Authorities in Denmark are urgently studying how to close an apparent security loophole in hundreds of Chinese-made electric buses that enables them to be remotely deactivated.

The investigation comes after transport authorities in Norway, where the Yutong buses are also in service, found that the Chinese supplier had remote access for software updates and diagnostics to the vehicles’ control systems – which could be exploited to affect buses while in transit.

  • B0rax@feddit.org · 8 upvotes · edited · 2 days ago

    Over the air updates and remote diagnostics are both things that are sold as features and are often even requested by the transportation companies.

    To be honest I am a bit surprised that they are surprised this exists.

    To be completely honest: there are even ECE regulations regarding software updates over the air.

    This is nothing new and nothing special. Almost all vehicles these days are connected to their manufacturer.

    Also, regarding deactivating this "feature": it is usually quite simple, just unplug the connectivity ECU.

    • AAA@feddit.org · 2 upvotes · 2 days ago

      > To be honest I am a bit surprised that they are surprised this exists.

      Guess they didn’t request this feature. Not this way, at least.

    • Tuukka R@piefed.ee · 1 upvote · 2 days ago

      It’s a very dangerous feature that can and will be abused by China. Many devices made in many countries having the same feature does not make it any less dangerous for China’s adversaries.

      • B0rax@feddit.org · 1 upvote · edited · 2 days ago

        Sorry, but this is not a China discussion. If it was an American vehicle which was controlled from the US, it wouldn’t be any less dangerous.

        It is simply dumb to rate long-term cyber security threats only based on the current political climate.

        • Tuukka R@piefed.ee · 1 upvote · 1 day ago

          Saying that the bus itself is dangerous when the “danger” is that auto-OTP can be used to remotely make it unable to run is a bit weird. But, let’s go with your phrasing.

          Why would the danger be the same? (And how is this argument of yours anything else than whataboutism?)

  • Riddick3001@lemmy.world (OP) · 20 upvotes · edited · 3 days ago

    I wonder how this procurement was done, and who was responsible. Obviously, they never really checked the buses for security issues, or they were wrongly informed. How much will this investigation and the updates cost, and would, with hindsight, a different choice have been better and cheaper? If so, someone in procurement has been swayed, bought off or was very misguided.

      • randomname@scribe.disroot.org · 7 upvotes, 1 downvote · edited · 3 days ago

        No, this is not a ‘Chinese’ problem, but as a European I would rather have this problem with a European supplier than with a Chinese supplier for having control over the trains on the continent (or my car, or any technology).

        • poVoq@slrpnk.net (mod) · 5 upvotes, 1 downvote · 3 days ago

          I don’t see how that makes a big difference. As the Polish example clearly shows, the laws right now are inadequate to deal with this, and it took third-party hackers to reverse-engineer it after the company extorted significant amounts of money from the operator to re-enable the trains. And the icing on the cake is that now these hackers are in court, not the company.

          And from an IT security perspective, it doesn’t matter much to an attacker if the remote-operated backdoor to shut down these buses is put there by a Chinese or European company (which would likely be using Chinese tech for that anyways).

          • randomname@scribe.disroot.org · 4 upvotes · edited · 3 days ago

            > it doesn’t matter much to an attacker if the remote-operated backdoor to shut down these buses is put there by a Chinese or

            It does matter, one major reason being that the European supplier operates under European jurisdictions and is easier to be held accountable.

            > European company (which would likely be using Chinese tech for that anyways).

            Wherever that’s the case, it must apparently be changed, one major reason being national security (the same reason why China is blocking European and other non-Chinese vendors in its domestic markets, btw).

            [Edit typo.]

            • poVoq@slrpnk.net (mod) · 3 upvotes, 1 downvote · edited · 2 days ago

              Accountable based on what laws? The real issue is that these things are perfectly legal regardless of who does it and that there is also almost no way to hold a supplier accountable for software security breaches (besides the fact that it is too late then anyways).

              • randomname@scribe.disroot.org · 3 upvotes · 2 days ago

                > Accountable based on what laws?

                On the laws we have in European democracies that can be changed and adapted as needed (unlike in China, where this can’t be done).

                • poVoq@slrpnk.net (mod) · 2 upvotes · 2 days ago

                  Ok so you agree that there is a need to make laws here in Europe about it and subject any supplier to them regardless of where their HQ is located? No need to answer that 😅

      • Riddick3001@lemmy.world (OP) · 10 upvotes · edited · 3 days ago

        About the Polish case:

        “Digging into the code revealed a software trap that would disable trains if they were anywhere near a repair facility that wasn’t run by the manufacturer, Newag. But Newag used a pretty inaccurate way to determine when the trains were in a rival repair shop, which led to some unexpected consequences.”

        I don’t think this is what the problem with the buses is about. Of course, on-the-fly update and remote features are probably more advanced. But if a third party (country) has 100% control, that means you don’t have any.

    • bstix@feddit.dk · 4 upvotes · 2 days ago

      The way it was done in this case was by ITT offers.

      The company Movia, which is owned by the public municipalities and regions, put out a request for buses, including the requirements.

      Once the request is out there, they usually do have to accept the cheapest offer that fulfills the requirements, unless there are special situations.

      So, the requirements probably didn’t account for this remote-controlled thing. Responsibility should be placed at the board of the company.

      It would be interesting to read the original request. The terms are usually quite strict, which can also be a problem, for instance if nobody can fulfill them or if the requirements are too specific so only one company can make an offer etc.

      Maybe they’re more lax in the company than if it had been a direct purchase from the municipality. It’s quite unusual to see any Chinese suppliers for this sort of thing, because they don’t pay their employees enough. It’s standard terms in all public purchases that suppliers must have employment terms on level with local Danish union workers in the same sectors.

      Just another reminder of why it’s not a good idea to privatize public infrastructure…

      • Riddick3001@lemmy.world (OP) · 1 upvote · 2 days ago

        > So, the requirements probably didn’t account for this remote-controlled thing.

        Probably, something like this. But if there was a procurement interview with a Q&A it should’ve been discussed, imo. I wonder if the tech people got a say.

        • bstix@feddit.dk · 3 upvotes · edited · 2 days ago

          Oh, they were warned by the defence department a few years ago. It’s been an ongoing process since 2019. Other politicians also made an inquiry about how much it would cost to choose European suppliers in July this year, which showed that equivalent buses from Europe would cost up to 36 million DKK more and that European companies couldn’t actually deliver. At least we know what the savings were, so the question is just what the fix will cost…

          I wouldn’t be surprised if the current news is more about the upcoming election than anything. The city buses aren’t that critical in Copenhagen. They have trains, trams and metros too, and everything is within bicycle distance, so shutting down the buses would be a minor inconvenience to most people. It’s not really a serious threat. Also, there really isn’t a threat. It’s only a potential in worst-case-scenario fan fiction.

    • Tuukka R@piefed.ee · 1 upvote · 2 days ago

      This will then mean that essential updates will be blocked.

      The problem is that the updates can contain anything, including an attack that activates for example at a specific time, several weeks after the update. And if you block the updates, well, you won’t have updates.

  • Twongo [she/her]@lemmy.ml · 4 upvotes, 1 downvote · 2 days ago

    Wait until you hear how Chinese manufacturers can turn off at least half of our solar infrastructure on a whim.