Transport Canberra Probes Cyber Risks in Chinese Electric Buses

Transport Canberra has launched a new investigation into its fleet of Chinese-made electric buses amid growing cybersecurity concerns. British media have reported that the UK's National Cyber Security Centre and Department for Transport found Yutong electric buses could be remotely shut down from China using a "kill switch". The same issue was flagged by Norwegian transport operator Ruter in November. Yutong electric buses are used widely across Canberra, with the ACT government purchasing 90 vehicles in 2023 as part of its zero-emissions transition plan. The buses are also used in New South Wales and Queensland on a smaller scale. Transport Canberra said it investigated the issue last year and did not discover any security vulnerabilities. "Given the latest observations that have come out of Europe as early as this morning, we have re-engaged with Digital Canberra and will look at that matter again just to assure ourselves and the community that those concerns don't exist." Yutong's Australian distributor, VDI Australia, advised Transport Canberra that buses operating here were different from the model used in Europe. Mr Smith said the Australian buses did not allow "over-the-air" updates from Yutong. "The way the updates are done in Australia, particularly in Canberra and the ACT, is that they're enabled by a mechanic in the workshop," he said. 'Sleepwalking into a larger threat', expert warns Cybersecurity expert Alastair MacGibbon, the chief strategy officer at CyberCX and a former cybersecurity advisor to then-prime minister Malcolm Turnbull, is a vocal critic of Chinese electric vehicle imports. "There is risk — that risk gets greater every single time we add a vehicle on the road that is an electric vehicle manufactured in, and therefore controlled by, a state that doesn't have our best interests at heart," Mr MacGibbon said. "Theoretically, you could degrade the safety features on the bus. "Could you change the way it brakes? Could you turn off the lights at night? Or even perhaps scarier … imagine if the battery was allowed to overfill, get hot and explode. He said steps taken by Transport Canberra "in no way" ameliorated the threats identified in the Yutong buses overseas. "It does not matter if Transport Canberra are the ones who upload the software," he said. "One thing I'll guarantee you is they're not reviewing every line of code, and even if they did, they wouldn't know what that code did. Yutong has long argued that it prioritises vehicle data security and customer privacy and complies with data protection laws. A company spokesperson said in November that Yutong vehicles in Australia "do not support remote control of acceleration, steering, or braking signal". Transport Canberra's Yutong bus fleet will remain in service while investigations continue.