On November 7, 2025, the world of public transportation found itself at the intersection of innovation and vulnerability. A series of controlled cybersecurity tests conducted by Norway’s leading transit operator, Ruter, revealed that Chinese-made Yutong electric buses—now in operation across Europe and Australia—could theoretically be disabled remotely by their manufacturer. The findings, first reported after a dramatic underground trial in Sandvika, Norway, have since rippled through Denmark, Australia, and beyond, igniting a fierce debate over the security of connected vehicles and the broader implications for national infrastructure.
The tests, dubbed the “Lion Cage” experiment, were carried out at Franzefoss in Sandvika in a mine designed to block external signals. Ruter’s team, supported by cybersecurity experts from Telenor Group and the University of South-Eastern Norway, examined two buses: a freshly delivered Yutong model from China and a three-year-old VDL bus from the Netherlands. Their goal was clear—probe for weak spots that could allow hackers or foreign actors to interfere with bus operations or access sensitive systems.
According to AP and Reuters, the results were sobering. The Yutong bus, equipped with cloud-based connectivity, allowed the manufacturer direct digital access for software updates and diagnostics, including critical systems like battery and power management. In theory, this meant the manufacturer could remotely interrupt or even disable the bus. The VDL bus, by contrast, lacked remote update capabilities, making it less exposed to such risks. Ruter confirmed that while the onboard cameras of both buses were not internet-connected—ruling out live video transmission—other systems remained accessible via the mobile network.
“After this testing, Ruter is moving from concern to concrete knowledge about how we can build in security systems that protect us against unwanted activity or hacking of the bus's computer systems,” said Ruter CEO Bernt Reitan Jenssen, as quoted by Bus-News. He emphasized that the next generation of buses would likely have even more integrated technologies, making it crucial to implement robust security measures now. “We therefore have a technological window of time to implement the necessary security measures right now. This is good news, and we are already preparing measures that will significantly increase our resilience.”
The Norwegian findings quickly caught the attention of Denmark’s transportation authorities. Movia, Denmark’s largest public transport operator, runs 469 Chinese-made electric buses, 262 of which are Yutong models. Jeppe Gaard, Movia’s Chief Operating Officer, expressed surprise at the extent of potential remote control, noting, “This is not about Chinese buses, but about all types of modern vehicles that have electronic devices with network connectivity.” Denmark’s civil protection agency, Samsik, confirmed that no buses had actually been disabled remotely, but authorities are now working to tighten cybersecurity requirements for future vehicle procurements. Proposed steps include upgrading firewalls, delaying over-the-air software updates, and revisiting network access protocols.
The debate has not stopped at Europe’s borders. In Australia, where Yutong has delivered more than 1,500 vehicles since 2012—including 133 battery electric city buses—cybersecurity concerns have also surfaced. Australian distributor VDI clarified that, unlike in Europe, software updates for Yutong buses in Australia are typically performed at service centers rather than remotely. Yet, cybersecurity experts remain wary. Alastair MacGibbon, former head of the Australian Cyber Security Centre, pointed out that the issue is not limited to the country of manufacture. “All ‘connected’ vehicles, and particularly electric vehicles, require constant connectivity with manufacturers who have access to microphones, cameras, and GPS devices,” he told ABC. MacGibbon urged the Australian government to consider restricting Chinese-made electric vehicles on government property, citing national security risks.
Yutong, for its part, has maintained that it complies fully with local laws wherever it operates. In Europe, the company said all vehicle data is stored in Amazon Web Services data centers in Frankfurt, Germany, encrypted and protected by strict access controls. A spokesperson told The Guardian that the data is “only used for maintenance and improvement of full-sale services.” In Australia, Yutong emphasized that “no-one is allowed to unlawfully access or view the data” without customer authorization and that vehicles “do not support remote control of acceleration, steering, or braking signal.” Operational data is transmitted via local mobile networks to AWS data centers in Sydney.
Despite these assurances, experts like Dennis Desmond, a former FBI special agent now at the University of the Sunshine Coast, remain skeptical. “Until a clear answer can be given as to what data is collected, how often that data is collected, to where it is transmitted … and who has access to that data … I would be concerned about the risk that using these vehicles presents, especially within a national security context,” Desmond explained in an email to ABC. He argued that all imported smart devices, not just those from China, should be fully assessed for data collection, storage, and transmission risks before being deployed in sensitive roles.
Meanwhile, Ruter is not waiting for international consensus. The Norwegian operator has already begun implementing stricter cybersecurity and infrastructure requirements for all future bus purchases. This includes developing new firewall solutions to prevent unauthorized remote access, ensuring that buses can be quickly isolated from the internet by removing the onboard SIM card, and delaying inbound digital signals so that software updates can be inspected before reaching vehicles. Ruter is also collaborating with national and local authorities to establish clear cybersecurity standards for public transport.
The broader context is clear: as cities worldwide electrify their public transport fleets, the convenience and efficiency of connected vehicles come with new vulnerabilities. Earlier this year, the US Department of Commerce banned the sale of connected hardware and software systems from Russia and China, reflecting growing anxieties about foreign control over critical infrastructure. Even tire manufacturers like Pirelli, whose Cyber Tire technology is partly linked to China, face increased scrutiny.
For now, no cases of actual remote shutdowns have been reported in Norway, Denmark, or Australia. But as Movia’s Jeppe Gaard and cybersecurity experts on several continents have pointed out, the risks posed by connected vehicles—regardless of their country of origin—are real and growing. The challenge for governments, operators, and manufacturers is to strike a balance between embracing technological progress and safeguarding the systems that keep cities moving.
As public transport operators and policymakers scramble to address these vulnerabilities, one thing is certain: the future of mobility will depend as much on cybersecurity as it does on battery range or passenger comfort. The window to act, as Ruter’s CEO put it, is open now—but it may not stay open for long.
