Yutong electric public buses in S’pore can’t be controlled remotely by Chinese manufacturer: LTA

SINGAPORE – The 20 electric public buses made by Yutong on Singapore’s roads cannot be remotely controlled by the Chinese manufacturer, the Land Transport Authority (LTA) said on Nov 17.

The buses also do not support over-the-air software updates, LTA added in response to The Straits Times’ questions about the cyber security of such buses, following a report by Norwegian public transport operator Ruter.

Ruter said in late October that tests on the electric buses suggested that Yutong could remotely turn them off.

“This could be exploited to affect the bus,” its report said. The operator now plans to introduce stricter security requirements and step up anti-hacking measures.

The 20 Yutong buses in Singapore have been operating smoothly on public bus services in Singapore since 2020, LTA said.

Yutong buses here are used by public bus operators Tower Transit Singapore, Go-Ahead Singapore and SMRT, according to Land Transport Guru, an independent website focusing on Singapore’s public transport system.

Acknowledging Ruter’s report, LTA said: “We note Yutong’s public clarification that its buses cannot be remotely controlled or deactivated.”

It noted that Yutong said the data collected is used solely for vehicle maintenance and to improve performance.

“Where there are electric buses with over-the-air updates elsewhere, they are carried out only with the operator’s explicit approval and do not affect vehicle control systems,” LTA said.

The authority said the electric buses it procures must comply with international regulations that require manufacturers to roll out secure design, risk management and software update management processes throughout the vehicle’s lifespan.

LTA also requires that its contractors take strict data protection measures.

LTA said it will work closely with all bus suppliers and follow up with the necessary checks to ensure that risks associated with external connectivity are properly mitigated. It has met Yutong and other electric bus-makers, BYD and Zhongtong.

Yutong’s website states that the company has sold nearly 110,000 buses to more than 100 countries across Europe, Africa, Latin America and the Asia-Pacific region.

Ruter said it will introduce stricter security requirements and step up anti-hacking measures following its tests in August, which suggested that Yutong had access to the buses’ control systems for software updates and diagnostics.

The tests – in which the buses were driven in underground mines to strip away external signals – were conducted on brand-new Yutong buses and on three-year-old vehicles from Dutch bus manufacturer VDL.

Ruter said the tests showed that the Dutch buses did not have the ability to conduct over-the-air software updates, while the Chinese-made buses did.

The Guardian reported that the UK will also investigate whether hundreds of Chinese-made buses can be controlled remotely by their manufacturers, and whether buses made by Yutong could be vulnerable to interference. This comes amid increasing concerns over Beijing’s involvement in British infrastructure, the report said.

Denmark also opened an investigation after the Norwegian findings.