
Aha, aha, aha

Authorities in Denmark are urgently studying how to close an apparent security loophole in hundreds of Chinese-made electric buses that enables them to be remotely deactivated.

The investigation comes after transport authorities in Norway, where the Yutong buses are also in service, found that the Chinese supplier had remote access for software updates and diagnostics to the vehicles’ control systems – which could be exploited to affect buses while in transit.

I am unconvinced this applies only to Yutong buses, or Chinese buses. Any system – say a Tesla – where the update can be done on the fly and over the air can be told to brick the system, no?

24 Comments
Grikath
5 months ago

yes… Any unmodified “Smart” Device can be shut down or even be bricked from Production Central, through the “Critical Update” route.
It’s always been one of their major flaws and vulnerabilities: If it’s connected to a network, it can be hacked/sabotaged.
And…. “all according to Keikaku” …. See all modern gaming consoles, most modern commercial software, most electric cars, camera doorbells, etc…

What I’m curious about is why those bus companies haven’t spotted that from the start, and insisted on the standard Company Solution for software/update rollouts:
Distribute them from your own central server *after* receiving and checking updates from the manufacturer. And have the buses only listen to that server. Important “air” gap you’d want right there.

Of course, the Chinese probably would have charged a lot more for those buses, if they were willing to sell them at all if they insisted on that…

Last edited 5 months ago by Grikath
Bob Smith
5 months ago
Reply to  Grikath

See 1st and 2nd Generation Nest thermostats as an example.

andyf
5 months ago
Reply to  Grikath

If I was a malicious manufacturer I would implement the device with two clocks: one that the user could change (wind forward) and a second that was available to me. Based on that hidden clock my “extra” functionality would only activate after a specific time so lab testing would not help. The first bit of hidden functionality would be to brick itself at some future date. This would be advanced with each update so would never activate unless the bus had ceased getting updates.
My second bit of hidden functionality would be to get round that pesky air gap. This is very trivial to do as being a bus it moves around and can simply connect to an open WiFi along its route.

Western Bloke
5 months ago
Reply to  Grikath

I have two IoT devices and that’s how they work. You don’t send anything to the device, the device asks for things. It goes something like this:

  1. Device polls server every few hours.
  2. Server returns list of commands to action. Which could be 0, 1 or many.
  3. If the list is empty do nothing. Otherwise device sends back each command to the server, processing the response.

There isn’t a listener on the device accepting requests.

And I’d bet money that’s also what the Chinese do.

I mean, what’s actually been found here? Someone noticed there’s a sim card, or a web client running on the box?
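Grikath’s proposal (buses only listen to the operator’s own staging server, which re-distributes manufacturer updates after checking them) and Western Bloke’s description of the poll model (device asks, server answers with a command list, no listener on the device) fit together as one device-side loop. The following is an added example written for this page, not code from Yutong, any bus operator, or a commenter. It assumes a hypothetical operator key provisioned on the bus, an HMAC-SHA256 tag over the command envelope as a stand-in for a proper signature, a sequence number for replay protection, a fixed allowlist of command types, and firmware images that were already mirrored from the operator’s server and are matched by hash before installation:

```python
import hashlib
import hmac
import json

# Constructed keys for this example only. On a real vehicle the operator key
# would sit in a secure element; the manufacturer never holds it, so a command
# list signed by the manufacturer is simply ignored by the bus.
OPERATOR_KEY = b"operator-staging-server-key-constructed"
VENDOR_KEY = b"manufacturer-key-constructed"

# The only command types the bus will act on; anything else is dropped.
ALLOWED_COMMANDS = {"report_diagnostics", "apply_update"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic JSON so signer and verifier tag exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_envelope(key: bytes, seq: int, commands: list) -> dict:
    """What a server returns when the bus polls it (the operator's server, or
    anyone else who answers)."""
    body = {"seq": seq, "commands": commands}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


class BusUpdater:
    """Device side of the poll loop: verify, filter, then act."""

    def __init__(self, operator_key: bytes, staged_firmware: dict):
        self.operator_key = operator_key
        self.last_seq = 0  # highest accepted sequence number (replay check)
        # Images already pulled from the operator's server, keyed by sha256 hex.
        self.staged_firmware = staged_firmware
        self.installed = None

    def verify(self, envelope: dict) -> list:
        body = envelope["body"]
        expected = hmac.new(self.operator_key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["mac"]):
            return []  # not from our operator: ignore the whole envelope
        if body["seq"] <= self.last_seq:
            return []  # replayed or stale envelope
        self.last_seq = body["seq"]
        return [c for c in body["commands"] if c.get("type") in ALLOWED_COMMANDS]

    def process(self, envelope: dict) -> list:
        """Run one poll cycle; returns (command, outcome) pairs for logging."""
        results = []
        for cmd in self.verify(envelope):
            if cmd["type"] == "report_diagnostics":
                results.append(("report_diagnostics", "ok"))
            elif cmd["type"] == "apply_update":
                image = self.staged_firmware.get(cmd.get("sha256"))
                # Install only an image the operator already staged, and only if
                # its content really matches the hash named in the command.
                if image is None or sha256_hex(image) != cmd["sha256"]:
                    results.append(("apply_update", "rejected: image not staged or hash mismatch"))
                else:
                    self.installed = cmd["sha256"]
                    results.append(("apply_update", "installed"))
        return results


if __name__ == "__main__":
    firmware = b"constructed firmware image v2"
    bus = BusUpdater(OPERATOR_KEY, {sha256_hex(firmware): firmware})
    good = sign_envelope(OPERATOR_KEY, 1, [{"type": "apply_update", "sha256": sha256_hex(firmware)}])
    print(bus.process(good))
    spoofed = sign_envelope(VENDOR_KEY, 2, [{"type": "report_diagnostics"}])
    print(bus.process(spoofed))
```

The point the commenters are circling is that the network direction matters less than the trust root: a polling device is still under whoever can answer its poll with a tag it accepts. Here the manufacturer cannot produce that tag, an unknown command type is discarded before it does anything, and an update command can only name an image the operator has already inspected and staged.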

Agammamon
5 months ago
Reply to  Grikath

The people buying and using these things are not the sort of people that have the capability to run security-scans on updates.

They’re *running buses*, they only know how to run buses, and they’re not even aware that a *networked* electric bus isn’t a bus – it’s another computer on their IT network. A network they’re not even aware they’re supposed to be maintaining.

Bloke in Germany
5 months ago

Also applies to Windows and Apple computers. See Crowdstrike, July last year.

Western Bloke
5 months ago

This is a feature, not a bug. You find an error in the software, you can connect to the device and send an update to it. Or improve it.

I don’t believe for one second that they are “urgently studying” this. They just know that will get the press off their back. It’s going to be in a contract, specifications, probably even something about maintaining the SIM card it uses.

British parking meters sent all around the world have this. Various updates, remote disabling for whatever reason. Some organisations rent them. You want to disable them if they don’t pay for their renewal.

“Thomas Rohden, the chair of the Danish China-Critical Society and a regional Social Liberal party councillor, said Denmark has been “way too slow” when it came to dependence on Chinese companies.
“This is a huge problem. We should not be so dependent on a country that has values and ideals so different to Denmark,” Rohden said. He added that at a time when Denmark was trying to increase its resilience amid allegations of hybrid attacks by Russia “it’s not very resilient to be totally dependent on China”.”

There’s a combination of paranoia and protectionism going on here. But it all comes down to cui bono and frankly, racism.

I assume the people of China, like the rest of us, want to get richer. There’s two ways to do that: invade territories and take land, or make a load of electronic shit. Making electronic shit works a lot better. Invading territories probably isn’t worth the blood and treasure nowadays.

There are people trying to sow fear, uncertainty and doubt and I suspect it’s all being backed by companies that want to flog really expensive native stuff that is no more secure than the Chinese stuff.

Do people think the Chinese company, or the Chinese government, are going to make a Dr Evil cackle as they shut down the buses in Oslo? What happens next? Who is going to buy another thing from that company? What happens to all those jobs in Shenzhen if China goes evil?

Why make trillions when we could make… billions? https://www.youtube.com/watch?v=EzkzCSwhsx8

bloke in spain
5 months ago
Reply to  Western Bloke

I’m inclined to agree with you. Denmark FFS! Most people in Europe don’t know where it is. Those who know it exists. Why would the Chinese want to fuck with Denmark?

dearieme
5 months ago
Reply to  bloke in spain

Are you suggesting that “most people in Europe” are as geographically challenged as Americans? Or are you subtly implying that “most people in Europe” are arrivals from Shitholeistan?

Ted S., Catskill Mtns, NY, USA
Reply to  dearieme

I remember listening to Brain of Things Having to do with Britain on the old BBC World Service and hearing what utter rubbish the alleged brains were when it came to stuff outside the UK. I think my favorite was a question that implied we Americans don’t know what a coffin is. (The question was looking for the word “casket”, which none of the so-called brains got right.)

Europeans in general have also always underestimated the size of the US. What’s the old joke about 100 years being ancient history to Americans and 100 miles being really far away for Europeans?

bloke in spain
5 months ago

That’s for the English. 100 miles away for me is lunch. 1h 20m

bloke in spain
5 months ago
Reply to  dearieme

Europeans are like anyone else. They know their own corner of the world & the further away it is the less they know about it. I would imagine Germans know about Denmark because there’s a frontier. The Greeks? How good are you at Europe? I have a very short list of European countries I haven’t visited. Could you point to Liechtenstein on a map if it wasn’t labelled?

Last edited 5 months ago by bloke in spain
Western Bloke
5 months ago
Reply to  bloke in spain

“I would imagine Germans know about Denmark because there’s a frontier.”

But even then, it’s going to be the people in the North. Someone who runs a company in Kiel and has a client in Esbjerg 150 miles away. Someone in Stuttgart might be doing the same thing with Strasbourg, so have good French.

Something that the European integrationists can’t grasp is this difference between UK and other European countries. We have a sea border. There isn’t the same thing. If you’re a business in Maidstone, you might trade with Calais, but it’s really little more hassle to trade with Frankfurt or Amsterdam. It’s why we shifted to services and specialist manufacturing. Not because of Evil Mrs Thatch but because moving low-value goods over a sea border makes you uncompetitive. What ARM and Framestore do has no shipping cost. The cost of shipping a pair of luxury brogues is a tiny percentage on a £500 pair of shoes. And it’s why Britain and Ireland are more global traders. If you’re selling services with no shipping cost, you don’t limit yourself to the EU. You flog pharma or Grand Theft Auto to everyone.

(this is also why Irexit is going to happen. Since Britain left the EU, most of their trade is now outside).

Gamecock
5 months ago
Reply to  Western Bloke

Yep. ‘Urgently studying’ sounds like an oxymoron.

Paul, Somerset
5 months ago
Reply to  Western Bloke

I certainly don’t assume that the people of China want to get richer. You wouldn’t tolerate a socialist government for eight decades if that were your aim.

Western Bloke
5 months ago
Reply to  Paul, Somerset

What works as a system of government is about geography and technology. Like the Danes and the Swiss became democracies much earlier than Spain and Italy. Why is Venezuela not a democracy but Brazil, Argentina and Chile are?

In particular, threats of war (which come from things like having valuable land) lead people more towards socialism, that a large tribe is necessary for security. If you make your money in other ways, like the Swiss, you don’t think that way.

Charles
5 months ago
Reply to  Paul, Somerset

China does not have a socialist government – it has a very capitalist government with significant state control of industry as well as other aspects of life.

bloke in spain
5 months ago
Reply to  Charles

I would think China would qualify as fascist.

Boganboy
5 months ago
Reply to  bloke in spain

I’d argue that all anti-fascists would qualify as fascists.

Grist
5 months ago

I remember a client in the ’90s who sold software where you were encouraged to subscribe to safety updates. If you didn’t do that within 3 months of buying the software the safety updates became irrelevant, because you didn’t have any software after that…

Mr Womby
5 months ago

It’s not just EVs that can be remotely accessed. My petrol-powered BMW is occasionally updated over the mobile phone network.

Steve
5 months ago

Any system – say a Tesla – where the update can be done on the fly and over the air can be told to brick the system, no?

Jeep accidentally did this last month to a bunch of their customers in the US. The Crowdstrike thing could happen to anyone, really. Maybe turning everything into an IoT device was a bad idea. My washing machine keeps asking to connect to WiFi (!), what the fuck are we doing

Agammamon
5 months ago

> where the update can be done on the fly and over the air can be told to brick the system, no?

Yep. Even happens unintentionally a lot too – firmware update with a bug that bricks your appliance.

johnnybonk
5 months ago

It is entirely normal and sensible for manufacturers to do this, and they would only harm themselves if they did malicious things. And suppose for instance that there was a grand falling out with China – well I am fairly sure that our engineers could get those buses (or whatever) up and running again quickly. Indeed buses would be fairly high priority, higher than private cars and much higher than Christmas lights controllers or whatever.
This is a non-story.
