Authorities in Denmark are urgently studying how to close an apparent security loophole in hundreds of Chinese-made electric buses that enables them to be remotely deactivated.
The investigation comes after transport authorities in Norway, where the Yutong buses are also in service, found that the Chinese supplier had remote access to the vehicles’ control systems for software updates and diagnostics – access which could be exploited to affect buses while in transit.



Online updates and remote diagnostics are usually an advertised feature and might even have been a selling argument, as they appear to save maintenance costs… until the Polish vendor turns off their trains because the operator dared to try to repair them themselves (yes, that is not a “Chinese” problem).
About the Polish case:
“Digging into the code revealed a software trap that would disable trains if they were anywhere near a repair facility that wasn’t run by the manufacturer, Newag. But Newag used a pretty inaccurate way to determine when the trains were in a rival repair shop, which led to some unexpected consequences.”
I don’t think this is what the problem with the buses is about. Of course, on-the-fly updates and remote features are probably more advanced. But if a third party (country) has 100% control, that means you don’t have any.
No, this is not a ‘Chinese’ problem, but as a European I would rather have this problem with a European supplier than with a Chinese supplier for having control over the trains on the continent (or my car, or any technology).
I don’t see how that makes a big difference. As the Polish example clearly shows, the laws right now are inadequate to deal with this, and it took third-party hackers to reverse-engineer it after the company extorted significant amounts of money from the operator to re-enable the trains. And the icing on the cake is that now these hackers are in court, not the company.
And from an IT security perspective, it doesn’t matter much to an attacker whether the remote-operated backdoor to shut down these buses is put there by a Chinese or a European company (which would likely be using Chinese tech for that anyway).
It does matter, one major reason being that the European supplier operates under European jurisdictions and is easier to hold accountable.
Wherever that’s the case, it must apparently be changed, one major reason being national security (the same reason why China is blocking European and other non-Chinese vendors in its domestic markets, btw).
[Edit typo.]
Accountable based on what laws? The real issue is that these things are perfectly legal regardless of who does it, and that there is also almost no way to hold a supplier accountable for software security breaches (besides the fact that it is too late by then anyway).
On the laws we have in European democracies, which can be changed and adapted as needed (unlike in China, where this can’t be done).
Ok so you agree that there is a need to make laws here in Europe about it and subject any supplier to them regardless of where their HQ is located? No need to answer that 😅
In principle I’d agree, but I have a nitpick: the laws must say that those that build infrastructure must be European companies with their HQ in Europe (not foreign-owned subsidiaries with a European HQ).
That would likely be incompatible with WTO agreements and usually leads to local quasi-monopolists charging absurd prices to government-run service providers. And it wouldn’t solve the likely issue of European companies buying the needed software and hardware from abroad anyway.