What began as a harmless ‘film shoot’ in a disused Norwegian mine has now grown into an international ‘cyberbus thriller’ that has put the world’s largest bus manufacturer, the Zhengzhou-based private company Yutong Bus Co. Ltd., on the defensive. On 28 October, Norway’s largest transport company, Ruter AS, which provides public transport services to the capital Oslo and large parts of the surrounding area, conducted the results of a so-called ‘Lion’s Cage Test’ on the cyber security of its buses, had the test accompanied and published by the daily newspaper Aftenposten, and at the same time reported the results to the norwegian Ministry of Transport. The report was immediately picked up across Europe, and at least in Denmark and the United Kingdom, major transport companies have announced their own investigations. According to Yutong, Ruter only communicated with the manufacturer upon request and did so very hesitantly. Our list of questions to Ruter AS has also remained unanswered for more than a week until now.
Two buses from the company’s own fleet were tested (according to Aftenposten, Ruter operates around 300 Yutong buses). In 2025, a total of over 400 Chinese-brand buses were registered in Norway, around 220 in Denmark and almost 900 in the UK (up to Q3/25, source: DVV Media). However, one of the two ‘test vehicles’ was only allowed to play the sad cameo role: a three-year-old VDL bus of an unspecified type, without any further online capabilities. The test report, which is freely available on the internet, succinctly states: “The Dutch buses from VDL do not have the capability for autonomous software updates Over The Air (OTA). Therefore, they are not that interesting.‘ There is no mention of why a modern European bus from one of the major manufacturers, which should have at least some online capabilities, even if not the same as the Yutong, whose ’Link+‘ telematics system had just won a `Digital Award´ at Busworld in Brussels, was not used as a reference. As in the passenger car sector, Chinese vehicle manufacturers have digitised extremely quickly in order to compensate for the still somewhat sparse service network in Europe.
Clandestine `Lion’s Gate Test´ with uncomparable vehicles
During testing, serious safety deficiencies were allegedly identified in the Yutong bus because a SIM card allowed online access to the bus at any time. ‘Theoretically, this bus can be stopped or taken out of service by the manufacturer,’ said Ruter AS. Various media outlets in Norway, Denmark and the United Kingdom are therefore referring to a ‘kill switch’ by the Chinese. Aftenposten even uses the term ‘national security’, which may be at risk.
In addition, there is a alleged security vulnerability in the software of a Yutong supplier that is required for the ‘Over the Air’ (OTA) software update. According to the test report online, Ruter is already ‘implementing concrete measures’ following the tests. These include: “Imposing even stricter security requirements for future procurements; the development of firewalls that ensure local control and protect against hacking; Collaborating with national and local authorities on clear cybersecurity requirements.‘ Particularly interesting is the statement that the company now wants to exploit a `technological window of opportunity before the next generation of buses becomes more integrated and harder to secure.´ This can really only be insinuating to preventing European manufacturers from catching up with the Chinese in terms of digitalisation, that is at least five years ahead.
Yutong counters the grave cybersecurity allegations
The manufacturer Yutong, which was not involved by the Norwegians before, during or after the test, has issued two official statements strongly refuting Ruter AS’s claims. ‘
Yutong always prioritizes vehicle data security and customer privacy protection, and fulfills its commitments to cybersecurity management for vehicles and data protection with high standards,’ states the two-page, very detailed document. The data from the vehicles is hosted on an AWS (Amazon Web Services) server in Frankfurt am Main and would be only processed or forwarded with the full consent of the customer. They go on: “Yutong’s OTA system is certified under UN R156 Software Upgrade and Software Upgrade Management System. During each software upgrade, Yutong first sends a notification to the customers with clear upgrade details. The upgrade proceeds only after customers fully understand and confirm their consent.“ The second statement, published in conjunction with UK importer Pelican, also states: “For customers who may still have concerns, it is possible to disable all telematics functions by turning off the power supply to the connected device or by removing the SIM card. Disabling telematics functions will not affect the normal operation of the vehicle.“
All relevant driving systems such as the accelerator pedal, steering, brakes and emergency braking system ‘are controlled entirely by the driver and are not influenced or affected by any external signals or commands.’ This is standard technology throughout the automotive industry and completely legal. Perhaps that is the reason why Ruter CEO Bernt Reitan Jenssen told Aftenposten bluntly: ‘We wanted to move from speculation to findings. And I have to say that the results are not as bad as I had feared.’
Hidden script behind the Cyperbus-Gate?
In Norway, Ruter currently has no tenders pending they say, that could be affected. But in London, Yutong is offering its new electric double-decker bus in a tender – the first prototype was on display at Busworld in front of the entrance hall. Also in Germany, the manufacturer says, it is about to enter the market. An indication of the actual reason for the unusually hostile action against its own supplier was already given at `Busworld Europe´ in Brussels on October 7, when Ruter CEO Jenssen used a high-level panel discussion organised by his company to take a clear stance on bus safety together with the newly re-elected Norwegian Minister of Transport Jon-Ivar Nygård (social democratic ‘Arbeiderpartiet’). In the medium term the aim would be to influence ‘the UNECE committee responsible for safety issues via the EU,’ but this could take some time, so Nygård. Until then, it would be very important, that transport companies in the individual markets ‘include their own, stricter safety requirements in their tenders.’ Could this be the real script for the norwegian `Cyberbus-Gate´?
Thorsten Wagner (MBA)
