Authorities in Denmark are urgently studying how to close an apparent security loophole in hundreds of Chinese-made electric buses that enables them to be remotely deactivated.
The investigation comes after transport authorities in Norway, where the Yutong buses are also in service, found that the Chinese supplier had remote access for software updates and diagnostics to the vehicles’ control systems – which could be exploited to affect buses while in transit.
Their investigations found that remote deactivation could be prevented by removing the buses’ sim cards, but they decided against this because it would also disconnect the bus from other systems.
the Chinese supplier had remote access for software updates and diagnostics to the vehicles’ control systems
this feels like what every tech company is doing nowadays?
Yeah, but when it’s chinese companies doing it, it becames a problem. China bad, after all
We used to have vehicles that didn’t need over the air updates for over a century. If they had a problem then a technician could simply perform an onsite diagnostic. Why the hell are we keeping them in a network like they’re computers or no longer supported IoT dongles?
Location tracking, diagnostics, statistics, security. Etc. it’s not a bad idea… for a bus. Less desirable IMO for a personal car.
This issue is that the manufacturer, or any third party, just has full access. Specifically China, who has a long history of being shady in tech.
Anything government related should really be on a closed system, even if it’s “wireless”
All of this stuff could be open source and hardware verifiable with arduinos but no, let’s outsource it to china
Exactly.
Location tracking, diagnostics, statistics, security. Etc. it’s not a bad idea… for a bus.
There’s no good reason for any of that to be updated while the bus is on the road. It should be done at a service location.
Also no good reason for it top be connected to the canbus or have any control or even monitoring of vehicle systems.
A GPS tracker needs access to power, that’s it.
Yes an over the air update without being in maintenance mode should not happen in any vehicle. In fact, I think there should be a hardware switch to prevent this.
The simplest solution is to just restrict software updates to direct physical access, and put the USB port or whatever behind a locked service panel.
If the software can’t be infiltrated remotely, then there won’t be any security issues that are so urgent they need to be patched in the middle of a shift, they can wait for a maintenance stop.
The good reason is that this way, they can click a button and push the update to hundreds of buses at once, instead of having to have them all come in one by one. That’s a huge number of man-hours.
Some of these people never had to manage a fleet of computers.
A vehicle shouldn’t be part of a ‘fleet of computers’ period.
I have experience managing multiple network systems with user-facing endpoints. That’s irrelevant.
Nothing critical on a passenger-carrying vehicle should be remotely managed and it definitely should be frozen while the bus is in active service. The last thing a crowded bus in motion needs is the lights randomly going out because someone decided it was time for a patch install.
The right choice from a security and safety perspective is for any wireless interfaces on the vehicle to be read-only - they can send data out (like current location). Pushing software changes should require direct physical access, and should only work if the vehicle is parked. Anything else is a stupid unnecessary risk.
Won’t somebody think of the savings?
Key Points
Jeep Wrangler 4xe models crippled by faulty UConnect over-the-air software update.
Issues caused vehicles to lose power leaving owners stranded.
Incident exposes risks and inadequate testing in modern software-defined vehicles.
https://www.autoblog.com/news/jeeps-latest-software-update-can-disable-your-suv
