Denmark moves to fix security gap in Chinese electric buses after Norwegian tests

Asia Daily

Why a bus test in Norway set off alarms in Denmark

Denmark is racing to secure its public bus network after controlled tests in Norway showed that Chinese manufactured electric buses include remote connectivity that could be used to switch vehicles off while in service. The connectivity exists for legitimate reasons, primarily software updates and diagnostics. Security reviewers say the same channel, if misused, might interrupt operations. Danish agencies and operators are now scrutinizing hundreds of buses in daily use, including 262 Yutong vehicles run by Movia in and around Copenhagen, to make sure no unmanaged remote controls can affect service.

Norway’s public transport operator, Ruter, ran tests on two Yutong buses in an isolated environment. Engineers confirmed the manufacturer could connect to systems that support updates, diagnostics, and energy management. Investigators found that pulling the SIM cards blocked outside contact. That step also cut important services such as live arrival information, remote fault detection, and predictive maintenance. Ruter has notified national and local authorities and is preparing stricter security requirements for future procurements.

Yutong rejects the idea that a supplier could steer, brake, or accelerate a bus from afar. The company says the data link exists for maintenance and that European data are stored in an Amazon Web Services facility in Frankfurt, protected by encryption and access controls. There are no recorded cases of a bus being shut down remotely in Norway or in Denmark. Even so, operators view any uncontrolled access path to critical equipment as an unacceptable risk.

What did Norway find during its bus tests?

Ruter said its teams discovered embedded SIM and storage modules that enabled a secure mobile connection between buses and external servers. The link supported remote diagnostics and software updates. Engineers concluded that a malicious user, or a vendor account that had been compromised, might be able to interrupt the power supply or other functions that keep a bus moving. The test did not show remote steering or braking. It did highlight the possibility of stopping a bus by cutting traction or power.

The operator also examined buses from a European manufacturer of similar age. Those vehicles did not use remote update functions, which reduced the attack surface but also limited flexibility and maintenance efficiency. The contrast, together with the Yutong findings, convinced Norwegian officials that clearer procurement requirements are needed for any brand that relies on connected services.

The SIM card fix and its trade-offs

Removing SIM cards cuts the remote link at once, but it also disables tools that many transit agencies depend on. Real time arrival boards and mobile app predictions rely on vehicle connectivity. So do remote diagnostics and software maintenance planning. A permanent disconnect would slow service recovery when faults occur and could raise costs, because technicians lose detailed telemetry and early warnings. Operators are weighing targeted protections that keep essential data flows while blocking any vendor access that is not explicitly authorized and supervised.

Were buses actually taken over?

Officials say there have been no cases of live remote manipulation of buses. Yutong states that safety critical functions such as steering, propulsion, and braking do not accept commands from external networks. Ruter’s tests, and clarifications from experts, point to a narrower risk. Buses could be rendered inoperable if power or battery management were altered through a connected channel. That kind of disruption would be serious for operations even if drivers retain full command of the vehicle while it is in motion.

Ruter’s chief executive, Bernt Reitan Jenssen, said the likelihood of attempted interference remains low, yet he urged action to reduce exposure.

“We must take the risk seriously.”

How Denmark is responding

The Danish Agency for Civil Protection and Emergency Management says it is not aware of any confirmed cases of remote deactivation in Denmark. The agency warns that internet connected subsystems and sensors could be exploited to disrupt service if security controls are weak. It is monitoring developments and assessing whether current guidance is adequate, and it is ready to advise operators on prevention and response.

Movia, Denmark’s largest public transport company, runs 469 Chinese built electric buses across Zealand, of which 262 are Yutong. Movia’s chief operating officer, Jeppe Gaard, has acknowledged that connected vehicles can be exposed to remote interference when software systems sit on open networks. He noted that the concern affects a wide range of connected vehicles and devices. It is not limited to Chinese buses. Movia plans to tighten cybersecurity requirements in new tenders and is evaluating safeguards for its current fleet.

Political voices and civil society groups want national standards that treat public transport as critical infrastructure. They argue that heavy reliance on foreign vendors weakens resilience during a crisis. Lawmakers are exploring options such as uniform tender criteria, supplier risk screening, data residency rules, and limits on unmanaged remote access. Any changes would need to follow Danish and European Union procurement law while giving operators practical tools to keep service running.

What Yutong says about access and data

Yutong says remote control of safety critical functions is not possible on its buses. The company states the main control unit is separated from steering, propulsion, and braking systems. The data connection supports diagnostics, performance monitoring, and comfort functions, such as cabin preconditioning. Updates require explicit operator approval. The firm also says data within the European Union are stored in Frankfurt and are protected through encryption and strict access control. Ruter has explained that its findings describe a theoretical risk and that there have been no safety related cases.

The technical risk explained

Modern buses carry a telematics unit connected to cellular networks. That unit communicates with a cloud platform to deliver status data and to receive software packages or configuration changes. Inside the vehicle, a controller area network links subsystems for propulsion, batteries, doors, heating, and driver displays. Good design places safety critical loops on separate lines with strong isolation. In practice, there are interfaces between networks so support teams can diagnose faults and apply fixes. The same interfaces are attractive to attackers if identity checks or access rules are weak.

The credible risk is not a Hollywood style remote hijack. The top concern is a remote command that disables propulsion or power, or a software update that corrupts a component and leaves a bus unable to move. If hundreds of vehicles share the same configuration and supplier account, a single breach could cause widespread disruption even without touching steering or brakes. Agencies want proof that remote channels are disabled by default, that role based access is enforced, and that operators can shut off external connections instantly if they suspect misuse.

What could be affected in practice

  • Traction power enable and inverter start conditions
  • Battery management settings, including charge and discharge limits
  • Charging control logic and schedules
  • Low voltage power distribution that feeds control units and sensors
  • Cabin systems such as heating, ventilation, and lighting

Security teams focus on hardening these pathways while preserving the data they need for safe and efficient operations. The goal is to keep remote diagnostics and non critical updates, with robust controls that stop any remote action which could immobilize a vehicle without local approval.

What new rules could look like

Transport companies, regulators, and suppliers are drawing up safeguards that fit connected fleets. The measures aim to keep the benefits of telemetry and remote support while closing any unmanaged path into the drive system. Contract language, certification, and technical controls will need to align so that operators have final say over what enters a bus network and when.

  • Local control of connectivity, with the ability to disable vendor access instantly
  • Update gating, where firmware and configuration changes are reviewed and signed before installation
  • Strict separation between diagnostics and safety critical networks
  • Role based access and multi factor authentication for all remote sessions
  • Immutable logging and independent audits of remote connections
  • Clear data residency rules and encryption standards
  • Supplier risk screening in tenders, including secure development practices and incident response capability
  • Third party penetration tests and certification for connected vehicle platforms
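How several of these controls could combine at a vehicle gateway is sketched below as an added example; it is not code from Yutong, Ruter, Movia, or any other party named in the article. The role names, subsystem identifiers, and the `Gateway`, `Request`, `sign_reviewed`, and `decide` names are hypothetical, and an HMAC stands in for the asymmetric signature a real update-gating scheme would use.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Functions the article lists as able to stop a bus if changed remotely.
IMMOBILIZING = {"traction_power", "battery_management",
                "charging_control", "lv_power_distribution"}
NON_CRITICAL = {"cabin_systems", "telemetry"}  # "telemetry" is an assumption
# Hypothetical roles: what each remote role may do at all.
ROLES = {"vendor_diagnostics": {"read"},
         "vendor_update": {"read", "write"},
         "operator_maintenance": {"read", "write"}}

@dataclass
class Request:
    role: str
    mfa_ok: bool
    subsystem: str
    action: str            # "read" or "write"
    payload: bytes = b""
    signature: str = ""    # set by the operator's review step

@dataclass
class Gateway:
    review_key: bytes                     # held by the operator, not the vendor
    vendor_access: bool = False           # remote vendor channel off by default
    local_approvals: frozenset = frozenset()  # subsystems unlocked on site

def sign_reviewed(key: bytes, payload: bytes) -> str:
    # HMAC stands in for the asymmetric signature a real fleet would use.
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def decide(gw: Gateway, req: Request) -> tuple[bool, str]:
    if req.role.startswith("vendor_") and not gw.vendor_access:
        return False, "vendor access switched off"
    if not req.mfa_ok:
        return False, "multi factor authentication missing"
    if req.action not in ROLES.get(req.role, set()):
        return False, "role not permitted"
    if req.subsystem not in IMMOBILIZING | NON_CRITICAL:
        return False, "unknown subsystem"
    if req.action == "read":
        return True, "diagnostic read"
    expected = sign_reviewed(gw.review_key, req.payload)
    if not hmac.compare_digest(expected, req.signature):
        return False, "change not reviewed and signed"
    if req.subsystem in IMMOBILIZING and req.subsystem not in gw.local_approvals:
        return False, "local approval required"
    return True, "reviewed change"
```

Diagnostic reads pass once the operator has enabled the vendor channel, while a signed change to an immobilizing subsystem is still refused until someone approves it locally.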

What this means for riders and cities

Passengers should expect no immediate changes to service. The buses are driven by humans and cannot be operated from outside the vehicle. Operators say cameras in these buses are not connected to the internet, so there is no live image transfer risk. If an operator removes SIM cards to isolate vehicles, real time arrival predictions, fleet dashboards, and remote diagnostics will degrade. Agencies therefore prefer layered controls that keep service information flowing while preventing unauthorized commands.

Cities face a trade-off between the convenience of remote maintenance and the certainty that comes with tighter local control. Cutting connectivity can reduce risk but also hurts reliability and increases costs. A balanced approach uses strong governance, transparency, and verifiable technical controls so operators keep the advantages of connected fleets without exposing the powertrain to outside interference.

Key Points

  • Denmark is auditing hundreds of Chinese built electric buses after Norwegian tests showed a remote access channel on Yutong vehicles.
  • Ruter’s isolated tests found that removing SIM cards blocks remote access but also disables live information and diagnostics.
  • Yutong denies any ability to control steering, propulsion, or braking, and says EU data are stored in Frankfurt with encryption and access controls.
  • The Danish civil protection agency reports no known deactivation cases, but warns that connected subsystems could be exploited without strong controls.
  • Movia operates 469 Chinese electric buses, including 262 Yutong, and plans stricter cybersecurity requirements in future tenders.
  • The core risk is remote disruption of power or battery management, which could immobilize buses even if drivers retain steering and brakes.
  • Proposed mitigations include local kill switches for connectivity, update gating, network separation, multi factor access, and independent audits.
  • Operators aim to protect service quality while closing unmanaged remote access, rather than disabling connectivity across the fleet.