In a development that has sent ripples through the transportation and cybersecurity sectors across Europe, Norway’s leading public transport operator, Ruter, has announced sweeping new security measures after uncovering remote-access capabilities in Chinese-made electric buses. The revelation, which surfaced on November 5, 2025, has ignited a debate over the intersection of green technology, national security, and the risks of globalized supply chains.
The controversy began when Ruter, responsible for half of Norway’s public transport and operating extensively in Oslo and the eastern Akershus region, conducted routine security tests on a fleet of newly acquired electric buses manufactured by China’s Yutong Group. According to Ruter, these tests—carried out both on brand-new Yutong buses and three-year-old vehicles from Dutch manufacturer VDL—were designed to assess the buses’ connectivity and resilience to hacking. The findings, however, were far from routine.
Test results published just days before the announcement revealed that Yutong had built in the ability to remotely access the buses’ control systems for diagnostics and software updates. More alarmingly, the buses contained concealed SIM cards and software backdoors, which could theoretically allow for remote shutdowns from thousands of miles away. The Dutch-made VDL buses, in contrast, lacked such over-the-air update capabilities, underscoring the unique risks posed by the Chinese models.
“We have identified risks related to remote access that could potentially affect the operation of the buses,” a Ruter spokesperson told ScandAsia. The company elaborated that the manufacturer could access the control system for battery and power supply via mobile networks, meaning buses could be stopped or rendered inoperable remotely. In the words of Ruter’s CEO, Bernt Reitan Jenssen: “Following this testing, Ruter moves from concern to concrete knowledge about how we can implement security systems that protect us against unwanted activity or hacking of the bus’s data systems.”
The technical breakdown of the vulnerability is sobering. As reported by Carscoops, investigators found that the Yutong buses contained SD cards and hidden SIM modules granting the manufacturer remote access, including the ability to disable vehicles—features that were not disclosed in procurement contracts. Cybernews further detailed that these components enabled access to the diagnostics module and battery systems, potentially allowing for mass disruptions if exploited by malicious actors or even state entities.
While Yutong did not immediately respond to requests for comment from The Associated Press, The Guardian cited a statement from the company asserting that it “strictly complies” with the laws and rules of the countries in which its vehicles operate. Yutong’s spokesperson insisted that data from its buses is stored in Germany and is “used solely for vehicle-related maintenance, optimization and improvement to meet customers’ after-sales service needs.” Still, the presence of undisclosed remote-access hardware has raised eyebrows among officials and security experts alike.
The buses in question are not autonomous; they are operated by drivers, unlike the driverless shuttles seen in parts of California and China. Cameras installed in the buses are not connected to the internet, so there is no risk of image or video transmission, Ruter reassured the public. However, the capacity for remote intervention in the core power and battery systems remains a significant concern.
Norway’s transport minister has since launched a full probe, emphasizing the need for transparency in international supply chains. As reported by Anadolu Ajansı, Norwegian officials are now collaborating with cybersecurity firms to patch the vulnerabilities and are reviewing cybersecurity risks across all public transport assets. The government’s swift response reflects the seriousness of the issue, with over 1,200 Yutong buses ordered for environmental reasons now under heightened scrutiny.
The incident has not only rocked Norway but has also reverberated across Europe and beyond. Industry insiders point to this as a wake-up call for nations relying on foreign-made critical infrastructure. As Focus on Travel News highlighted, similar concerns have surfaced in other sectors, but this represents a significant escalation in the context of public transport. The scandal has fueled a broader debate on Europe’s dependency on Chinese technology and the need for diversified, transparent supply chains.
Social media platforms such as X (formerly Twitter) have amplified public awareness and concern. Posts from users like PeterSweden and Luke de Pulford have drawn attention to the potential for remote shutdowns, the scale of the fleet involved, and the implications for national security. “They can remotely send diagnostics, do software updates and cut the battery power,” one post noted. Another underscored the urgency: “Manufacturer access allows buses to be stopped from China.”
Industry experts, quoted in Sustainable Bus and Gigadgets, have warned that hundreds of buses could be vulnerable to such remote shutdowns, reshaping cybersecurity standards for connected vehicles across Europe. The South China Morning Post reported, “The manufacturer has access to the vehicles’ control systems, which could in theory be used to turn them off.” The consensus among analysts is that this incident may prompt the introduction of mandatory cybersecurity certifications for imported vehicles and encourage the adoption of blockchain or AI-driven security in transport IoT.
For Norway, the stakes are high. The country’s ambitious push for electric buses was driven by climate goals, with sustainability at the forefront of public policy. Yet, as Risky Bulletin points out, this green initiative has come with unexpected cybersecurity trade-offs, including risks to students and public infrastructure. The cost of retrofitting or replacing vulnerable buses could run into millions, putting additional pressure on public budgets already stretched by the demands of the energy transition.
In response, Ruter is imposing tougher security rules in future procurement contracts, developing new firewalls to ensure local control and prevent hacking, and working closely with authorities to establish clear cybersecurity requirements. The company is also taking steps to delay inbound signals, allowing it to review software updates before they reach the buses—a move designed to give operators greater oversight and control.
Looking ahead, Norway’s experience serves as a cautionary tale for governments and transit authorities worldwide. As more nations digitize their transport infrastructure, the need for rigorous third-party audits, open-source components, and transparent supply chains becomes ever more apparent. The lessons learned from Oslo’s buses could help shape international standards, ensuring that the drive toward sustainable mobility does not come at the expense of security and public trust.
Norway’s decisive response—tightening controls, enhancing cybersecurity measures, and scrutinizing supply chains—may well set a precedent for the rest of the world, demonstrating that safeguarding critical infrastructure in the digital age requires vigilance, adaptability, and, above all, transparency.