Chinese Electric Buses Trigger Cybersecurity Alarm Across Europe

China’s reach into critical infrastructure threatens to disrupt Europeans’ daily commute. On November 19, The Wall Street Journal reported that the Oslo transportation authority, working in conjunction with Norwegian officials, discovered that the city’s Chinese-manufactured buses could be remotely disabled via a software vulnerability. Following the Norwegian study, both United Kingdom and Danish authorities announced their own investigations into their bus fleets.

The discovery, which follows earlier warnings over the presence of possible backdoors to Chinese-built devices embedded within European infrastructure, highlights Beijing’s unprecedented access to allied critical infrastructure.

Norway’s Test Proves Chinese Buses Could Be Disabled Remotely

In seeking to pinpoint the vulnerability, Oslo’s transit agency, Ruter, drove both a newly purchased Chinese-made Yutong bus and an older Dutch transit bus deep into a decommissioned mine to eliminate external signals. Once parked away from potential interference, Norwegian cybersecurity experts demonstrated that the Yutong bus’s battery and power systems, which can receive updates over the air, would theoretically allow the manufacturer to disable the vehicle remotely. In contrast, the older Dutch-made bus had no over-the-air update capability, preventing malicious actors from using external access points to sabotage its systems.

Yutong, which is based in Zhengzhou, is the world’s largest bus maker and a major Chinese exporter. The firm has delivered more than 260 buses to Denmark and is providing fleets to France, Italy, and Norway; it also holds major market share within three members of the “Five Eyes” intelligence-sharing network: Australia, New Zealand, and the United Kingdom. The firm’s chairman, Tang Yuxiang, is the secretary of the firm’s Party Committee, which serves to enforce the Chinese Communist Party’s control over the company’s activities.

China’s Cyber-Penetration Campaign Has Increasingly Targeted Europe

Over the past several years, China has escalated its efforts to pre-position vulnerabilities within European critical infrastructure, which include installing software and hardware back doors into commercial products. While China’s “Volt Typhoon” cyber campaign has primarily targeted U.S. networks, Britain’s National Cyber Security Centre has issued warnings over the campaign’s possible presence within Europe, while security authorities across the continent have publicly acknowledged that their telecommunications networks were struck by “Salt Typhoon,” another Chinese cyberattack. 

European critical infrastructure operators have also been targeted via hardware backdoors, including Chinese-made solar cell inverters — devices that attach solar panels to the electrical grid — that contained undocumented cellular radios, a flaw that could have allowed Chinese firms to sabotage the cells once installed. Coupled with Chinese state-aligned academics’ growing interest in identifying means to cause blackouts across European energy grids, many of which are already strained, the presence of these inverters highlights Beijing’s growing capacity to infiltrate and sabotage key European systems.

The U.S. and EU Should Coordinate Response to Aggressors’ Infiltration

The United States and Europe should work together to prevent Chinese infiltration of critical infrastructure using a combination of harmonized enforcement mechanisms and funding directed towards securing critical infrastructure. Along with finalizing more stringent procurement laws, the European Union should copy the U.S. Federal Communication Commission’s efforts to prevent Chinese firms from installing vulnerabilities within their products. It is particularly important to withdraw support for Chinese equipment testing labs connected to Beijing, as the labs would have every incentive to ignore any vulnerabilities found.

Moreover, both the United States and the EU, alongside NATO, must invest in hardening the continent’s critical infrastructure, particularly systems critical for military mobility, some of which have already been targeted by Russia. This requires both directed investment from NATO member states as part of their overall defense spending and expanded efforts by agencies such as the U.S. National Institute of Standards and Technology to share intelligence on software and hardware vulnerabilities. 

Jack Burnham is a senior research analyst in the China Program at the Foundation for Defense of Democracies (FDD), where Duncan Lazarow is an intern. For more analysis from Jack and FDD, please subscribe HERE. Follow Jack on X @JackBurnham802. Follow FDD on X @FDD. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.