Chinese-made electric buses in Norway discovered to have hidden remote access capabilities

Norwegian public transport operator Ruter has discovered during an internal inspection that a Chinese-made electric bus it operates contains a SIM card that could potentially be used to remotely control the bus, prompting the Norwegian government to reassess the cybersecurity risks of the bus fleet.

Ruter | We have conducted a comprehensive safety test of electric buses
https://ruter.no/en/ruter-with-extensive-security-testing-of-electric-buses

Norway's Public Buses Have A Chinese Backdoor No One Knew About | Carscoops
https://www.carscoops.com/2025/11/norways-public-buses-can-be-shutdown-remotely-from-china/

There are approximately 1,300 electric buses in operation in Norway, of which approximately 850 are provided by the Chinese manufacturer Yutong, with approximately 300 Yutong buses operating in the Norwegian capital, Oslo, alone.

During an internal investigation into a Yutong electric bus, a Romanian SIM card was discovered hidden in the system. Yutong said the SIM card was intended to enable remote software updates and technical troubleshooting. A Yutong spokesperson said data transmitted from the vehicle is encrypted and is only used for vehicle-related maintenance and optimization.

To clarify the cybersecurity risks inherent in electric buses, Ruter conducted an experiment in an isolated mountain area using a Yutong bus and a Dutch VDL bus. The main check items in the experiment included whether the bus camera footage was connected to the Internet, whether bus software updates were externally accessible, and whether the power supply system was accessible via mobile communications.

As a result, the risk was found to be relatively low, as VDL buses did not have the ability to update their software from outside and external access points were limited. Meanwhile, it was confirmed that Yutong buses had a power management system that could be accessed from outside via mobile communications using SIM cards. This means that, in theory, Yutong has the authority to remotely stop or disable buses. However, Ruter stated that there was no evidence that bus camera footage was transmitted over the Internet, and that no 'video surveillance risk' had been confirmed.

In response to the results of the experiment, Ruter stated that it would impose stricter security requirements on future electric bus deployments, develop firewalls to ensure local control and protect against hacking, and cooperate with national and local governments on clear cybersecurity requirements. The Norwegian Ministry of Transport announced that it would begin a review of its cybersecurity standards in response to Ruter's report.

'This comprehensive and independent testing will enable us to ensure that buses are properly protected,' said Bernd Reitan Jensen, CEO of Ruter. 'While our investigation did not find any evidence of malicious activity, but rather concerns, we can now turn these concerns into concrete knowledge that will lead to stricter safety standards.'

At the time of writing, Ruter explains that the electric bus can be operated locally or offline by disconnecting communications or physically removing the SIM card as needed.