Denmark and Norway probe a security flaw in Chinese-made Yutong buses, deepening European fears over reliance on Chinese tech and potential cyber risks.
Bus operators in Denmark and Norway are urgently probing a security vulnerability in Chinese-made Yutong electric buses, raising concerns about Western dependence on Chinese technology.
The issue highlights growing European fears that Chinese-built infrastructure could be exploited or disabled amid geopolitical tensions with Beijing.
Yutong, based in Zhengzhou, is the world’s largest bus manufacturer by sales, and the discovery has prompted Scandinavian providers to investigate and implement fixes to prevent potential tampering or remote control risks in their fleets.
NBC News, citing Jeppe Gaard, chief operating officer of the Danish public transport provider Movia, reported that Yutong electric buses can receive remote updates and diagnostics, meaning manufacturers or threat actors could interfere with their operations. The risk affects all connected vehicles, not just Chinese ones. Movia operates 262 Yutong buses across Copenhagen and eastern Denmark. The concern surfaced after Norway’s Ruter, which runs much of the country’s transport, tested Yutong and Dutch VDL buses in an underground facility to check for remote access vulnerabilities.
The test demonstrated that Yutong buses allow direct digital access for updates and diagnostics, meaning the manufacturer could theoretically disable them. Yutong responded that it values safety and data privacy, follows all laws and standards, and stores EU vehicle data securely on Amazon servers in Frankfurt, protected by encryption and access controls. The company said no one can access or operate the system without customer authorization.
“Electric buses, like electric cars, in principle can be remotely deactivated if their software systems have online access,” Gaard told NBC News. This isn’t just a “Chinese bus concern; it is a challenge for all types of vehicles and devices with these kinds of electronics built in.”
China’s Ministry of Commerce hasn’t yet commented on the issue.
The relationship between European states and China is even more complicated. The E.U. depends on Chinese trade and technology but fears potential attacks by Beijing. The Dutch government seized Chinese chipmaker Nexperia, sparking fears for Europe’s auto sector. Nations are removing Huawei and ZTE 5G equipment from their telecommunications infrastructure and are now worried about Chinese electric vehicles, whose market share in Europe doubled to 5.1% in early 2025. Experts warn that connected EVs, Chinese or otherwise, can be remotely disabled. Norway has tightened cybersecurity for its buses, but analysts say complete safety is unrealistic. Trust remains the key issue.
Pierluigi Paganini
(SecurityAffairs – hacking, Yutong)
