Norway’s public transport system found itself at the center of a cybersecurity storm this week after revelations that hundreds of Chinese-made electric buses could theoretically be shut down remotely by their manufacturer, Yutong. The findings, which emerged from a series of rigorous tests conducted by Ruter, the Norwegian public transport operator, have sparked a nationwide debate about the risks and resilience of critical infrastructure in an era of globalized technology.
It all started with an internal inspection on November 6 and 7, 2025, when Ruter discovered a hidden Romanian SIM card embedded within the system of a Chinese-made electric bus. This SIM card, according to Yutong, was designed for remote software updates and technical troubleshooting. Yet, the potential implications went far beyond routine maintenance. As reported by Carscoops and confirmed by Ruter’s official statements, the presence of such remote connectivity raised the unsettling possibility that buses could be stopped or rendered inoperable from afar—a scenario that, while not observed in practice, was enough to set alarm bells ringing across Norway’s transport sector.
Norway currently operates around 1,300 electric buses, with approximately 850 supplied by Yutong. The capital city, Oslo, alone has about 300 of these vehicles on its streets. The scale of Yutong’s presence in the Norwegian fleet underscores the gravity of the issue. Ruter’s tests, conducted in an isolated mountain area to ensure no external interference, compared the Chinese-made Yutong buses to Dutch-manufactured VDL buses. The evaluation focused on several key areas: whether bus camera footage was connected to the internet, if software updates could be accessed externally, and whether the power supply system could be reached via mobile communications.
The results were clear. VDL buses had no ability for over-the-air software updates, and their external access points were tightly restricted. In contrast, Yutong buses featured a power management system accessible remotely through SIM cards, theoretically allowing the manufacturer to disable or stop the buses. As Ruter explained, “In theory, this could be exploited to affect the bus.” While the tests did not uncover any evidence of camera footage being transmitted online, nor any actual incidents of malicious interference, the mere existence of such capabilities was enough to prompt action.
Experts weighed in, warning that the system could “theoretically be exploited to stop the buses,” raising not just technical concerns but broader national security and cyber risk worries. The story was quickly picked up by international outlets, including The Guardian and Berliner Zeitung, which highlighted the growing intersection of technology, geopolitics, and public safety in Europe.
Yutong, for its part, strongly rejected claims that its electric buses could be remotely controlled or deactivated from China. Speaking to Berliner Zeitung, a company representative insisted that such control was “technically impossible.” The company clarified that while its vehicles have a data connection for diagnostics and software updates, there is no physical link between the main control unit—known as the T-Box—and safety-critical systems like steering, propulsion, or braking. Furthermore, Yutong stated that all vehicle data for the EU is stored in an Amazon Web Services data center in Frankfurt, encrypted and used solely for maintenance and optimization. Over-the-air updates, the company said, only occur with the explicit approval of the operator and are limited to comfort functions and diagnostic software, not core vehicle controls.
“It is also important to emphasize that the Norwegian senior advisers stated that this is not a Chinese bus concern, it is a problem for all types of vehicles and devices with these kind of electronics built in,” noted Movia, Denmark’s largest public transport company, in an email to The Guardian. Indeed, the issue is not limited to Norwegian roads. After the Norwegian findings became public, Denmark’s national civil protection and emergency management authority launched its own investigation. Movia operates 469 Chinese-built electric buses, 262 of them supplied by Yutong. While the Danish agency said it was not aware of any incidents, it acknowledged that connected subsystems—such as cameras, GPS, and sensors—could present potential vulnerabilities.
Broader concerns about remote control of electric vehicles are not new. Earlier in 2025, U.S. regulators opened a probe into Tesla after reports of crashes involving remote vehicle commands via phone app. However, the Yutong buses in Norway are not driverless; they are operated by human drivers, which mitigates some risk but does not eliminate the core cybersecurity challenge.
In response to the findings, Ruter announced a suite of measures to strengthen its cybersecurity posture. The company plans to impose stricter security requirements on future electric bus contracts, develop robust firewalls to ensure local control and protect against hacking, and work closely with national and local governments to establish clear cybersecurity standards. “Following this testing, Ruter moves from concern to concrete knowledge about how we can implement security systems that protect us against unwanted activity or hacking of the bus’s data systems,” said Bernd Reitan Jensen, CEO of Ruter. He added, “While our investigation did not find any evidence of malicious activity, but rather concerns, we can now turn these concerns into concrete knowledge that will lead to stricter safety standards.”
Ruter also clarified that, if necessary, the electric buses can be operated locally or offline by disconnecting communications or physically removing the SIM card. Additionally, new steps are being taken to delay inbound signals, allowing operators to scrutinize updates before they are applied to the buses. Cameras installed on the buses are not connected to the internet, so there is “no risk of image or video transmission from the buses,” according to Ruter.
Yutong has emphasized its commitment to complying with local laws and regulations wherever its vehicles operate. “We strictly comply with the laws and rules of places where our vehicles operate,” a spokesperson told The Guardian. The company maintains that its remote features, such as preconditioning the bus interior before service, are managed entirely by local operators, and not accessible to Yutong.
Ultimately, the episode has brought to light a challenge that extends well beyond one country or one manufacturer. As public transport systems across Europe and the world incorporate increasingly sophisticated electronics and connectivity, the line between convenience and vulnerability grows ever thinner. The Norwegian case has prompted a broader European debate about the use of foreign technology in critical infrastructure, with security agencies and transport companies now reassessing their own fleets and policies.
For now, Norway’s buses remain on the road, with new safeguards on the horizon and a heightened awareness that, in the digital age, even the most mundane vehicles can become the frontline in the battle over cybersecurity and public trust.
