Fears of China’s dependence on technology have reached an unlikely corner of the West: the previously benign and efficient world of Scandinavian public transportation.
European countries are increasingly concerned that if tensions with China escalate, the vast infrastructure built by China could be weaponized, tampered with, immobilized or even commandeered.
Now, Danish and Norwegian bus companies have announced that they are urgently investigating and remediating a security loophole discovered in vehicles made by Zhengzhou, China-based Yutong, the world’s largest bus manufacturer by sales.
Because these buses can receive updates and diagnostic tests “over the air,” they “could be stopped remotely by the manufacturer or by a hacker,” Jeppe Gaard, chief operating officer of Danish public transit agency Movia, told NBC News in an email Wednesday.
“Like electric cars, electric buses can in principle be stopped remotely if the software system is accessible online,” he said. Gard added that this is “not just a problem for Chinese buses; it’s a challenge for all kinds of vehicles and equipment that have this kind of electronics built into them.”
In Denmark, Movia’s fleet includes 262 Yutong buses, which will be phased in across the network covering the capital Copenhagen and the east of the country starting in 2019, Movia said.
Earlier this month, Norwegian bus operator Lutheran, which operates half of the country’s public transport, including in the capital Oslo, issued the warning for the first time.
Ruuter conducted underground tests “inside the mountains” with two buses, one from the Yutong model and one from Dutch manufacturer VDL.
While Dutch buses “do not have the ability to autonomously update software over the air,” Yutong “has direct digital access to individual buses for software updates and diagnostics,” the newspaper said.
In theory, “the buses could be stopped or put out of service by the manufacturer,” but Yutong would not be able to remotely drive these vehicles, the paper said.
Asked for comment on the Denmark and Norway moves, Yutong said in an emailed statement that it “understands and appreciates the public’s concerns regarding vehicle safety and data privacy protection” and that it is “in strict compliance with applicable laws, regulations and industry standards.”
The company said vehicle data in the European Union is stored in Amazon Web Services’ data center in Frankfurt, Germany, and is “protected by storage encryption and access control measures” and that “no one is allowed to access or manipulate the system without the customer’s permission.”
China’s Ministry of Commerce did not respond to a request for comment.
This is just the latest episode in the complex relationship between Europe and China. Europe relies heavily on China’s trade and growing know-how, but has been critical of China’s alleged cyberattacks, rampant intellectual property theft and human rights abuses.
While hopes are high for a new trade deal between China and the EU, there are serious concerns over plans for a new mega-embassy in London and the lingering scandal over the collapse of an alleged spying scandal in the heart of Westminster.
Meanwhile, the Dutch government has taken control of Chinese semiconductor maker Nexperia, raising concerns that car production in the Netherlands could come to a halt.
It simply concludes that European countries, even more than the United States, depend on China for critical infrastructure, and that problems will arise if relations deteriorate.
Many European governments are scrapping 5G networks built by Chinese giants Huawei and ZTE under pressure from the U.S. government over concerns that Beijing could use them to undermine Western national security.
The biggest issue today is Chinese-made electric cars, which are effectively banned in the U.S., but their market share is expanding in Europe, doubling to 5.1% in the first half of 2025 from last year, according to auto consultancy JATO Dynamics.
Similar to other Western concerns, China flatly rejects that its EVs and other technologies pose a security risk.
In January, China’s Foreign Ministry denounced U.S. efforts to block Chinese technology from the U.S. auto market as “overextending the concept of national security” and called on the U.S. government to “stop attacking Chinese companies,” Spokesperson Guo Jiakun said at a daily press briefing.
But many security and intelligence officials are concerned.
The West “had a total problem with Huawei and 5G, and now they have the same problem with Chinese electric cars. A manufacturer could just flip a switch and all their electric cars would stop working,” Richard Dearlove, former head of British intelligence agency MI6, told NBC News in an interview earlier this year.
“So if there was a crisis with China, China could reprogram these vehicles to bring London to a complete standstill.”
In fact, this is true of all electric cars (including those made by Tesla, for example) and many other products that rely on internet connectivity, says Ken Munro, founder of British-American cybersecurity consultancy PenTest Partners.
In Norway, electric bus operator Lutheran said it had made several modifications, including stricter controls over future bus purchases, a “firewall” to protect against hackers, and “cooperation with national and local authorities on clear cybersecurity requirements.”
Are experts sure this will work?
“Not so,” said Mr. Munro.
“We need to enable all the levels of connectivity and software update capabilities that we all want as consumers,” he said. Munro added: “In my opinion, the only way to do this would be for the operator to disconnect all connections from that vehicle.”
Munro questioned whether China would actually want to exploit potential vulnerabilities like those identified on Scandinavian buses.
“Do we believe that China would destroy entire export industries such as cars and electric vehicles to prove a political or military point? That’s within the realm of possibility,” Munro said, but the chances of that happening are “incredibly small.”
“It comes down to just trusting,” he added.
