Norway's Ruter Bolsters Bus Security After Remote Access Discovery in Yutong Electric Fleet

Ruter Uncovers Remote Access Vulnerabilities

Ruter, Norway's prominent public transport operator, has announced a significant tightening of security protocols for its electric bus fleet. This decision follows comprehensive cybersecurity tests conducted in late October 2025, which revealed that Chinese bus manufacturer Yutong Group possessed remote access capabilities to their electric buses. The tests, carried out in an isolated mountain environment to prevent external interference, exposed potential vulnerabilities related to Over-The-Air (OTA) software updates and diagnostics.

The investigation focused on a new Yutong bus and a three-year-old VDL bus. While the Dutch-made VDL bus did not support OTA updates, the Yutong vehicle demonstrated direct digital access for software updates and diagnostics. This access, facilitated by a Romanian SIM card, theoretically allowed the manufacturer to influence the bus's control systems, including its battery and power supply, and potentially render it inoperable.

Immediate Measures and Future Safeguards

In response to these findings, Ruter has initiated several critical security enhancements. The company has moved to disable web connectivity on its fleet of approximately 850 Yutong electric buses across Norway, including 300 operating in Oslo and Akershus, by removing the onboard SIM cards. Additionally, Ruter is implementing:

  • Stricter security requirements for all future procurements.
  • Development of proprietary firewalls to ensure local control and protection against hacking.
  • Collaboration with national and local authorities to establish clear cybersecurity standards for public transport.

Bernt Reitan Jenssen, CEO of Ruter, stated, 'Following this testing, Ruter moves from concern to concrete knowledge about how we can implement security systems that protect us against unwanted activity or hacking of the bus's data systems.' Ruter also confirmed that vulnerabilities identified in a Chinese software update platform used by Yutong have since been reported and addressed.

Wider Implications and Manufacturer's Stance

The discovery has prompted a broader review of digital safety within Norway's public transport systems. The Norwegian Ministry of Transport and Communications and the National Security Authority have been informed, and the government is assessing risks associated with vehicles built in countries outside Norway's security alliances. The situation has also drawn attention internationally, with authorities in Denmark reportedly reviewing their own fleets of Chinese-made electric buses for similar vulnerabilities.

In response to the reports, Yutong Group has asserted its compliance with applicable laws and regulations in its operating regions. The manufacturer stated that data from its vehicles in the EU is stored at an Amazon Web Services (AWS) datacentre in Frankfurt, Germany, and is used exclusively for vehicle maintenance, optimization, and improvement. Yutong emphasized that this data is protected by encryption and access control measures, and denied that its buses can be remotely accessed or controlled from China.


5 Comments

Kyle Broflovski

This sets a great precedent for future procurement. Security first!

Eric Cartman

Ruter reacted well, but this should be a wake-up call for all public services using foreign-made tech. A clear national strategy on digital sovereignty is overdue.

Kyle Broflovski

AWS in Frankfurt means nothing. Data can still be accessed.

Eric Cartman

Proactive measures like this are essential for critical infrastructure. Good job Ruter.

Stan Marsh

Excellent work by Ruter! Prioritizing national security is paramount.
