Norway Reviews Cybersecurity After Remote-Access Feature Found in Chinese Buses
scandasia.com
Norway reviews cybersecurity after discovering a hidden remote-access feature in Chinese electric buses, sparking concerns about potential vulnerabilities and espionage.
Story posted: Nov 5, 2025 at 11:18 AM EST
ID: 45824658 | Type: story | Last synced: 11/20/2025, 8:28:07 PM
BYD electric busses have recently rolled out where I live in Sweden.
It's not clear in the article how exactly they discovered it, but by the text that mentions it, I do get the impression they just came across the SIM ports/cards themselves:
> internal tests at a secure facility found Romanian SIM cards inside the buses
But it could also have been that they put the entire bus in a giant Faraday cage (or similar) and tried to see if it emits anything. If they did that, then eSIM or SIM wouldn't have mattered, nor where on the bus it was, they'd eventually see it. But if they just physically came across it, then maybe eSIMs would allow them to place them in less accessible areas. But then maybe that wouldn't matter anyways, if the SIM cards are permanently attached anyways.
Bottom line, hopefully wouldn't have made a difference.
Press release (Norwegian): https://www.mynewsdesk.com/no/ruter/pressreleases/ruter-tar-...
And that's what they did. If that was necessary for the conclusions is not said in the article. Only that the remote access could
The conclusion by the team was that the buses can be remotely stopped or bricked by the manufacturer. Not putting this information in the fine print is fraudulent behaviour
Hm? Not a single bus on the road in my city can be turned off remotely. There's never been one ever, since bus transport started. So why should, no, must, that be a feature of new buses?
And when I said "Not a single bus on the road in my city can be turned off remotely", that's the truth. They can't. They're all diesel, so there's not even a remote possibility of a hidden esim-powered switch.
Why did the post I replied to claim that it must be possible for buses? And why did you assume that I meant something else, and that all buses are electric?
Edit: Typo
Do you imagine some benevolent authority sits in your town with a finger on the kill switch for every vehicle in motion?
If it were in the specs from the beginning, there would be no issue. This isn't a "click here to accept" thing; multiple people scan the technical data in these projects.
Every road vehicle sold today has a sim card, most for diagnostics, some for remote control.
Even you admit that most of them aren't for remote control, so what are you agreeing with?
For obvious reasons, non-CBTC trains are not remotely controllable (CBTC essentially means "remotely driven"). It's all or nothing; either a safety system that inherently accepts the risk, or no way to remotely control the speed, short of fully stopping the train.
If modern cars have been fully remotely controllable for years, why can't police stop often-deadly car chases?
Ditto on air traffic control and small planes; many don't even have in-plane automatic pilots. AFAIK no ultralights ever do.
Most boats are not remotely controllable; even the large container ship that recently damaged a major US bridge didn't.
They want to retain the power of discretionary action. If the powers that be employed their 1984 stuff all the time over trivial things people wouldn't support them. Part of this means they don't give the beat cops those toys.
Also, there's a difference between "can be" and "are". Like there's god knows how many numbers of compatibility layers and intermediary systems I bet even if the capability exists it's broken more often than it's not. Diverse software systems take a ton of constant work to maintain.
During the "last years of XP" era you probably could have theoretically taken down half the world's industry on paper but if you tried to do so at scale without literal years of prep and testing you'd have been foiled by the 50% of machines where your payload just didn't work for some obscure reason.
Here, an article (from June 2025) about Chinese buses full of cameras and other sensors driven regularly inside secret Norwegian army bases. Those buses are to be used during a war or a crisis.
I’m arguing that crippled antitrust and anti-consumer practices are part of the problem that led to Chinese buses full of cameras being deployed in western countries.
I’ll go a step further and claim DMCA, anti-reverse engineering and other copyright-protection policies have further crippled the ability of the west to detect and prevent such foreign tech influence.
See: https://cyberdefence24.pl/cyberbezpieczenstwo/blokady-w-poci...
By techies.
That’s like adding “In Mice,” to headlines of biological breakthroughs.
It’s quite clear that a fairly significant majority of customers don’t hate Apple. They aren’t “brand slaves,” like Harley riders (anymore), but people clearly vote with their wallets.
Microsoft always had the “My work requires it” thing going, but only a couple of industries are majority Apple.
Like it or not, people pay personal money for Apple kit, and they are a demographic that marketers drool over.
It's all the other stuff made in China that is the worry, not the stuff designed by Apple, or Google.
- https://www.theregister.com/2021/02/12/supermicro_bloomberg_...
- https://www.wired.com/story/gigabyte-motherboard-firmware-ba...
Soooo, yeah.
And those buses stink like inside of a plastic factory. Never been to a plastic factory, but rode these buses. And the smell is strong even a year into use. Makes you wonder if China has same rules for carcinogenic plastic in consumer goods.
For context, for a short while I wrote SW for auto BCM's albeit the security stuff not the drive your batteries stuff.
Speed 3: The 'Net Unleashed with Keanu Reeves and Sandra Bullock needs to happen and should be about an EV bus held hostage by ransomware.
Personally, I'd like to skip over all of the buildup and go straight to hoverboard mafia pizza delivery.
I need to re-read that book, one of my all time favourites.
Also, why would they purchase busses that they thought couldn't be remotely monitored or controlled?! That seems like a very valuable feature for public transport.
God?
The ones at the top, assuming they're not asleep/drunk at the wheel/there at all, don't have to do much. The machine operates itself.
Here in the US, all of our vehicles have SIM cards and they have for decades. They sent off God knows what data, to God knows who, and they remotely receive commands, too. Could your car be hacked? If it was, would you ever be able to find out? Both of those questions are not easy to answer.
Really, ALL of our tech works this way. That Android phone? It has countless binary blobs doing who-knows-what. It runs proprietary code at ring 0, and has access to the cellular bands. If it was compromised, you wouldn't know, especially if the attack was targeted. The people making the software and hardware are already "exploiting" it right now - mostly to gather data for advertising, ostensibly. But how do you know these systems are secure? We're talking millions of lines of C code, interfacing directly with the hardware, running at maximum privileges, written by people you don't know, which cannot be audited.
It fell down to an anti-monopoly decision by a single person in the EU ministry, who killed the proposal. Several attempts were made to streamline the merger, but she wouldn't budge.
As a result, CRCC continues to win contracts abroad, largely (it is believed) by undercutting competition. IP theft is known to be one objective of their at-loss or low-profit contracts (I've been involved in fighting that, specifically).
It's hardly a stretch to imagine that having control of the rail in countries that might oppose you militarily is strategically huge.
This article is about busways, but the parallels are obvious.
Civilian transportation has numerous vital roles in supporting a nation during a war.
If you have two large, slow, bureaucratic and uncompetitive companies, then merging them together won't make the resulting giant less so, but the contrary, it'll be even more inefficient and uncompetitive, and then expect government bailouts because now they're too big to fail.
If you believe it, the "I know they are bad" -> "but we need to compete with the boogie man" -> "we need to build our own monopoly" argument is just confusing. So we should make worse products to be competitive?
If you don't believe it, you should be explaining why monopolies make better products, not arguing that desperate times call for desperate abandonment of logic.
The things you see in EU public tenders are just amazing, especially when there's little to no competition.
Can you give examples of what you (obviously, since you're commenting) have seen, and how typical it is?
Hitchens's Razor.
"Everyone knows" is always a dangerous place to stand in any argument.
People employed there optimize for winning them (at any cost - quid-pro-quo agreements aren't rare in my experience). It's common for several such companies to collude in a way that they get awarded the tenders in a circle ("I get this one, next one is for you.")
Afterwards, they outsource the work to the cheapest lowest bidder (usually IT students in the cases I've seen for software development, but essentially they'll be bottom of the barrel juniors). The quality of such products is about the same as the quality of any outsourced product which is built only to satisfy a checklist at the end. The US equivalent of that would be a corporation getting a defense contract and then basically have everything built by the cheapest outsourcer in India or similar location. Funny enough, university labs (or spinoffs) tend to be major part of this ecosystem, using grad students as workforce - their credentials tend to give them legitimacy over smaller companies.
The results are as disastrous as you can expect - companies a HNer could expect to win usually don't (due to lack of specialized knowledge on how to game the tender process, lack of connections and cost) and those that do are really there to do the bare minimum, shed the work as much as possible and deliver something they can't get sued over.
It's also not uncommon to see whole chains of such companies - the winner sometimes shares some outsourcing work with "losers" they outsource work further, skimming the funds on top and essentially outsourcing everything to the cheapest engineer they can find.
Dealing with any public EU project has been nothing but misery for me personally (as you can imagine from this post :) and this environment bred some of the most toxic workplaces I've worked with. The products were universally terrible and rarely actually useful for the purpose.
As much as I want independent EU software ecosystem, I don't think using public funding can breed anything but more corruption.
If you fail to take into account that you get into a broken world view of false equivalences.
I mean, if you’re at a place that uses staff aug and managing a project it’s just something you have to watch out from your vendors as table stakes. Whenever a new vendor was hired my fellow low level managers would be making bets on how long before they switched out their best guys with some fresh out of college junior that they’d give a fancy title to.
Well, you described what happens when you outsource everything.
Governments used to ... gasp ... employ people to do tasks so that you didn't have to outsource every single piddly task. And since those employees could do the tasks, there was a floor such that selecting nobody and doing it in house was always an option.
Yes, that has different failure modes. However, you have more levers over those failure modes as opposed to a single lever of "Head to court and try to win a legal case."
You create a political class full of lawyers, and you get a country where lawyers thrive, who would have thought?
https://academic.oup.com/yel/article/doi/10.1093/yel/yeac009...
It's really confusing that the EU don't consider this "dumping". I thought that was this big thing that they cared about.
And that competitive advantage could presumably give them more scale?
Who the fuck invented that logic of "those companies' prices are too high, we have to let them consolidate into a monopoly so they lower their prices"?
China turning off your transportation is.
Your second sentence is quite a jump, however: "It won't be as big, so there's no point in trying to compete at all."
Siemens (Germany) and Alstom (France)
> It fell down to an anti-monopoly decision by a single person in the EU ministry, who killed the proposal
Margrethe Vestager, the European Commissioner for Competition at the time (2019). At the time of the decision, she said "No Chinese supplier has ever participated in a signaling tender in Europe or delivered a single very high speed train outside China. There is no prospect of Chinese entry in the European market in the foreseeable future." This has since been proven to be a bad prognostication, as China Railway Signal & Communication (CRSC) is actively deploying its ETCS Level 2 signaling system on the Budapest–Beograd railway line in Hungary[1]; and China has delivered trains to Serbia, leased trains to Austria's Westbahn, acquired German locomotive manufacturer Vossloh Locomotives, and participated in a public tender in Bulgaria for electric trains.
She is no longer in that position. She has as of 2024 become "tough on China,"[2] acknowledging mistakes made in the past and touting how "China came to dominate the solar panel industry... and is running the same game now, across strategic industries including electric vehicles, wind turbines and microchips."
She now says Biden's IRA was a mistake, that Europe has been de-industrializing and that is not a good thing, and that Europe has been too afraid to impose tariffs on China out of fear of retaliation from China.
It sounds remarkably similar to the MAGA playbook on trade and re-industrialization.
[1] https://www.railwaygazette.com/infrastructure/china-railway-...
[2] https://www.politico.eu/newsletter/brussels-playbook/vestage...
> ...acknowledging mistakes made in the past
That's falling somewhat short of admitting she alone fucked that situation up. The US and Canada had already given permission for the merge to bypass antitrust laws.
I do agree that the global market is causing quite some trouble, although that could be avoided by most (all?) countries being nice to each other. Or even excellent to each other!
That still would come at a hefty price for China as that means no or way lower income for quite a lot of Chinese companies and people.
In that regard I guess the anti-monopoly law is working?
The remark stands as yet another regrettable instance of history echoing itself – a lamentable parallel to that uttered by Sir Claude Maxwell MacDonald, whose acquisition of a 99-year lease over the New Territories of Hong Kong on behalf of the British Crown from the Qing dynasty was justified with the breathtakingly short-sighted assertion that it was «as good as forever».
One observes, with increasing weariness, that politicians – regardless of generation or supposed pedigree – remain obstinately immune to the most elementary of truths: history is neither linear nor predictable. It twists, recoils, and devours the complacent. Political decision-making, therefore, ought never be entrusted to those governed by the ephemeral whims of populism – it demands the discipline, foresight, and cold precision of a strategist trained not merely to react, but to foresee. Alas – such minds are in tragically short supply.
My sense is that conspiracy theorists are essentially a cron job crying "Wolf!" every 60 seconds. The occasional real-world wolf does not justify paying any attention to the alarms. OTOH, it's a false dichotomy to believe that the false alarms prove the non-existence of wolves.
Just like someone has the capability to do with virtually everything we have running software.
The two train companies that couldn't merge can still make trains, and still sell them to whomever they want. European purchasers can still buy them. And after reading articles like this one, these two companies have a big competitive advantage: they don't include Chinese backdoors. Maybe they're small now, but if the Chinese train/bus/etc. manufacturing companies end up being blacklisted in the EU, these two companies will grow. And, better yet, there will still be some healthy competition in the space.
I'd like to post some questions for thought:
1. What is exactly the bidding process of that particular transaction the OP described?
2. What is exactly in the contract? Does it force the Chinese company to use a lot of local companies for sub-contracting, at the same time keeping a very low profit? In essence, this basically means the EU companies grabbed the biggest share while the Chinese company just got the job. I'm not saying this is the case, but I highly doubt it IS the case as I heard similar stories from other companies.
Surveillance tech in products doesn't necessarily imply grey zone warfare. But that doesn't make it a good thing either.
Poland put out a separate bid for manufacturing and servicing of their locomotives and one company won the manufacturing bid while another won the servicing bid.
The servicing company was unable to get the trains into working order and after hiring hackers accused the manufacturing company of bricking the software on purpose by including geo-fences where the trains would no longer work after arriving at the servicing company's property.
Perhaps the interesting part to me was Dragon Sector's (the hackers) claims that the software needs to be blessed so although they discovered problems they never changed anything because they don't have the authority to bless it and heavily imply that the fact that the manufacturing company is changing the software at will is illegal.
The changes by the manufacturing company had an (undisclosed) activation sequence added to it so you didn't need to modify the software in order to get the train working so the servicing company never actually modified the software.
https://www.youtube.com/watch?v=XrlrbfGZo2k
https://www.ifixit.com/News/112008/polish-train-maker-is-sui...
If the problem is that Chinese companies are shipping train firmware with backdoors, then you need to ban those companies. Problem is, given the Newag situation[0], I don't think they can actually do this at the level of individual procurements. So they need specific EU directives banning this behavior and explicitly adding a process by which procurement can ban suppliers for prior noncompliance. What facilitating an illegal merger will do is reduce the EU's bargaining power with industry, ensuring that we get more backdoored trains and more risk.
[0] Short version: they got caught shipping firmware that bricks the train if you take it to a third-party repair shop, even though the contract specifically mandated Newag provide repair manuals. EU agencies and member states do not have the power to disqualify Newag from future tenders for failing to adhere to prior ones, so they keep winning contracts
You can write whatever you want into a contract, but if you have no way to validate it, it's meaningless.
Also, the state-owned (and subsidized) Chinese company that doesn't have to play by the West's antitrust rules doesn't need to worry about your "contagion" concerns.
3rd party audit like everything else?
I'm not talking about checking a compliance box, I'm talking about actually confirming no backdoor exists.
So what's the point of a regulation that can't be enforced?
Ok.
Go complain somewhere else because this discussion is not productive.
> EU agencies and member states do not have the power to disqualify Newag from future tenders for failing to adhere to prior ones
That seems like a problem that can be fixed, given the political will to do so.
This will probably get fixed with software audits necessary for compliance under the NIS2 directive. The EU fixed the problem with more regulation and bureaucracy, ensuring that only the big boys can comply. Protect us from China by becoming China?
"A slap in the face is more effective than ten lectures. It makes you understand very quickly." —Leopold von Sacher-Masoch
Siemens received the slap in the form of Stuxnet. Industrial controls and transport are not the same business unit, but enough of the message got around internally.
I firmly believe Alstom would not be making such garbage today, at least not from a cybersecurity perspective, had this merger gone ahead. And, let's say, I know quite well exactly what type of hot garbage they unfortunately continue to make.
It's a shame.
Our companies meanwhile are all turning into John Deere, and I'm glad the merger was blocked.
The security part, obviously I do care but this article says very little about it.
Danish authorities in rush to close security loophole in Chinese electric buses
https://www.theguardian.com/world/2025/nov/05/danish-authori...