Norway reviews cybersecurity after remote-access feature found in Chinese buses

How the hidden connectivity was found

  • Commenters say Norwegian testers used a “Project Lion Cage”-style setup: vehicles taken underground / into a Faraday-like environment with spectrum analyzers to see where they transmit.
  • Romanian SIM cards were physically found; some speculate eSIMs would be harder to spot physically but still discoverable via RF testing.

Capabilities and risk of remote access

  • The undisclosed connection allowed software updates, diagnostics, and control of battery/power systems; the test team concluded buses could be remotely stopped or bricked.
  • Several note: bricking via OTA is trivial; making OTA safe and reliable is the hard part.
  • Others worry about more extreme scenarios (e.g., overheating batteries, coordinated shutdowns), though some think safety hardware and physical fuses limit worst‑case outcomes.

“This is normal” vs “this is different”

  • One side: essentially all modern vehicles have SIMs, telemetry, and OTA updates (John Deere, Tesla, eCall, etc.) and are already remotely updatable or disable‑able in practice.
  • Other side: these SIMs were not disclosed in procurement; this is far beyond simple diagnostics and not “standard” for road vehicles, especially for critical infrastructure.
  • Disagreement over how many cars/buses are truly “fully remotely controllable” versus just updatable.

Broader cybersecurity and IoT concerns

  • References to Polish trains with anti‑repair geofencing and GPS “kill codes”; car hacking research; worries about a future worm (Petya‑class) hitting huge IoT and vehicle fleets.
  • People highlight similar or worse backdoors in Western tech (motherboards, routers, smart home gear, hospital devices) and note that if your transport is online, it can in principle be hacked.

China, politics, and procurement strategy

  • Split between those seeing justified national‑security concerns (Chinese state‑linked firms, ability to disrupt logistics in war) and those seeing trade‑war FUD and selective outrage.
  • Extended debate about EU blocking a big European train merger vs fear of a dominant Chinese rail/bus supplier; tension between antitrust, corruption in tenders, and security‑driven protectionism.
  • Some advocate outright excluding Chinese vendors from critical contracts or imposing tariffs; others prefer stricter software/audit rules applied to all suppliers.

Why buses are online & proposed mitigations

  • Practical reasons cited: live location tracking, accurate arrival times, remote CCTV viewing, diagnostics, and OTA maintenance.
  • Proposals include: mandatory source disclosure to regulators with reproducible builds, third‑party audits, and ripping out opaque “black box” controllers where trust is impossible—while others note you can’t truly prove the absence of backdoors.