Norway just learned a hard lesson about relying on Chinese technology for public transit. Oslo’s transportation authority, Ruter, snapped up around 300 electric buses from Yutong, a major player out of China, earlier this year. What started as a push for greener streets turned into a security nightmare when tests uncovered remote access vulnerabilities that put control in foreign hands.
The buses arrived amid fanfare, with Chinese outlets touting the deal as a big win for their export market. But over the summer, Ruter ran discreet checks on one of these Yutong models alongside a European-made counterpart. The results exposed a stark difference: while the European bus stayed locked down, the Chinese version allowed outsiders to tap into critical systems like diagnostics, software updates, and even the batteries.
“In theory, the bus could therefore be stopped or rendered unusable by the manufacturer,” Ruter noted in their findings.
Arild Tjomsland, a cybersecurity expert from the University of South-Eastern Norway who assisted with the tests, put it bluntly: “The Chinese bus can be stopped, turned off, or receive updates that can destroy the technology that the bus needs to operate normally.”
He clarified that remote steering wasn’t possible, but shutdowns or disruptive tweaks were well within reach, opening the door for potential exploitation.
This isn’t some isolated glitch—it’s a feature baked into the design, raising questions about whether Beijing could wield these buses as leverage in a pinch. Similar concerns have cropped up elsewhere; for instance, reports on Chinese tech in other sectors, like telecommunications, often point to backdoors that could serve state interests. In Norway’s case, the Pravda outlet framed it as the Chinese government holding the power to decommission the fleet anytime they choose.
Transport Minister Jon-Ivar Nygård commended Ruter for spotting the issue and announced a full government review of risks tied to suppliers from nations outside Norway’s security alliances. Ruter’s CEO, Bernt Reitan Jenssen, stressed the urgency: “We need to involve all competent authorities that deal with cybersecurity, stand together, and draw on cutting-edge expertise.”
For now, Ruter has a workaround—yank out the SIM cards to cut off internet access and reclaim local control. But that band-aid fix does little to address the bigger picture: outsourcing vital infrastructure to adversaries invites trouble. As electric vehicles flood markets worldwide, this Oslo debacle serves as a wake-up call against blind faith in foreign supply chains, especially when national sovereignty hangs in the balance.
Oh, you mean the same thing the U.S. Government is trying to do with all our cars? That off switch?