Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
The UK government is investigating whether hundreds of Chinese-made electric buses on British roads could be remotely deactivated, in the latest sign of concern about Beijing’s role in the country’s infrastructure.
Transport officials are working with the National Cyber Security Centre to assess whether Yutong, the world’s biggest bus maker, has remote access to the vehicles’ control systems for software updates and diagnostics.
The probe follows an investigation in Norway that found Yutong buses could be “stopped or rendered inoperable” by the Zhengzhou-based company. Those findings have also prompted Denmark to launch its own review.
Yutong has supplied about 700 buses to the UK market, primarily in Nottingham, south Wales and Glasgow, operated by groups including Stagecoach and FirstBus.
The company is hoping to sell more vehicles in London, where it has developed a double-decker electric bus that meets the standards of Transport for London.
The Department for Transport said: “We are looking into the case and working closely with the UK’s National Cyber Security Centre to understand the technical basis for the actions taken by the Norwegian and Danish authorities.”
TfL said that none of its operators used Yutong buses or had ordered any, adding: “Any buses entering service in London have to meet our robust technical requirements, including rigorous testing.”
Yutong told the Sunday Times newspaper that it “strictly complies with the applicable laws, regulations and industry standards of the locations where its vehicles operate”.
It added: “This data is used solely for vehicle-related maintenance, optimisation and improvement to meet customers’ aftersales service needs. The data is protected by storage encryption and access control measures. No one is allowed to access or view this data without customer authorisation. Yutong strictly complies with the EU’s data protection laws and regulations.”
Yutong did not immediately respond to a request for further comment on Sunday.
Ruter, Oslo’s public transport company, said last month that it had tested a new bus from Yutong and a three-year-old one from Dutch manufacturer VDL in an underground mine to check whether it could be hacked or used for intelligence purposes.
The Chinese company had remote access to its bus including the battery and power supply management system, Ruter found. The VDL bus did not have the same remote access.
“In theory, the [Yutong] bus could therefore be stopped or rendered inoperable by the manufacturer,” Ruter added.
Ruter said it could retain local control over the Chinese bus by removing its sim card as all connectivity passed through it.
Denmark’s largest public transport company, Movia, has said it too is investigating the risks, but underscored that the issue was not specific to Chinese buses, being common to many electric vehicles — including those made in western countries — whose software can be updated remotely.
The UK’s relationship with China has become tense, however, making any such vulnerabilities politically sensitive at a time when politicians have been debating whether or not Beijing is an “enemy” or a “threat”.
Euan Stainbank, Labour MP for Falkirk, has urged UK ministers to assess the risks from electric buses made in China.
“It is becoming increasingly clear that there is potential for the quantity of Chinese-manufactured electric buses on UK roads to represent a national security risk, as suppliers could be able to remotely access and exploit vehicles’ control systems while in transit,” he said.
