11.11.2025
3 min
534
Denmark has launched checks on hundreds of Chinese electric buses after a Norwegian security audit showed the manufacturer can remotely control the vehicles. Officially this access is for diagnostics and software updates, but in a crisis it could turn into a potential “stop” button for public transport in an entire country.
Norwegian operator Ruter discovered that electric buses made by Chinese company Yutong have built-in remote-control functions: the manufacturer can connect to the buses’ systems, push software updates, run diagnostics, and change configuration settings. In theory, this allows the buses to be stopped or disabled without any physical access.
After these findings, Danish public transport company Movia, which operates most of the country’s buses, announced its own review. Its fleet includes 469 Chinese electric buses, 262 of them made by Yutong. According to COO Jeppe Gaard, the issue is not one particular brand, but any vehicle with embedded “smart” electronics and a permanent internet connection.
The Danish Civil Protection and Emergency Management Agency Samsik has not recorded any real cases of remote shutdowns so far. At the same time, it admits that internet-connected subsystems, cameras, microphones and GPS modules may contain vulnerabilities. Through them, attackers – or a powerful supplier – could disrupt bus operations or harvest data about passengers and routes.
The regulator is already advising transport companies about risks tied to buying Chinese e-buses and promises to work with other authorities on cybersecurity and anti-espionage guidelines.
The story started with an audit in Norway: Ruter tested Yutong e-buses in an isolated environment and found that the manufacturer maintained ongoing access to several critical functions. After those results were published, other Nordic countries began asking the same questions.
At the same time, political tensions are growing around Chinese telecom and transport equipment. EU states are increasingly cautious about what systems they put into critical infrastructure, from 5G networks to city buses. The concern is the same: the possibility of remote influence by a vendor – or by the state behind that vendor.
Yutong denies any misuse. The company says it strictly follows local laws and uses data only for maintenance and optimisation, with all vehicle-terminal information stored in the EU, encrypted and “securely protected.” Industry experts agree that remote administration is convenient because it allows repairs without sending engineers on site, but warn that it also opens a new class of risks.
The Chinese e-bus case shows that infrastructure safety is no longer just about brakes and ABS – it’s also about the code in the firmware. Even if remote access is meant for service, in a crisis it can become a lever of pressure or a tool for attack.
For cities and operators this is a clear signal to:
include supplier cyber-risk requirements directly in tenders
demand transparent software architecture and the option to limit external access
regularly audit all connected systems – from buses to charging stations
Otherwise, one day you might discover that the physical keys to your public transport are in the depot, but the logical ones are somewhere far outside your country.
