Australia’s government is investigating whether a brand of Chinese-made electric buses on the streets of its major cities pose a national security risk.
Since 2023, Australia has started slowly investing in electric-powered public buses. According to the sole distributor of those buses — a small Aussie company called Vehicle Dealers International (VDI) — there are 133 electric city buses and 12 electric charter or coach buses in the country today. All of them are manufactured by Yutong Bus, based in Zhengzhou, China.
Australia’s transition to Yutong hasn’t been without controversy. Last year, the government felt compelled to investigate whether Yutong’s buses were made with batteries built by Uyghur slaves. Now, slavery aside, the public transport authority in Canberra is investigating whether its buses pose a risk to national security. In particular — though, of course, not overtly stated by Transport Canberra — is the concern that these buses possess a “kill switch” China’s government could theoretically trigger in times of crisis.
The reality is more complicated than that. The researchers who unwittingly triggered this new Red Scare shared a detailed report with Dark Reading, before its release to the public. In it, they reveal that these buses do possess some serious cyber-risks, but none uncharacteristic of any other modern, connected technologies.
Why Everyone’s Worried About Chinese Buses
Last year, researchers with Ruter, the public transport authority in Oslo, Norway, drove two electric buses into a decommissioned mine inside of a mountain.
One was a Dutch model from 2021. The other was a Yutong. Their goal was to pick apart the passenger buses riding around their country and assess their potential risks without any possible signal interference in the way. They also tested the Yutong model in a normal operational environment.
In the fall, Ruter issued a high-level overview of its findings. Most notably, it explained that because Yutong maintains an over-the-air (OTA) connection with its buses, theoretically, it could shut them down at its discretion. Ruter reported its findings to national and local authorities, and recommended some stricter requirements around securing foreign-procured buses.
This research appears to have set off a domino effect of panic. The Danish government began an investigation into its own Yutong buses, then the UK government followed, and now Australia.
What’s Actually True About Yutong
Dark Reading has obtained a copy of Ruter’s full, as yet unpublished, report on the abandoned mine tests.
The researchers found that Yutong’s control system interfaces directly with the Web, allowing the manufacturer remote access to the Controller Area Network (CAN) bus that controls driving systems, among other components of the vehicle. CAN technology lacks authentication and encryption, they wrote, so aside from the manufacturer’s privileged connection, the vehicles are also vulnerable to crippling attacks from Internet hackers.
Ruter also found that the Yutong’s power management and battery are accessible via a mobile network connection. In theory, a readymade entry point into the vehicle’s power systems could be conceived of as a kill switch. They also noted that Yutong’s software update platform previously contained vulnerabilities, which have since been fixed, but that those issues reflected a lack of sufficient cybersecurity diligence.
The researchers described how, in theory, the buses could be vulnerable to remote hacking, corrupted software updates, nation-state attacks, and more. However, they highlighted no purpose-built Chinese kill switch, and no invasive data collection systems — in short, nothing one could construe as expressly malicious or uniquely risky.
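The CAN weakness the report describes (no sender authentication, so a Web-connected gateway's frames are trusted like any ECU's) is what makes timing- and allow-list-based monitoring the usual defensive control. The following is an added example, not part of Ruter's report or Yutong's software: it learns each arbitration ID's broadcast period from a constructed candump-style baseline and flags frames that arrive far too early or carry an ID never seen in the baseline. The log lines, IDs and payloads are constructed sample data, not captures from any real bus.

```python
"""Timing-based CAN intrusion detection over constructed candump-style logs.

A classic CAN frame carries only an arbitration ID, a length and up to 8
data bytes: no sender field, signature or encryption. Most ECUs broadcast
each ID on a fixed period, so a frame arriving far earlier than expected,
or an ID absent from the baseline, is the usual footprint of injection.
"""
from collections import defaultdict
from statistics import median

# Constructed sample logs in "candump -l" style: "(epoch) iface ID#DATA".
BASELINE_LOG = """\
(100.000) can0 0C0#1122334455667788
(100.010) can0 0C0#1122334455667788
(100.020) can0 0C0#1122334455667788
(100.050) can0 1A0#00FF
(100.100) can0 1A0#00FF
"""
LIVE_LOG = """\
(200.000) can0 0C0#1122334455667788
(200.001) can0 0C0#0000000000000000
(200.010) can0 0C0#1122334455667788
(200.050) can0 1A0#00FF
(200.060) can0 3FF#DEADBEEF
"""

def parse_candump(text):
    """Yield (timestamp, arbitration_id, data_bytes) from candump lines."""
    for line in text.splitlines():
        ts, _iface, frame = line.split()
        can_id, payload = frame.split("#")
        yield float(ts.strip("()")), int(can_id, 16), bytes.fromhex(payload)

def learn_periods(log):
    """Median inter-arrival time per ID; needs >= 2 baseline frames per ID."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id, _ in parse_candump(log):
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {i: median(g) for i, g in gaps.items()}

def detect(log, periods, tolerance=0.5):
    """Return alerts for unknown IDs or frames < tolerance * period apart."""
    alerts, last = [], {}
    for ts, can_id, data in parse_candump(log):
        if can_id not in periods:
            alerts.append((ts, can_id, "unknown id"))
        elif can_id in last and ts - last[can_id] < tolerance * periods[can_id]:
            alerts.append((ts, can_id, "too early: " + data.hex()))
        last[can_id] = ts
    return alerts
```

Against the live log this flags the second 0x0C0 frame (arriving 1 ms after the previous one on a 10 ms period) and the unlisted 0x3FF ID; a real deployment would learn the baseline from a long capture and tune `tolerance` per ID.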
Are Australia’s Buses Different?
In response to security concerns over its fleet, a VDI spokesperson told Australian reporters that although Yutong vehicles allow for OTA updates, “VDI’s practice in Australia is to perform vehicle software updates physically at our authorised service centres, with customer consent — not remotely.” A representative of Transport Canberra told the Australian Broadcasting Corporation (ABC) on Jan. 20 that Australia’s buses do not allow OTA updates at all.
Either way, this doesn’t mean that the manufacturer has zero live connectivity to, and control over, its fleet in Australia. To assuage concerns further, a Yutong spokesperson informed ABC that “it is possible to disable all telematics functions by turning off the power supply to the connected device or by removing the SIM card. Disabling telematics functions will not affect the normal operation of the vehicle.”
“The concerns in the report reflect well-documented risks inherent to connected vehicles and the Internet of things (IoT) in general,” says Bugcrowd founder Casey Ellis. More so than any doomsday scenarios, he adds, the threats to these buses “are more likely to be stuff like data exfiltration and surveillance, ransomware deployment, or broader compromise in the context of the overall fleet. Dramatic remote takeovers or physical effects are far less likely because of how modern vehicle internal networks are designed, but they aren’t out of the question.”
What Governments Should Do About Chinese Tech
Even if Yutongs are exactly as advertised, connectivity into China may be reason enough to evaluate their risk to national interests. China’s 2017 Cybersecurity and National Intelligence Laws afford the Chinese Communist Party (CCP) broad legal grounds to enlist any domestic company in any foreign intelligence-gathering or wartime pursuits.
Ellis explains that, as a near-ish neighbor, “Australia has a huge exposure to Chinese technology across electric vehicles, solar infrastructure, telecommunications equipment, critical manufacturing supply chains, and consumer electronics. Public transport, renewable energy systems, and defense-adjacent operations all incorporate Chinese-manufactured components, and ‘phone-home’ functionality is very common.”
Any risk to buses, then, is a minor part of a bigger, scarier picture. At the same time, preemptively banning or even scaling back Chinese technology carries potentially unnecessary economic and political consequences. “Personally, I believe that wholesale equipment removal, as seen in some European jurisdictions, remains unlikely because of the costs and effort involved, but the general direction of caution and maintenance of sovereignty is an important one,” Ellis says. As of the time of publication, Yutong buses remain active in Australia’s cities.
Ellis thinks, “The political approach acknowledges risks without full decoupling to avoid market disruption. Expanded audits will precede any outright bans, unless of course a significant security incident changes the math.”