As modern buses become increasingly connected, new cybersecurity and operational risks have emerged—especially when manufacturers are able to deliver remote software updates directly to vehicles. Recent findings from Europe have highlighted how Over-The-Air (OTA) update systems, while convenient for maintenance, can also create pathways for unintended access to critical onboard systems.
Norwegian public transport operator Ruter raised concerns in late October 2025, and their findings attracted coverage from media organisations around the world. It was brought to local attention through a Channel NewsAsia article published on 6 November 2025.
Norway: OTA Capability as a Cyber Risk
In mid-2025, Ruter conducted cybersecurity tests on two electric buses inside an underground mine to eliminate external signals. One was a brand-new Yutong bus from China, and the other, a three-year-old VDL bus from the Netherlands.
The Yutong bus, equipped with the capability for autonomous software updates (also known as Over-The-Air updates), allowed the manufacturer to push software updates and run diagnostics remotely. Furthermore, access to the bus’ battery and power supply control system was enabled via a mobile network link through a Romanian SIM card, which meant that—in theory—the bus could be stopped or rendered inoperable remotely through that networked connection.
On the other hand, the VDL bus lacked over-the-air update capabilities and thus presented fewer remote-access risks.
With these findings, Ruter reported the issues to local and national authorities. Although removing the SIM card would eliminate remote-access risks, it would also disconnect other systems. Ruter also said it was taking measures against these vulnerabilities, and it planned to bring in stricter cybersecurity requirements for future procurements.
Denmark: Similar concerns over OTA buses
Danish authorities have also taken the matter seriously. Movia, Denmark’s largest public transport agency, runs 469 Chinese-made electric buses, including 262 manufactured by Yutong. The Danish Emergency Management Agency (Samsik) considers the potential for remote interference credible, even though Movia has not reported any known instances of buses being deactivated remotely.
Yutong’s Response
In comments to The Guardian, a Yutong spokesperson stated that the company complies fully with local laws and industry standards wherever its vehicles operate. It clarified that vehicle data from the EU is stored in an AWS data centre in Frankfurt and is used “solely for vehicle-related maintenance, optimisation and improvement to meet customers’ after-sales service needs”.
According to Yutong, all data is protected through encryption and access controls, and no one may access it without customer authorisation.
Singapore Implications
Singapore’s land transport sector is classified as an essential service. Under the Transport Sector (Critical Firms) Act 2024, Public Transport Operators SBS Transit and SMRT Buses are “Designated Entities” that must maintain service continuity under all circumstances, including national crises. This places a high emphasis on operational resilience and cybersecurity across the entire bus fleet.
As buses become increasingly connected, the introduction of Over-The-Air (OTA) software update capabilities introduces a new class of vulnerabilities. While beneficial for software updates, diagnostics and maintenance, these remote access channels could theoretically disrupt bus operations if compromised. Such disruptions would have outsized consequences for a public transport-reliant Singapore.
While there have been no known cases of buses being maliciously disabled through OTA systems, the possibility alone is sufficient to warrant heightened precautions.
As of 6 November 2025, modern electric buses form only a small portion of Singapore’s fleet. The Land Transport Authority (LTA) has yet to issue public statements on the risks posed by OTA updates to local public buses.
External Links & References
- Norway tests show Chinese-made electric buses can be halted remotely by manufacturer – CNA [Accessed 6 Nov 2025]
- Ruter | We have conducted a comprehensive safety test of electric buses [Accessed 6 Nov 2025]
- Danish authorities in rush to close security loophole in Chinese electric buses | Denmark | The Guardian [Accessed 6 Nov 2025]
- MOT | Transport Sector (Critical Firms) Act [Accessed 6 Nov 2025]
- SIA, SBS Transit, PSA among 19 key transport entities to face greater controls under new law | The Straits Times [Accessed 6 Nov 2025]