A Chinese bus maker was accused of using ‘kill switches’. Now it wants to conquer London

About three months ago, the Norwegian authority that runs Oslo’s public transport network secretly took two buses for a test spin just outside the capital city.

One of them was made by Dutch manufacturer VDL, while the other was made by Chinese company Yutong.

Ruter, Oslo’s transport network operator, took each to an underground mine where they were isolated from all outside signals, and put them through a series of tests.

What the company discovered was startling. The Chinese bus contained software that allowed it to be “stopped or rendered inoperable” by its manufacturer remotely.

“In theory, this could be exploited to affect the bus,” a statement published this month by Ruter said.

No such vulnerability was found in the VDL bus, which was older, the company added.

The electric Yutong bus was brand new and used “over the air” systems, giving its Chinese maker remote access to the bus and its onboard computers for diagnostics and software updates.

To do this, the bus was fitted with a small device containing a SIM card – which is also connected to the battery and power supply control systems.

There is no suggestion of wrongdoing by Yutong and experts say such methods are increasingly common in the automotive industry, including among major Western brands such as Tesla, Ford and BMW.

Yet the discovery of a potential “kill switch” in the Chinese vehicles has nevertheless raised fresh concerns about cyber security at a time when tensions between Beijing and the US and Europe are ratcheting up.

For Britain, Yutong’s ability to stop a bus dead in its tracks is alarming because of its growing presence on UK roads – including possible plans to launch on the highly congested streets of London.

With Chinese companies under the thumb of the country’s ruling communist government at home, the fear is that – in the wrong hands – this seemingly innocuous feature could be exploited in future.

Similar concerns have emerged over Chinese-made electric cars, as well as wind turbines and solar panels.

A recent report by the Royal United Services Institute, a military think tank, warned that Britain risked “hardwiring” vulnerabilities into its future infrastructure by relying too heavily on Chinese tech.

Ruter, which operates 300 Yutong buses in Oslo, has since removed all SIM cards from its vehicles and says it is “developing firewalls” and putting in place “stricter security requirements in future procurements”.

Ståle Ulriksen, a security expert at the Royal Norwegian Naval Academy, expressed dismay at the country’s “naive politicians”, who had been warned repeatedly of such risks.

“I cannot comprehend and understand that politicians refuse to listen to the security authorities’ repeated annual warning,” he told NRK, Norway’s public broadcaster.

But Norwegian politicians aren’t the only ones with questions to answer.

Yutong is the world’s biggest manufacturer of buses and has supplied them to transport authorities around the world – including in Britain, where many hundreds are in operation.

For example, they are used by private coach operators Flixbus and McGill’s, as well as major public transport operators Stagecoach and FirstBus.

Electric models made by Yutong are also operated in several Scottish cities and towns – including Glasgow, where they were used to ferry delegates to and from the COP26 climate conference four years ago.

Stagecoach ordered 158 single-deck, electric buses from Yutong last year alone for use in Somerset, Bristol, the Midlands, the Tees Valley, Essex and Lancashire.

FirstBus, too, ordered 169 single and double-deck electric buses for use in Somerset, Essex and Bristol.

Overall both companies are thought to have more than 200 Yutong buses in operation each.

On Friday, FirstBus described the Norwegian findings as “helpful for wider industry learning”. A spokesman said the company had raised the matter with Yutong, was “satisfied with the response” and would continue to consider the company’s buses for future orders.

“Cyber security risk is a core element of our procurement process for new electric buses,” said Gavin Davies, IT director at the bus operator.

“Ruter’s work in Norway is helpful for wider industry learning, and it’s really encouraging that they are carrying out tests and exploring how security systems can be improved even further.”

Stagecoach referred The Telegraph to a statement by the British company Pelican Bus and Coach, which has been the sole distributor for Yutong in the UK since 2013, but declined to comment.

In an email, Ian Downie, head of Yutong sales for Pelican Bus and Coach, said Yutong “fully understands and highly values the public’s concerns regarding vehicle safety and data privacy protection”.

He insisted the company fully complies with all laws and regulations but declined to comment on the specific findings from Norway.

However, he added: “Yutong vehicles operating in Europe support customers’ remote controls for comfort-based needs, such as AC pre-conditioning scheduling.

“Customers can log into the system using private accounts to manage the fleet. Without customer authorisation, no one is allowed to access or operate the system.

“Yutong vehicles in Europe do not support remote control of acceleration, steering, or braking.

“As a responsible global manufacturer, Yutong always prioritises user trust and continuously enhance vehicle cybersecurity and data protection capabilities, providing global users with high-quality products and services.”

He added: “All software updates are controlled by Pelican with manual physical access only to the vehicles only, with written prior authorisation by customers.”

In recent accounts, Pelican said it had supplied more than 2,000 of the Chinese buses and coaches to customers in the UK and Ireland “with hundreds more on forward order”.

The Castleford-based company, which also sells trucks, said annual sales rose from £109m to £226m in the year to March 31. It has been receiving financial support in the form of loans from banking giant HSBC, according to press releases.

HSBC said it extended financing to help support the transition to greener transport – a key goal of the Government’s net zero plans.

Meanwhile, Yutong has also seemingly got its sights on an even bigger prize in the UK: supplying buses for use in London, one of the most complex environments in the world for public transport.

Although it does not appear that any of Yutong’s models are currently used in the capital, the company has repeatedly advertised that its buses are compliant with Transport for London’s standards.

When the company launched its U11DD double-decker last month, it appeared in London’s well-known red livery.

With a series of bus routes in London also preparing to switch to electric models, Mr Downie would not comment on whether his company intends to bid for contracts to supply the buses.

“We have designed buses that incorporates TfL standards. We will, however, not be able to advise of our intentions due to commercial sensitivity,” he said.

There are also questions about whether or not Yutong’s software really poses a risk.

Cyber security experts have said that such remote software updates are mainly included for ease, as it means engineers don’t have to travel the globe to administer improvements.

Ken Munro, a cyber security expert at Pen Test Partners, says that the ability to manipulate vehicles via “over the air” is not necessarily a bad thing, but the risk posed depends on who has access.

“It simply comes down to trust,” he says. “Do we trust the Chinese? It’s got nothing to do with whether you can deactivate the bus or not, because that’s a perfectly normal update system you’ll find in most western vehicles.”

Ultimately, he adds, there are also business interests at stake.

“Tesla uses the same system. But Elon Musk would not use a kill-switch on all the Teslas because he’d destroy his reputation, his net worth, and the stock market value of his company in a stroke. 

“So would the Chinese destroy their entire global export market for EVs for a political or military point?”

The issue has echoes of the controversy surrounding Huawei, the Chinese company that had supplied swathes of equipment used in Britain’s telecoms network.

Despite concerns, British cyber security experts at GCHQ repeatedly insisted it was safe to use Huawei kit and that the risks could be mitigated.

But this put London at loggerheads with Washington, where US officials insisted that American information should only pass through networks where they could be “confident that that network is a trusted one”.

In the end, the White House forced the UK Government’s hand by imposing sanctions that effectively forced the removal of Huawei kit from Britain’s 5G telecoms systems.

There is no suggestion any such restrictions may be coming for Yutong.

But with Chinese-made technology proliferating around the world, it is a worry that seems unlikely to go away.

Broaden your horizons with award-winning British journalism. Try The Telegraph free for 1 month with unlimited access to our award-winning website, exclusive app, money-saving offers and more.