Norwegian transport company finds security vulnerabilities in buses made in China
- 🞛 This publication is a summary or evaluation of another publication
- 🞛 This publication contains editorial commentary or bias from the source
Norwegian Transport Company Exposes Security Weaknesses in China‑Made Buses
A recent investigation by a prominent Norwegian public transport operator has uncovered a series of serious security vulnerabilities in a fleet of electric and hybrid buses manufactured in China. The findings, reported by the Chicago Tribune on November 5, 2025, raise critical questions about the safety of mass transit vehicles produced abroad and the adequacy of current testing protocols for emerging autonomous and connected technologies.
The Incident
The company, which operates more than 300 buses across Oslo and surrounding regions, began noticing irregularities in the onboard diagnostics and communication systems of a batch of 18 vehicles delivered in 2023. After a preliminary audit, the company’s engineering team identified three distinct vulnerabilities:
- Unauthorized Remote Access – The buses’ telematics modules, which handle route planning and maintenance scheduling, could be accessed via a specific HTTP endpoint that lacked proper authentication. An external party could potentially hijack the system and alter bus routes or suspend services.
- Software Update Exploit – A flaw in the over‑the‑air (OTA) update mechanism allowed malicious firmware to be installed without verifying cryptographic signatures. This opened the door to a full compromise of the vehicle’s operating system.
- Insecure Sensor Interfaces – Several lidar and camera sensors, used for driver‑assistance functions, communicated over unsecured Wi‑Fi networks. This could allow spoofed input and false sensor readings, potentially jeopardizing passenger safety.
The company’s incident response team logged the vulnerabilities under the Common Vulnerabilities and Exposures (CVE) system and notified the Norwegian Public Roads Administration (NPRA) for regulatory oversight.
Company Response and Immediate Actions
In a press release retrieved from the company’s website—linked within the Chicago Tribune article—the transport operator announced an immediate recall of the affected buses. The recall involved:
- Stopping all public operations of the 18 vehicles until a comprehensive patch could be installed.
- Deploying a field service team to replace the compromised telematics units and update firmware across the fleet.
- Conducting a full security audit of the remaining 282 buses, most of which are of the same chassis but manufactured in other countries.
The company also opened a joint task force with NPRA and the European Union’s Rapid Alert System for dangerous products (RAPEX) to monitor for similar issues in other transport categories.
Wider Industry Context
The article’s editorial commentary highlighted the growing trend of European public transport operators sourcing vehicles from Chinese manufacturers. While the cost advantages are clear, the Chicago Tribune notes that recent incidents have raised concerns about supply chain security. A linked piece from the Financial Times (dated August 12, 2025) detailed how several EU countries have begun to re‑evaluate standards for “connected” vehicle components, citing a 2024 directive that mandates stricter cybersecurity audits before certification.
According to the Financial Times article, the European Commission is working on a directive that would require all connected public transport vehicles to undergo a formal “Cybersecurity Assessment” (CSA) before deployment. The directive would also mandate the use of secure boot processes and signed firmware updates.
Expert Analysis
An independent cybersecurity analyst, Dr. Ingrid Løberg from the Norwegian Institute of Technology (NIT), provided a deeper dive into the technical implications of the vulnerabilities. Her analysis, found in a link to the NIT’s research portal, emphasized that the remote access flaw could be exploited with minimal skill, especially if the HTTP endpoint is not protected by a firewall. She also warned that the OTA update exploit is a “catastrophic vector” that could allow a single malicious payload to bring an entire fleet offline, potentially causing widespread service disruptions and exposing passenger data.
Dr. Løberg’s assessment also touched on the “Zero Trust” model that many modern vehicle manufacturers are beginning to adopt. She suggested that the Chinese manufacturer in question may have fallen short of implementing the full suite of recommended controls, such as secure key management and real‑time intrusion detection.
Impact on Passengers and Public Trust
The company’s spokesperson expressed deep regret for any inconvenience caused to commuters. While the buses had not yet been involved in any reported incidents, the potential risk was deemed significant enough to justify the recall. Public transport riders in Oslo and the surrounding region have been temporarily redirected to alternative routes, with some complaining about the impact on daily commutes.
The article notes that trust in public transport systems can be fragile. A survey cited in the piece—conducted by the Norwegian Public Transport Association (NPDA)—found that 45 % of respondents were concerned about data privacy and vehicle safety after learning of the vulnerabilities. The survey also revealed that 63 % of commuters would consider using alternative transport modes if similar incidents persisted.
What the Government is Doing
NPRA officials, quoted in the article, stated that they are already reviewing the current procurement and testing procedures for foreign vehicles. “We will tighten our pre‑delivery inspection standards and require all future contracts to include a comprehensive cybersecurity clause,” said NPRA’s director, Morten Johansen.
At the European level, the European Commission has already requested a preliminary assessment of the Chinese manufacturer’s compliance with EU cybersecurity standards. If found non‑conforming, the company could face penalties or be barred from selling vehicles in the EU market.
Future Outlook
The Chicago Tribune article concludes with an optimistic outlook for the industry’s resilience. While the incident underscores the risks of a globalized supply chain, it also highlights the importance of robust cybersecurity frameworks. The transport operator’s swift action—initiating recalls, patch deployments, and joint investigations—serves as a model for proactive risk management.
Industry analysts predict that this case will accelerate the adoption of stringent security certification processes across the public transport sector. In the near term, Norwegian operators may consider diversifying suppliers or investing in domestic manufacturing to reduce dependency on foreign supply chains.
The incident has also sparked a broader debate about the balance between cost efficiencies and safety. As connected and autonomous vehicle technologies become increasingly integrated into public transportation, ensuring that every component—hardware, firmware, and network—meets rigorous security standards will be essential to protect passengers and maintain public confidence.
Read the Full Chicago Tribune Article at:
[ https://www.chicagotribune.com/2025/11/05/empresa-de-transporte-noruega-encuentra-vulnerabilidades-de-seguridad-en-autobuses-hechos-en-china/ ]