Security Concerns Over Chinese-Made Electric Buses in Australia

Yutong buses are widely used across Australia, with 90 vehicles in the ACT following a 2023 order, 26 in NSW, four in Brisbane, and trials underway in South Australia. Security experts in advanced economies have raised alarms about the growing prevalence of Chinese-made cars, batteries, and solar panels, warning they could increase the West's vulnerability during a potential conflict with Beijing.

Alastair MacGibbon, chief strategy officer at CyberCX and former cybersecurity adviser to Prime Minister Malcolm Turnbull, stated that electric buses, like other Chinese-made products, require constant connectivity with their manufacturer. He highlighted integrity concerns, noting the manufacturer could disable features such as self-driving and battery management at any time. "Other countries have stopped their governments from purchasing them and not allowing private use of these things. The Australian government has not," he said.

A spokeswoman for Vehicle Dealers International (VDI), the official distributor of Yutong buses in Australia, clarified that the model tested in Norway is not sold or operating in Australia. In Australia, VDI performs updates in person rather than remotely. "VDI does not enable or use [over-the-air capabilities] on Australian-delivered buses," she said, adding that software updates are done at authorized service centres or customer depots with operator consent. Remote connectivity is used only for health reporting, alerts, and customer-initiated comfort scheduling, with no remote control of acceleration, steering, or braking.

However, MacGibbon countered that regardless of the bus model, internet-connected vehicles have cameras, microphones, and other tools that could be accessed by the manufacturer. "Confidentiality in a Chinese-made vehicle does not exist," he asserted, suggesting Beijing could direct the manufacturer to take action.

Transport for NSW acknowledged awareness of international reports regarding potential vulnerabilities in some bus technologies and has incorporated them into active risk assessments. "At this stage, Transport has not identified any evidence that buses in the NSW fleet can be remotely disabled," a spokesman said. Similarly, Transport Canberra confirmed that over-the-air updates are disabled on their Yutong fleet, with software updates performed in a controlled environment.

Yutong stated compliance with local laws and regulations, noting that vehicle terminal data in Australia is stored at the AWS data centre in Sydney, protected through encryption and access controls. "No one is allowed to unlawfully access or view the data without customer authorisation," the statement said.

Australians are increasingly switching to EVs and other internet-connected cars, with features like remote control apps and infotainment screens. By 2021, there were 1.2 million internet-connected vehicles on the road, and by 2031, they are forecast to make up 93% of new cars sold, raising broader cybersecurity questions for the future of transportation.