Electric buses serving Britain’s towns and villages could be remotely taken over and deactivated by their Chinese manufacturers in a major security flaw uncovered by The Mail on Sunday.
Yutong vehicles have been purchased by transport networks across the country since 2018, with the overall number operating in Britain believed to stand at more than 2,500.
But security experts last night warned the manufacturer could spontaneously deactivate the buses from China in a ‘major act close to war’.
Any move to do so would likely wreak havoc on Britain’s transport network at a moment’s notice.
The warning comes after transport officials in Norway – where they also use the buses – found Yutong had access to software updates and also the vehicles’ control systems via sim cards placed in the buses.
Authorities in Denmark are also urgently working out how to close the apparent security loophole.
Last night, critics said Yutong’s remote controls could be exploited by the powerful Communist Chinese regime to cause disruption on Britain’s streets.
Steve Tsang, Director of the China Institute at SOAS University, said the security flaw made it possible for ‘Beijing to order Yutong or any Chinese company to remotely immobilise their vehicles’.
Electric buses serving Britain’s towns and villages could be remotely taken over and deactivated by their Chinese manufacturers in a major security flaw uncovered by The Mail on Sunday
He added: ‘It would be a very major act, close to war…but it can happen, and we should not put ourselves in a position that we expose our critical infrastructure to such a risk.
‘If a local authority in the UK is using such vehicles, plans should be put in place to replace them, preferably as quickly as possible.’
Tory MP Alicia Kearns, co-founder of the China Research Group, said the British public would be ‘rightly horrified that over 2,000 buses on our roads can be remotely controlled by Chinese manufacturers’.
She added:‘The Government must recognise the threat and block any further purchases of Yutong buses.
‘There is no part of our economy or society the Chinese Communist Party won’t try to infiltrate, and they will clearly stop at nothing in their attempts to undermine our national security.’
And former Tory party leader Iain Duncan Smith demanded that the government, local councils and bus companies ‘buy buses made in Britain’.
He added: ‘They are going for the cheapest option, but what they are getting is a vehicle set up to spy on us.
‘They are full of IT systems; they act as vehicles collecting data. They are capable of being shut down remotely. We need to start rethinking our whole relationship with China.’
Alarm about the buses was sounded in Norway last week after their public transport authority Ruter announced tests had uncovered Romanian SIM cards hidden inside a new model of Yutong electric buses.
These SIM cards, while designed for software updates and troubleshooting, would allow the manufacturer to deactivate those buses.
The potentially flawed buses are distributed in the UK through Pelican Bus & Coach company.
First Bus and Stagecoach purchased more than 150 Yutong buses each last summer alone, while the Scottish Government’s Transport Scotland has ordered 287 Yutong buses.
Even Sir Keir Starmer and Angela Rayner used Yutongs as their battle buses during Labour’s general election campaign trail.
The China-made vehicles also carry passengers every day on private coaches such as FlixBus, who operate as many as 200 Yutong buses.
A spokesman for Yutong last night insisted the company complied with UK laws.
They said: ‘Yutong fully understands and highly values the public’s concerns regarding vehicle safety and data privacy protection.
‘Yutong always prioritizes vehicle data security and the protection of customer privacy, and fulfils its commitments to cybersecurity management for vehicles and data protection with high standards.
‘Yutong strictly complies with the applicable laws, regulations, and industry standards of the locations where its vehicles operate.’
They added: ‘Without customer authorization, no one is allowed to access or operate the system. Yutong vehicles in Europe do not support remote control of acceleration, steering, or braking.
‘All software updates are controlled by Pelican with manual physical access only to the vehicles, with written prior authorisation by customers.’
A spokesman for the McGill’s Group said: ‘Yutong buses within the McGill’s fleet are not capable of remote software updates.’
Gavin Davies, First Bus’ IT Director, said: ‘Cyber security risk is a core element of our procurement process for new electric buses. Ruter’s work in Norway is helpful for wider industry learning, and it’s really encouraging that they are carrying out tests and exploring how security systems can be improved even further.
‘Their expertise in this field, alongside our own robust cyber assessments on all hardware and software, is vital to keeping on top of the latest developments in security.’
A Department for Transport spokesman: ‘We are looking into the case and working closely with the UK’s National Cyber Security Centre (NCSC) to understand the technical basis for the actions taken by the Norwegian and Danish authorities.’
