Security agencies have raised serious concerns over Chinese-made electric buses operating across Australia, after it was revealed they contain a remote 'kill switch' that could be activated by the manufacturer from China.
Security Fears Over Remote Access
According to a report in The Telegraph, Britain's National Cyber Security Centre and the Department for Transport identified that Yutong-branded electric buses could be remotely shut down. The feature, linked to SIM cards used for software updates, has sparked fears that Chinese security services could intervene.
While there is no evidence that the 'kill switch' has ever been used in Australia, authorities in Denmark and Norway have expressed similar worries. In November, Norwegian transport operator Ruter confirmed that the Yutong Group had access to the buses' control systems for diagnostics and updates, stating that 'in theory, this could be exploited to affect the bus.'
Scale of Australian Fleet and Official Responses
Yutong has sent more than 1,500 vehicles to Australia since 2012. The current fleet includes 90 battery-electric buses ordered by the ACT in 2023, 26 operating in New South Wales, and four in Queensland, with South Australia conducting a trial.
Alastair MacGibbon, chief strategy officer at cybersecurity firm CyberCX, told the Australian Financial Review that these Chinese-made vehicles inherently carry security risks. 'Confidentiality in a Chinese-made vehicle does not exist,' he warned, noting that internet-connected vehicles have cameras and microphones that the manufacturer could access.
A spokesperson for the Australian distributor, Vehicle Dealers International, insisted the model tested in Norway is not used locally. They stated that vehicles are prepared to Australian requirements, with customer-authorised access, and that there is no remote control of acceleration, steering, or braking. Any operational changes are done in person with operator authorisation.
Government and Manufacturer Stance
Transport for NSW said there is no evidence its fleet can be remotely disabled, but the reports are part of active risk assessments. Transport Canberra confirmed it has disabled over-the-air updates, performing all software updates itself.
In a statement, Yutong said data from its Australian vehicles is stored at an AWS data centre in Sydney and is used solely for maintenance and optimisation. The company claims all data is encrypted and protected with strict access controls.
Despite these assurances, the revelation has ignited a debate about the cybersecurity of critical national infrastructure and the reliance on foreign-made technology for public transport.