but if an account is weirdly pro Russia or pro China it’s probably from .ml.

            • Amnesigenic@lemmy.ml · ↑1 · 7 hours ago

              No it isn’t, you don’t have an actual counter-argument so you gesture vaguely at a category you consider to be disqualifying

              • mholiv@lemmy.world · ↑1 · edited · 1 hour ago

                Maybe to people inside .ml it isn’t informative, but to people outside of .ml it really is.

                For people outside of .ml it’s like hearing “just look the manager in the eye and give them a handshake. Then you’ll get the job!” This advice just comes off as weird and disconnected till you realize the person is a boomer. Then it clicks and you realize why they have such a bad take.

                Like .ml not all boomers have weird takes but if you see a weirdly disconnected take on job hunting knowing the poster is a boomer is informative.

                Same with weird pro Russia or pro China takes with .ml.

                When people outside of .ml see takes like “Putin is waging a just, defensive, war against Ukraine!” The take is so bad as to be disconnected from reality, then you realize the poster is .ml and it snaps into place. Just like the boomer situation.

                Again not all .ml have such bad takes, just like not all boomers have bad takes but when you see such a bad take knowing helps clarify things. It’s informative.

                I hope this helps you understand even if you don’t agree.

  • Mihies@programming.dev · ↑33 · 22 hours ago

    It’s mind boggling that EU allows communication from/to vehicles and appliances (without opt-in?) and without a hardware switch that disables all communication in first place.

      • Hotznplotzn@lemmy.sdf.org (OP) · ↑6 · 16 hours ago

        @raspberriesareyummy@lemmy.world

        they force it on new vehicles. Fascist pieces of shit that our EU overlords are.

        As the article says:

        The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates that made it vulnerable, whereas the Dutch model did not.

      • nibbler@discuss.tchncs.de · ↑9 · 21 hours ago

        I thought so, too. But can’t find any sources on that.

        There are mandatory black boxes to record telemetry to reconstruct accidents, but those are not (at least not necessarily) online. Automatic emergency calls are mandatory if an accident is detected. This forces “online tech” into the car but is by no means what is discussed here. Factually I guess most European cars are “always online” but it’s their own choice.

        • raspberriesareyummy@lemmy.world · ↑5 · 20 hours ago

          See my reply to the other comment. The moment there is no hardware kill-switch for it, you can be sure the fuckers will track our every step. Eventually they’ll probably sell the data to insurers or worse…

      • Mihies@programming.dev · ↑5 · 21 hours ago

        I wouldn’t be surprised and I’m curious, do you have any reference to EU forcing communications?

        • raspberriesareyummy@lemmy.world · ↑12 · edited · 21 hours ago

          https://www.everythingrf.com/community/what-is-ng-ecall

          NG eCall support will be mandatory across the EU for all new vehicles from January 1, 2026, as the automotive industry and PSAPs have until January 2026 to support NG-eCall. From 2027 manufacturers will be unable to sell vehicles that are incompatible with NG-eCall.

          I hate these totalitarian pieces of garbage so much…

          For clarification: this will mean sim cards in each vehicle with full GPS tracking data of us being available 24/7 to the fascist overlords.

    • SaveTheTuaHawk@lemmy.ca · ↑3 · 19 hours ago

      I had a Ford (complete POS) that could only get software upgrades by USB stick, files downloaded.

    • FiskFisk33@startrek.website · ↑27 · 22 hours ago

      Don’t forget those Polish trains, this is not simply a China vs West situation, this is ridiculously widespread. Lawmakers should have been all over this years ago!

      • mech@feddit.org · ↑42 · 1 day ago

        It does matter, if there is ever a conflict between China and the EU, China can completely disable our infrastructure without firing a shot.
        It would have the same effect as a nuke on all cities.

        • remon@ani.social · ↑31 · 1 day ago

          It would have the same effect as a nuke on all cities.

          Yeah, just like the other day when there was a problem with the overhead line which stopped all the trams and gave me radiation poisoning.

            • Whostosay@sh.itjust.works · ↑8 · 23 hours ago

              Let’s be real for a sec, the only thing that can turn a couple square miles of city into glass is a nuke. There is no alternative.

              • CybranM@feddit.nu · ↑3 · 17 hours ago

                Obviously, but turning off all electronics in a city will have an immense impact.

                • Maeve@kbin.earth · ↑6 · 14 hours ago

                  I’m more concerned our own governments will do that, if we ever decide complacency isn’t serving us.

        • WhyJiffie@sh.itjust.works · ↑3 · 17 hours ago

          It would have the same effect as a nuke on all cities.

          that’s how you invalidate all other things you said

        • trollercoaster@sh.itjust.works · ↑13 · edited · 1 day ago

          Guess where many European manufacturers do have a lot of their components made, because it’s cheaper? If China wants to disable much more than just European infrastructure, they can simply do this by enacting an embargo.

          In a conflict with China, we’re royally fucked in one way or another. Thanks to boundless corporate greed and political complicity.

          The real problem here is over the air updates in a piece of infrastructure, even more so in a machine where a malfunction can endanger lives.

              • Socialism_Everyday@reddthat.com · ↑6 · 23 hours ago

                We did that by trading with China instead of with the bully (USA). The EU fundamentally cannot manufacture most of the stuff it consumes because neoliberal policy doesn’t allow for that. If you want to go to self-made stuff, you’d have to become the eastern bloc politically. Which I advocate for.

        • Socialism_Everyday@reddthat.com · ↑5 · 23 hours ago

          How about our policy were not to become enemies of the largest manufacturing hub and rising world power with 3 times our population?

          • Quittenbrot@feddit.org · ↑10 · 23 hours ago

            If a policy to remain independent means becoming the enemy of someone, it’s not the policy that’s the problem.

            • Socialism_Everyday@reddthat.com · ↑7 · edited · 23 hours ago

              How are we China’s enemy? We’re the ones suddenly trying to nationalize companies like Nexperia. When did China do something like this? Obeying leader Trump in 5% military expenditure isn’t exactly being independent either.

              • Hotznplotzn@lemmy.sdf.org (OP) · ↑5 · 22 hours ago

                @Socialism_Everyday@reddthat.com

                When did China do something like this?

                What an absurdly flawed argument. China never did something like that simply because a foreign company is legally banned from owning its own Chinese subsidiary in the first place. You always need a Chinese partner that would then own the majority of “your” company.

                • Socialism_Everyday@reddthat.com · ↑7 · 22 hours ago

                  I’m answering to the comment about “becoming their enemy by being independent”. I’m asking for evidence of China choosing Europe as its enemy, as I genuinely haven’t seen such hostile acts unless in retaliation from Europe choosing to suddenly become China’s enemy.

              • troed@fedia.io · ↑3 · 21 hours ago

                Hi! Person with knowledge of doing business in China as a “western company”. You start up your company and hire Chinese engineers. After a while many of them will quit and instead work for a newly created company across the street that do the exact same thing as you do (soon to be “did”).

                • Socialism_Everyday@reddthat.com · ↑7 · 19 hours ago

                  Huh, I thought we loved free market competition in Europe. If you can’t keep your workers or compete against another firm, by market logic your business isn’t efficient and shouldn’t exist.

                • Hotznplotzn@lemmy.sdf.org (OP) · ↑2 · 15 hours ago

                  Hi! Person with knowledge of doing business in China as a “western company”. You start up your company and hire Chinese engineers. After a while many of them will quit and instead work for a newly created company across the street that do the exact same thing as you do (soon to be “did”).

                  As someone who has also experience of doing business in China as a “Western company”: Yes, that’s exactly the way it is.

                • Maeve@kbin.earth · ↑2 · 19 hours ago

                  Bill Gates and Apple. Both are shit business models, but this isn’t a “Chinese specific” thing.

              • Quittenbrot@feddit.org · ↑3 · 23 hours ago

                We’re the ones suddenly trying to nationalize companies like Nexperia. When did China do something like this?

                You do realise that China defined ‘restricted’ industrial sectors where foreigners at most can form a joint venture with a Chinese company which must own more than the foreign one? We granted far more liberties to the Chinese than the other way round.

                • Socialism_Everyday@reddthat.com · ↑6 · 22 hours ago

                  That still doesn’t respond to my initial question of when China has designated Europe as its enemy, which is why I brought up the particular event of escalation of economic warfare that Europe decided to engage in this very week.

      • troed@fedia.io · ↑19 · 24 hours ago

        From the OP post:

        The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates that made it vulnerable, whereas the Dutch model did not.

    • hayvan@feddit.nl · ↑23 · 23 hours ago

      It’s less about that. Buy things you actually own, independent of the supplier. Sure, I’d rather have a European supplier to control my stuff than Chinese one, it’s not even a competition, but come on.

    • Evotech@lemmy.world · ↑1 · 17 hours ago

      They’re not allowed. These kinds of things must be placed to the open market and the best offer must be accepted

  • vodka@feddit.org · ↑27 · edited · 22 hours ago

    There’s an even bigger issue with these busses.

    They were never made for the cold of Norway, and the electric heating couldn’t keep them warm even in the relatively mild winters that Oslo has. To fix this they installed auxiliary diesel heaters. These diesel heaters use more diesel (see edit) to keep the busses warm than the previous generation of diesel hybrid busses used to both fuel the engine, and keep the busses warm.

    So the new EV busses that were supposed to lower local pollution ended up costing more and polluting more.

    Edit: these heaters haven’t actually been tested in a winter scenario, and the “diesel consumption exceeds the previous busses” claim is based on just looking at the spec sheet for the diesel heaters to be fitted. And it’s compared to the previous plug-in hybrid busses which obviously had a lot of their fuel consumption covered by being plug-in

      • vodka@feddit.org · ↑14 · 22 hours ago

        Here’s an article that mentions the fitting of the diesel heaters: https://www.nrk.no/stor-oslo/slik-skal-ruter-og-unibuss-unnga-nytt-busskaos-i-vinter-1.17036833

        Now technically they could heat them to a comfortable temperature with only the resistive heating, but they would not have the battery capacity to get through the minimum required range to serve their routes.

        The stuff about the diesel heaters exceeding the consumption of the previous busses seems to be based on preliminary data from the specs of the heaters, and not actual real life data as they didn’t have time to fit the heaters before the previous winter hit. And the only stuff I can find about it is pay walled. I will add an edit to my original comment for this.

        • TBi@lemmy.world · ↑4 · 16 hours ago

          Even “if” this is true. This will only be needed during the coldest of winter months. So for the rest of the year they will be far more efficient.

          This sounds like FUD.

          Plus a bus should not use resistive heating but instead have a heat pump. If it doesn’t have a heat pump then that is a bad purchase.

          • vodka@feddit.org · ↑2 · 15 hours ago

            The busses they replaced were plug-in hybrid busses that mostly ran on battery power already, they were already super efficient.

            They did indeed fuck up and not buy them with heat pumps. They were going to retrofit heat pumps but it turned out to be too expensive so they went with diesel heaters.

            They literally did not include any sort of minimum requirements for heating in the bidding process. It was a huge fuck up that has been covered lots in the media here.

      • vodka@feddit.org · ↑5 · 15 hours ago

        No, to get enough heat in the winter so that people aren’t freezing on the bus?

          • vodka@feddit.org · ↑1 · 4 hours ago

            Because resistive heating took too much energy and made the buses not have enough range, and heat pumps were deemed too expensive.

            This all could’ve been avoided if they just included heating as part of the original bidding process, the heat pumps would’ve been cheaper than the diesel heaters if included in the original spec.

      • vodka@feddit.org · ↑17 · edited · 22 hours ago

        It’s a habit since it is buss in Norwegian. I will keep doing it and blame the English language for being incorrect.

        Edit: I googled it and technically busses isn’t incorrect, but buses is preferred. Merriam-Webster used to list busses as the preferred form up until 1961 actually.

  • twelvety@fedia.io · ↑46 · 1 day ago

    So, just like any vehicle that downloads software updates from its manufacturer?

    If they do that, the manufacturer can add whatever they like to specific vehicles, including kill switches.

    • Hotznplotzn@lemmy.sdf.org (OP) · ↑22 · 24 hours ago

      Read the post:

      The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates that made it vulnerable, whereas the Dutch model did not.

    • RaivoKulli@sopuli.xyz · ↑12 · 23 hours ago

      That’s a really interesting take. I wonder if the actual article says anything about that, should we maybe check it out

  • Alcoholicorn@mander.xyz · ↑16 · 1 day ago

    Did they find an actual vulnerability or are they calling remote software updates and sending diagnostic data back to the manufacturer a vulnerability?

    • jonesy@aussie.zone · ↑31 · 1 day ago

      There’s no good reason to connect a bus to the internet, just do software updates when it gets maintained. There’s plenty of devices on Shodan.io that had no known vulnerabilities when they were new but are huge security risks now, from routers to printers to webcams.

      • trollercoaster@sh.itjust.works · ↑7 · 1 day ago

        Even if software updates come during maintenance, the same problem persists. The manufacturer can brick the damn thing via an update. The bricking just can’t that easily happen at any arbitrary moment.

        If it’s truly offline, there is also less attack surface for non manufacturer approved malicious actors.

        Every software has bugs. Every device that runs software and can be accessed remotely does have vulnerabilities. The problem is that we as a society think that it’s a good idea to have every toaster and every bus connected to the internet. Welcome to the internet of shit.

        • Ek-Hou-Van-Braai@piefed.social · ↑5 · 1 day ago

          You can revert it to an older version though.

          With most cars you flash the ECU with software using a diagnostic tool, if you don’t like the new version you can just flash an older version on there.

          Or in many cases modify it and flash your custom version.

          You don’t have that control if it’s all Internet dependent, and there’s no kill switch.

          • WhyJiffie@sh.itjust.works · ↑1 · 16 hours ago

            You can revert it to an older version though.

            if the maker allows it. try that with your smartphone and it will irreversibly turn into an expensive brick. look up android rollback protection

          • trollercoaster@sh.itjust.works · ↑4 · 1 day ago

            Unless you can (and actually do) audit the entire software, you can’t know whether there isn’t any kill switch in it. Even if it’s just a simple timer that will break shit once the warranty has expired. Or something that reacts to a seemingly innocuous external trigger.

            • Ek-Hou-Van-Braai@piefed.social · ↑3 · edited · 1 day ago

              And we can never make cars 100% safe. That doesn’t mean we shouldn’t care about seat-belts, airbags, ABS and crumple zones.

              Just because we can’t make the danger zero, doesn’t mean we shouldn’t do the bare minimum to mitigate the danger.

              • Maeve@kbin.earth · ↑1 · 15 hours ago

                The Internet connection aspect can be made zero. Cars don’t really need computers.

              • trollercoaster@sh.itjust.works · ↑3 · 1 day ago

                Yes, and bare minimum is a good keyword, because sometimes, less is more. Especially when it comes to the amounts of software and connectivity. Complexity causes problems.

                I am old enough to have ridden on buses that did run exactly zero software. And you know what? Those things would just keep on working for decades, despite rolling all day long every day every week all year round.

      • Amnesigenic@lemmy.ml · ↑6 · 19 hours ago

        Your account exists solely to play the issue up as far as you can get it to go, you’re a racist propagandist and you’re mad that people are correctly identifying you as such

      • Alcoholicorn@mander.xyz · ↑14 · edited · 1 day ago

        Trying to understand the actual issue instead of just accepting the deceptive narrative the headline promotes is not downplaying the issue.

        But “electric bus receives remote updates” fails to generate clicks or xenophobia.

        You just don’t like it when someone doesn’t instantly accept whatever hostile evidence you’ve dredged up to support the agenda you constantly push.

          • Alcoholicorn@mander.xyz · ↑8 · 22 hours ago

            The first European manufacturer of buses I can think of, Daimler also does it, this is an extremely common practice. It literally is only making the news to stoke sinophobia.

            Why are you @ing my old account? I stopped using it after I traveled through China and found they blocked HB.

            • Hotznplotzn@lemmy.sdf.org (OP) · ↑8 · 22 hours ago

              @alcoholicorn@hexbear.net

              It doesn’t help if you ignore what others have written. Again, read the post:

              The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates that made it vulnerable, whereas the Dutch model did not.

              The Chinese model had that, the Dutch model didn’t. It is apparently not “extremely common practice” as the Dutch model didn’t have that vulnerability.

              Your statement is simply false. And this is not sinophobia but a simple fact.

              • Alcoholicorn@mander.xyz · English · 6 upvotes · 22 hours ago

                It is so common the first 4 euro bus manufacturers I can think of all do it. There are no articles about MAN buses being vulnerable, nor Volvo, nor Mercedes. The fact that you didn’t look any of this up betrays that you don’t care about buses using OTA updates or whatever, only its utility as hostile evidence.

        • Slotos@feddit.nl · English · 12 upvotes · 1 day ago

          The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates that made it vulnerable, whereas the Dutch model did not.

          Everything you needed to know was openly stated in the article. But you love riding that imaginary tall horse of yours.

          • Alcoholicorn@mander.xyz · English · 13 upvotes · 1 day ago

            Most people read “vulnerability” and assume an exploit was found, not that the bus uses an extremely common practice that applies to like 99% of EVs and 80% of modern ICE cars, but not these Dutch buses, apparently. Hell, even some ICE motorcycles get remote updates.

            • Slotos@feddit.nl · English · 16 upvotes · 1 day ago

              For a public infrastructure, unattended remote updates are a vulnerability. This is clearly and openly explained in the article.

              Especially for countries where the vast majority of the workforce commutes using said infrastructure. A single uncontrolled update could cripple not just transportation, but every other public service.

              • Maeve@kbin.earth · 1 upvote · 15 hours ago

                unattended remote updates are a vulnerability

                Whose fault is it if unattended?

    • Hell_nah_brother@thelemmy.club · English · 14 upvotes · 1 day ago

      The Chinese model featured a SIM card that allowed the manufacturer to remotely install software updates that made it vulnerable, whereas the Dutch model did not.

      “We’ve found that everything that is connected poses a risk – and that includes buses,” Ruter director Bernt Reitan Jenssen told public broadcaster NRK.

      Yes. Also “spacewars.com”? This is a dogshit flamin garbage blog.

    • FiskFisk33@startrek.website · English · 32 upvotes · 1 day ago

      Trees are supposed to be there, this is not. While this is very expected, anything we can do to avoid normalizing it would be great.

      • CosmoNova@lemmy.world · English · 16 upvotes · 1 day ago

        This stuff is normal in China. It’s just reality. Don’t buy Chinese EVs if you want secure infrastructure. Even when they don’t have bad intentions (at the moment) they can interrupt or even break things accidentally. Many people who own a Bambu 3D printer know what I mean. You just don’t own these things when you buy them.

    • AwesomeLowlander@sh.itjust.works · English · 23 upvotes · 1 day ago

      People like you make it worse. It’s clearly stated that they have an alternative, the VDL model does not have the same vulnerability. This is a good thing, and bringing publicity to the issue raises awareness about it for other people. You handwaving and normalising it just makes it more socially acceptable when it shouldn’t be.

      • CosmoNova@lemmy.world · English · 9 upvotes · 1 day ago

        How do I make it worse? Please explain. I think I was clearly in favor of this alternative when I wrote that comment. I don’t understand where that “normalizing” is coming from. It is normal for Chinese products to behave this way. We know this in part because of tests like this one. I don’t think I implied that’s a bad thing at all, but the results should be hardly surprising to anyone at this point.

        • AwesomeLowlander@sh.itjust.works · English · 8 upvotes · 1 day ago

          I see. Your initial comment was short, and gave the impression you were referring to the state of things in general, not the Chinese products in particular. Hence why it comes across as ‘normalising’. It’s clear now that’s not what you meant, but it wasn’t before.

          On a side note, it’s not Chinese-specific behaviour. If anything, American companies tend to be the biggest offenders of the enshittification process. Though TBF, there are bad actors from every country.