What Could Possibly Go Wrong, Vendor Remote Access Edition
The problem: Global warming is a threat.
The Solution: We will purchase electric busses from China to run all over our cities … Sounds like a great idea, with the best of intentions, what could possibly go wrong ?
Well, as is with all devices as a service, they will obviously need monitoring and updating on a regular basis, so Oslo obviously gave the Chinese a neat little service tunnel into the fleet, so they can nudge updates at 02:00 and watch sensor health in real time, and surely nothing bad ever comes through that tunnel.
Then Ruter ran a live test, found that Yutong, the manufacturer of a newly delivered electric bus, had remote digital access broad enough that a malicious actor could, in theory, stop vehicles, and quietly rewrote the playbook.
The finding jumped the border to Denmark by midweek, where authorities began combing through hundreds of similar buses. According to AP, the scenario was discovered in a controlled setup, no one pulled a real world kill switch, but the capability path existed, which was enough to trigger action.
The Actors
Ruter is Oslo’s public transport authority, the organization steering an aggressive electrification push across its bus network.
Yutong is one of China’s largest bus makers, supplying vehicles and the connected service stack that delivers over the air updates and telemetry. Denmark’s Movia operates one of Europe’s largest e-bus fleets, including hundreds from Chinese manufacturers, and activated a rapid review once Oslo’s results surfaced.
Reported by the Guardian, Denmark’s civil protection authorities joined the assessment, focusing on internet connected subsystems and how vendor access is governed.
The Tests
Ruter’s team isolated buses in a mountain test environment, put connectivity under the microscope, and asked a simple question, who can talk to this vehicle, and what can they do.
The answer, according to AP and Channel NewsAsia, was that the manufacturer had remote access sufficient for diagnostics and updates, a legitimate function that could, if abused, halt the bus. Ruter emphasized that no unauthorized shutdown occurred, the risk was about the path, not an exploited event.
Yutong’s Response
Yutong disputes the framing. Electrive reported the company’s position that remote control of core driving functions is technically impossible, and that data is encrypted, stored in Germany, and accessed only with customer approval.
Sustainable Bus echoed that message, noting Yutong drew a hard line between service telemetry and any ability to manipulate steering, braking, or acceleration. The disagreement matters, because for operators the difference between “we can push updates” and “we can stop the bus” is not academic, it is operational risk.
Conclusion
The program was built with the best of intentions, keep the fleet healthy, keep the air clean, keep the timetable honest. The lesson from Oslo is that good intentions do not survive unaudited trust paths.
If a vendor can reach your buses whenever they want, then so can anyone who can reach your vendor, which means your risk lives wherever their credentials live.
Treat buses like what they are, connected industrial systems with real people on board. Own the keys, set the gates, and make every remote action cross your console on your schedule. Norway started the fix, Denmark accelerated it, the rest of Europe should catch up before the next purchase order is signed





"The lesson from Oslo is that good intentions do not survive unaudited trust paths."
No, the lesson is that when one country has been made paranoid about another country due to US/EU/NATO propaganda about China, then morons panic and begin looking for "Commies under the bed".
This is complete fucking bullshit. The United States is literally the biggest threat to world peace that has ever occurred in human history - worse than Hitler due to increased actual threat potential globally due to nuclear weapons deliverable from 800 bases across the world.
But no, we're all scared of China. It's the "Yellow Peril" all over again.
Humans don't learn.