The same Chinese company that makes electric buses now under review in Denmark and Norway also has buses on Australian roads, sparking concern among cybersecurity experts.
Norwegian transport operator Ruter published test results last week that showed bus-maker Yutong Group had access to buses’ control systems for software updates and diagnostics on the model they tested.
“In theory, this could be exploited to affect the bus,” it said, explaining the bus could be remotely turned off.
On the company’s Australian website, Yutong Australia said it had “delivered” more than 1,500 vehicles here since 2012.
However, only 133 low-floor city buses and about 12 charter or coach buses in Australia were battery electric, said a spokesperson for VDI, the Australian distributor of Yutong vehicles.
They added that, in Australia, the practice was to update software physically at service centres rather than remotely.
Ruter did not name the model of “brand new Yutong bus” it tested and a Yutong spokesperson told the ABC the bus in the spotlight in Norway “is not the same model as the Yutong buses operating in Australia”.
Broader issue with ‘connected vehicles’
However, cybersecurity expert Alastair MacGibbon said it was a “moot point” whether the bus model raising concern in Europe was in Australia.
Mr MacGibbon, chief strategy officer at CyberCX and former head of the Australian Cyber Security Centre, said all “connected” vehicles, and particularly electric vehicles, required constant connectivity with manufacturers who have access to microphones, cameras, and GPS devices.
“They have to be able to update software and firmware. That means they can degrade the device, turn it off, turn off certain features, and the fundamental point here is it’s not about made in China, but controlled by China,” he said.
“The problem is, of course, that if a company is domiciled in China, they obviously come under the lawful direction of the CCP [Chinese Communist Party].”
Alastair MacGibbon has also been a cyber security adviser to a former prime minister. (Supplied: CyberCX)
Mr MacGibbon urged the government to “actively consider” preventing public servants or politicians from using all Chinese-made electric vehicles or having them on government property.
“The simple fact is that our largest trading partner is also probably our largest threat and we need to make rational decisions,” he said, while acknowledging there were no “simple solutions”.
A Defence Department spokesperson said the department employed a “layered approach to security of the Defence estate”.
“The layered approach to base security includes all Defence personnel, security contractors, neighbouring properties, military police and local authorities, to keep our bases secure and respond to external threats,” the spokesperson said.
A Yutong spokesperson said in Australia “no-one is allowed to unlawfully access or view the data” without customer authorisation and the company “strictly complies with Australian data protection laws and regulations”.
“Yutong vehicles in Australia do not support remote control of acceleration, steering, or braking signal,” the spokesperson said.
“Yutong only collects vehicle operational data, which is transmitted via the onboard terminal through the local mobile network directly to the AWS [Amazon Web Services] data centre in Sydney, Australia.”
‘All imported smart devices should be tested’
Yutong buses are used in multiple states and territories in Australia, including in Canberra.
Transport Canberra signed a contract in May 2023 for the supply of 90 battery electric Yutong E12 buses, with the first of these 90 buses delivered in May 2024, according to the agency’s 2023-24 annual report.
Transport Canberra has been contacted for comment.
Yutong Australia’s website says it has workshops and dealer support in all major Australian cities, including Sydney, Melbourne, Brisbane, Perth and Cairns.
Dennis Desmond, a cybersecurity expert at the University of the Sunshine Coast, said he remained “very concerned” about several issues.
Dennis Desmond is a former FBI special agent. (ABC Sunshine Coast: Jessica Ross)
These included concerns around software “being pushed to the vehicle to include any updates or fixes, especially in the firmware”.
“In my opinion, until a clear answer can be given as to what data is collected, how often that data is collected, to where it is transmitted (either directly or using the Link Plus application), and who has access to that data (whether encrypted or unencrypted), I would be concerned about the risk that using these vehicles presents, especially within a national security context,” he explained in an email.
Mr Desmond said if these vehicles were relied upon by government, defence, intelligence, law enforcement, or contractor workforces, it would be “a national security issue”.
This was not just an issue specific to Chinese-made electric vehicles, he added.
Any smart device imported and used in Australia should “be fully assessed for data collection, storage, and transmission”, Dr Desmond said.
Companies in Europe and the US also supply electric buses or components into Australia.
“Australians have become extremely reliant on foreign manufacturers for a variety of devices, including vehicles, and often are completely unaware of the data collection and exploitation processes involved.
“Prior to any official government contract, for any Internet of Things or smart device, there should be a full evaluation of the potential risk to national security as well as personal privacy,” he said.
In a further media statement, a Yutong spokesperson said the company “fully understands and highly values the public’s concerns regarding vehicle safety and data privacy protection”.
“Yutong always prioritises vehicle data security and the protection of customer privacy, and fulfils its commitments to cybersecurity management for vehicles and data protection with high standards,” the spokesperson said.
A VDI spokesperson added that while Yutong vehicles have “over-the-air” capability, VDI’s practice in Australia is to perform vehicle software updates physically at its authorised service centres, with customer consent, not remotely.