November 9, 2025
Chinese-made Yutong electric buses are at the centre of growing cybersecurity concerns in Australia after tests in Norway revealed potential vulnerabilities in the vehicles’ control systems.
The Norwegian public transport operator Ruter found that Yutong, the Chinese manufacturer, could remotely access certain software systems during diagnostics and updates — raising questions about data security, remote control potential, and foreign access risks.
Since the same company has supplied over a thousand buses for Australian use, experts are urging greater scrutiny over imported smart transport systems and the data they collect.
“If remote connectivity can alter or disable a vehicle, that becomes a national security issue, not just a technical one,” said Alastair MacGibbon, Chief Strategy Officer at CyberCX and former head of the Australian Cyber Security Centre.
Norway Cybersecurity Findings
Norway’s Ruter conducted controlled tests earlier this year to evaluate vulnerabilities in Yutong’s over-the-air update system.
The investigation discovered that the buses’ digital control system allowed external access for software updates and diagnostics — theoretically enabling a remote shutdown.
Tests were conducted in a sealed environment, a disused mountain mine, to avoid external interference.
The analysis also compared Yutong’s E-series bus with a European VDL model. The Yutong bus showed higher exposure risk because it supports wireless updates, whereas the VDL does not.
In response, Norway announced plans to strengthen anti-hacking measures and restrict external access to its public transport fleets.
Australian Situation
Australia has seen a steady rise in Yutong’s footprint.
Since 2012, Yutong Australia has delivered more than 1,500 vehicles, of which approximately 145 are battery-electric.
The Australian distributor, VDI, stated that local practice involves manual, on-site software updates — not remote access.
All operational data is stored via Amazon Web Services (AWS) data centres in Sydney, with strict adherence to Australian privacy and data protection laws.
Yutong buses currently serve routes in Canberra, Sydney, Brisbane, and Perth, with new electric models being trialled under the ACT Government’s 2024 electrification program.
Expert Reactions & Cybersecurity Context
CyberCX’s Alastair MacGibbon cautions that connected vehicles — regardless of their country of origin — pose inherent risks due to their constant connectivity to manufacturers’ servers.
“Electric and connected vehicles must stay online for diagnostics, firmware updates, and performance monitoring. That connection is both a strength and a weakness,” he explained.
However, MacGibbon emphasized the added complexity when data links lead to companies under foreign state influence, such as China’s CCP oversight of domestic corporations.
“This is not about the bus being made in China — it’s about who controls the data and infrastructure behind it,” he said.
A Defence Department spokesperson reaffirmed that Australia uses a layered approach to protect critical infrastructure, including Defence estates, involving personnel, military police, and cybersecurity contractors.
Yutong’s Response
Yutong Australia has rejected the implication that its vehicles in Australia are vulnerable to remote interference.
“No one is allowed to unlawfully access or view the data without customer authorisation,” a company spokesperson said.
The company insists that its Australian fleet does not support remote control of acceleration, steering, or braking.
All collected data is strictly operational — such as energy use, location, and performance — and transmitted securely through local mobile networks to AWS Sydney.
Yutong added that it “strictly complies with Australian data protection laws and regulations.”
Broader Cybersecurity Concerns
Dr. Dennis Desmond, a cybersecurity lecturer at the University of the Sunshine Coast and former FBI special agent, warned that these cases highlight deeper national security implications.
“Until we know what data is collected, how it’s transmitted, and who can access it, we can’t accurately assess the risk,” he said.
Desmond argues that all imported smart or connected devices — not just vehicles — should undergo independent cybersecurity evaluation before deployment in sensitive sectors like government, transport, or defence.
He added that the issue extends beyond China:
“Australians rely heavily on foreign manufacturers for smart devices, often unaware of how their data could be collected or exploited.”
Policy & Global Context
The United States government has already moved to restrict Chinese-made vehicles from its markets, citing security risks.
Australia has not yet implemented equivalent restrictions, but policy discussions are emerging around mandatory testing and certification for Internet-of-Things (IoT) devices and imported smart systems.
Experts from Monash University and CSIRO have urged a national cybersecurity framework for connected transport, including testing for over-the-air vulnerabilities and supply-chain data risks.
