The United Kingdom has launched a security investigation into hundreds of Chinese-made electric buses operating on its roads, amid fears that the vehicles could be remotely brought to a standstill. This move follows similar probes initiated by European nations Norway and Denmark, creating a growing international concern over the cybersecurity of critical public transport infrastructure.
The UK Investigation and Chinese Bus Manufacturer
According to a report by the Financial Times, officials at the UK's Department for Transport (DfT) are working closely with the National Cyber Security Centre (NCSC). The focus of their probe is Yutong, the world's largest bus manufacturer, which is based in Zhengzhou, China. The investigation aims to determine whether the company has the ability to access the control systems of its vehicles in the UK for purposes like software updates and diagnostics.
The trigger for this inquiry was a Norwegian investigation that uncovered Yutong buses could potentially be "stopped or rendered inoperable" remotely by the company. Denmark's largest public transport company, Movia, has also opened a similar review. In the UK, Yutong has supplied roughly 700 electric buses, and the company is actively seeking to expand its presence with a newly developed double-decker electric model designed to meet Transport for London (TfL) standards.
Official Responses and Security Concerns
A DfT spokesperson confirmed the ongoing efforts, stating, "We are looking into the case and working closely with the UK’s National Cyber Security Centre to understand the technical basis for the actions taken by the Norwegian and Danish authorities." In a reassuring note for London commuters, TfL confirmed that none of its operators currently use Yutong buses, nor have any been ordered. The agency emphasised that any new buses must meet its "robust technical requirements, including rigorous testing."
Yutong, in a statement to The Sunday Times, defended its practices. The company asserted that it "strictly complies with the applicable laws, regulations and industry standards of the locations where its vehicles operate." It clarified that its data collection is limited to "vehicle-related maintenance, optimisation, and improvement," with all data being encrypted and access-controlled. Yutong strongly denied any unauthorized access, stating that no one can view the data without customer authorisation and that it fully complies with EU data protection laws.
Broader Implications and Political Scrutiny
The specific findings from Norway shed more light on the potential risk. The Norwegian transport operator Ruter revealed that its testing found Yutong retained remote access to the bus's battery and power management systems. This was a capability not found in a comparable vehicle from Dutch manufacturer VDL. Ruter concluded that, in theory, this access could allow Yutong to disable the bus, though the risk could be mitigated by physically removing its SIM card to sever connectivity.
It is important to note that the issue of remote access is not exclusive to Chinese manufacturers. As Movia in Denmark pointed out, many electric vehicles from Western companies also allow for remote software updates. However, the UK probe occurs against a backdrop of heightened political scrutiny of China's role in British infrastructure. British lawmakers are actively debating whether Beijing should be formally classified as an "enemy" or a "threat," reflecting growing anxieties over national cybersecurity vulnerabilities.
