Cybersecurity Alarm Over Chinese Electric Buses on Australian Roads

Concerns are growing over Chinese-made Yutong electric buses operating in Australia, after Norway and Denmark raised red flags about potential cybersecurity vulnerabilities in similar models.

Norwegian operator Ruter recently conducted tests revealing that Yutong Group had remote access to its buses’ control systems for diagnostics and software updates — theoretically allowing the manufacturer to shut down or manipulate the vehicle remotely.

Australia Uses the Same Manufacturer’s Buses

Yutong, one of the world’s largest electric bus makers, has supplied over 1,500 vehicles to Australia since 2012, according to its local distributor VDI Australia. Of these, around 133 are low-floor city buses and about a dozen are electric charter coaches.

VDI clarified that in Australia, software updates are carried out physically at service centres rather than remotely, unlike in Europe. A Yutong spokesperson also stated that the bus model under review in Norway is not the same as those operating in Australia.

Experts Warn of Broader ‘Connected Vehicle’ Risks

Despite assurances, cybersecurity specialists argue the risks go beyond any single model. Alastair MacGibbon, Chief Strategy Officer at CyberCX and former head of the Australian Cyber Security Centre, said all connected vehicles — especially electric ones — inherently pose risks due to their reliance on cloud connectivity for updates and data exchange.

“They can degrade or disable systems remotely. The issue isn’t about where they’re made, but who controls them,” he explained, stressing that Chinese companies remain under the legal jurisdiction of the Chinese Communist Party.

MacGibbon urged the Australian government to consider restricting Chinese-made electric vehicles from government properties and official fleets, warning that “our largest trading partner is also our largest cyber threat.”

Defence Department and Yutong Respond

A Defence Department spokesperson said Australia’s military bases use a layered security approach, integrating personnel, contractors, and law enforcement to mitigate risks from potential cyber threats.

Yutong, meanwhile, maintained that it complies with Australian privacy and data protection laws. The company said its vehicles in Australia cannot be remotely controlled in terms of acceleration, steering, or braking.

“Operational data is sent securely to the AWS data centre in Sydney, and no one can access or view customer data without authorisation,” Yutong stated.

‘All Imported Smart Devices Should Be Tested’

Cybersecurity expert and former FBI special agent Dr Dennis Desmond, from the University of the Sunshine Coast, warned that uncertainty around data collection and transmission remains a major concern.

He said any smart or connected device — including electric buses — used by government, defence, or contractors could present a national security risk.

Dr Desmond added that all imported smart systems should undergo thorough cybersecurity assessments before being approved for public or government use, especially given Australia’s reliance on foreign-made EV technology.

Public Transport Contracts Under Scrutiny

Yutong’s presence in Australia continues to expand. Transport Canberra signed a deal in 2023 for 90 Yutong E12 electric buses, with the first deliveries beginning in mid-2024. The company also operates workshops in Sydney, Melbourne, Brisbane, Perth, and Cairns.

While Yutong insists its data practices are secure, experts say the controversy highlights the urgent need for national cybersecurity standards across all electric and connected vehicles operating in Australia.