Post
The most thought provoking article I have read this week:
A Norwegian bus company wants to know if their buses could be abused by China in the case of war.
So they drive two buses deep into a limestone mine to isolate them from the internet and forensically investigate how they work.
In the mine, investigators discover a Chinese kill switch which could destroy all Chinese buses.
In Denmark, that is 57 percent of the bus fleet.
Source (Danish):
@randahl The most thought-provoking thing about this article is that it highlights the absolutely wild level of sinophobia in scandinavia.
My wife's Volvo has remote firmware update functionality, is that a Swedish killswitch? Every one of the tens of thousands of Teslas in Denmark has remote update functionality, is that an American killswitch? Modern BMWs have remote update functionality, are those German killswitches?
I personally hate the techbroization of modern cars, and I believe that every one of these features should be regulated out of existence, but
it's amazing how this kind of stuff is accepted and normal in every part of our lives until a company based in China does it, and suddenly it's "😱 THE CHINESE GOVERNMENT HAS KILLSWITCHES IN OUR BUSSES 😱"
🙄
@randahl And this is why I would never, ever own a Chinese vehicle and am migrating away from all electronics made in China.
@randahl I bet f-35 has a kill switch. When USA attacks Greenland and you turn the ignition key, only the dashboard warning light comes on.
@randahl Digital sovereignty and stories about people ditching the "smart-home" idea looks with new colors?
@randahl since most tech is made in China... I imagine most devices may also have this!
@randahl They should check the 43% of their busses that aren't from China, too
@randahl I just wrote a similar article about Israel banning Chinese cars from the military...
@randahl Can they do the same thing with the other bus types they have? I don't see why a Chinese government having the ability to disrupt bus traffic is different from any other foreign government having the ability to disrupt bus traffic.
@randahl do busses really need to be connected to the internet?
however attractive that seems, the possibility (actuality, in this case) of remote interference makes it too costly.
same for everything else, too. does my fridge need to be? my tv?
@randahl That is disturbing. It is not going to help sales
@randahl They didn’t find a kill switch. What they found was a built-in SIM card - something that's legally required in some countries and present in most modern vehicles - and the ability to perform OTA updates, which is also standard today. And yes, any modern connected vehicle can technically be disabled through a software update if the manufacturer chooses to do so.
@randahl wait until they learn who owns their IT systems
huawei suspected of kill switch in routers
dji drones suspected of kill switch
e-cars suspected of kill switch
vacuums suspected of mapping
WHEN DO NATIONS START DEMANDING OS SOVEREIGNTY?
(not expensive or complicated: it's called open source software and linux)
PS: the expensive and complicated part?
EDUCATING VOTERS TO VOTE FOR IT
Version of the story from The Guardian.
Danish authorities in rush to close security loophole in Chinese electric buses https://www.theguardian.com/world/2025/nov/05/danish-authorities-in-rush-to-close-security-loophole-in-chinese-electric-buses
@kcarr2015 It is so funny for us Danes to see the politicians panicking now.
For years, Danish security experts warned about this, but most politician arrogantly rejected this as paranoia.
There was a tv-show were a politician from Venstre arrogantly said: "It is okay to fear wars and such, but one cannot fear a computer".
@klegdixal insane! Thank you for that update.
@randahl yup. That SLAPP is indeed insane.
Dunno if this was brought up, this time a Chinese smart vacuum.
https://cybernews.com/security/engineer-finds-backdoor-implanted-in-robot-vacuum/
@randahl
To be fair: All Tesla's, and probably many other EV's on the market today have this same functionality.
It's not a "kill switch" directly, it's that the busses support OTA with full admin-rights directly from the manufacturer without user envolvement that could theoretically be used as a kill switch.
Now, if you read further on the "Lion Cage" project, that is scary shit.
@randahl I wonder how long it'll take to uncover something similar with trains built by CRRC.
@randahl Sorry, unless we suddenly start to take non-elective OTA updates without safeguards such as independently reviewed, reproducible source code builds as the theoretical but very possible general threat that they are, I fail to see how this is special. Even more so because @briankrebs boosted it.
Vendor-forced OTA updates are an accepted practice. Attack the practice, not the practitioner.
@danimo I think you are missing a crucial point: Over-the-air updates is a general practices, yes, but there is a vast difference between getting over-the-air updates from allies, and getting over-the-air updates from a country which supports Russia's invasion of Europe.
@briankrebs
@randahl To be fair, my ten year old north american GM car has the same kind of remote "kill switch" vulnerability. It's there as a feature of the OnStar theft protection package that came with the car even though I'm not paying for it.
If the U.S. regime wanted to take over Canada, it could (potentially) order car companies to disable nearly every car and truck we have.
#autos #theftprotection #ElbowsUp
@randahl well, translation does not sound that scary and specific:
> " The Chinese electric bus contains a computer that, among other things, controls the bus's battery and engine, so the bus can most efficiently drive around Oslo. And this computer is – via a small sim card – on the Internet, so it can send information and sometimes retrieve an update back. For yes, a bus can be updated in exactly the same way as your phone."
TL;DR: remote tracking and updates which can be used maliciously
@randahl others are correct saying that this seems to be common practice, but it's not good and we shouldn't just take it. We, no matter if a country or a person, should OWN what they buy, without the possibility of the seller to change that after the fact!
@randahl I read the article - they did not find an actual kill switch. They found that it could be updated remotely, to install a kill switch - not quite the same thing
Not the first time “rogue devices, including cellular radios, were discovered in Chinese-made power inverters“ https://m.economictimes.com/news/international/global-trends/what-is-chinese-kill-switch-found-in-equipment-at-us-solar-firms-trigger-national-security-fears-/amp_articleshow/121440168.cms @randahl
@randahl
In other good news: Now it's known how to disable buses in China.
@randahl "Destroy" here means "make unusable via an OTA software update". Not any better than "destroy", of course.
@randahl wow! clever investigation, thanks for this eye opener. I'm sure it is the same here in Aotearoa
it's almost as if trading with terrorist states was a bad idea in the first place.
@falcennial "Who would have thought buying products from evil super villains could be a problem?"
@randahl Lex Luthored ourselves
@falcennial "Those imperial TIE Fighters are so well priced. Let's strike a deal with Darth Vader!"
@randahl
Isn't this a well known practice? Isn't Tesla doing the same with OTA sw updates, performance monitoring et.c. of the vehicles they manufacture?
But, I guess, we are all conditioned to see #US #technofascism as more acceptable, for some reason.
@65dBnoise I do not consider that acceptable at all. That is why I would never buy a Tesla.
I think @65dBnoise has a point. I’m pretty sure the same sort of feature is built into nearly every “smart” lightbulb and “smart TV.” The issue is not the nationality of the software developer. It’s the whole notion of being dependent on some cloud service, generally.
If the authors think war is the only reason the company would use that kill switch (or even the most likely reason) try repairing a bus with unapproved parts or trying to make unauthorised modifications to the software running on the bus. Or maybe just try not paying the bill.
@randahl
A Norwegian bus company wants to know if their buses could be abused by China in the case of war.
in the mine, investigators discover a Chinese kill switch which could destroy all Chinese buses.
BOLLOX
Thank you for replicating the ridiculous accusations. A sim card and update box was found.
That system is used in thousands of buses, trains, cars, tesla for example can be switched off from usa as can john deer tractors.
@randahl If google or apple can update software in my phone while I sleep I *have been hacked* :p
@randahl
Kill switches are fantastic folks. The question is only about who controls the switch.
-- When the owner of the asset can control the kill, it is a boon for privacy, anti theft, and pro security.
-- When an adversary controls it, it is coercive, malicious, dangerous and predatory.
Thanks for sharing this.
As much as I like tec, in spite of my decades of using it (I started as a mainframe op in the 1970s), I think we've let the horse bolt through the barn doors.
@randahl Or if you "own" an F35 and the Orange Leader of Trumpistan decides it won't fly where you want it to go. Or fires it's missiles for you...
@randahl Sad story, Alstom Aptis was manufacturing good electrical buses in Alsace, France, but due to low demand, they cease activities in 2021.
European Union countries should give priority to EU products so that OUR companies don't close and to prevent sad surprises.
@randahl
European option:
"The extensive network of IVECO BUS and IVECO service points guarantees support wherever a vehicle is operating worldwide. The manufacturer employs more than 5,000 people and has five factories, located in Annonay and Rorthais in France, in Vysoké Myto in the Czech Republic, and in Brescia and Foggia, in Italy."
https://www.ivecobus.com/france/La-Marque
Tl;Dr
Chinese electric buses have independent outgoing Comms that are used for navigation and OTA updates.
These updates could be designed to disable the vehicle (or they could do it by accident).
As others have noted, pretty much all electronic devices (from doorbell cams and printers to trains and combat aircraft) from all manufacturers (western and Chinese) have this issue.
Good to check and worthwhile developing processes to firewall, monitor and control this access.
@Tallish_Tom @randahl or, as it the case in things like NPP, just do not connect things to the www when it is design, build, operate and maintain for a defined and local usage. Costly, polluting, risky for ar the end ~zero added value
@randahl Now I wonder which car built in the last five years is not connected to the internet and can receive commands from it.
@randahl Reminds me of Polish train manufacturer bricking their trains located close to independent repair shops.
So far, the only people suffering for this decision are the people that helped unbrick the trains in question.
This is not a China phenomenon but a greed one. Not to say that Chinese government doesn’t enjoy the results, just that I doubt they had to actively instruct anyone to include these kill switches.
Peraphs not..
We must ask ourself where this suspious comes from? I've get you a clue in the interview linked below.
@randahl
The existence of a kill switch is one thing, but what's more fundamental here in the case of a bus is why on earth it has to be connected to the public internet in the first place?
It just doesn't make sense.
@shadowdancer @randahl They need to access the operator's network, so dispatchers know where each vehicle is (and this information can also feed real-time tracking for travelers). Outside of cities you cannot use radio as it would be too expensive and unreliable, the most practical solution is to use the public GSM network.
The issue at play here is the reliance on proprietary third-party software, usually packages that combine both dispacher software and ticket handling. These include remote updates (you cannot have maintenance technicians or drivers run around with computers or even USB drives, it's not practical), so unless you have full control and full trust over that software your fleet now has remote kill switches.
One solution is to make all the required software in-house, but most public transports operators are too small to handle such development and the associated costs. LeTEC in Belgium has been doing this for the past 15 years, for a fleet of 3000 vehicles. It's a lot of work.
What we need is a pan-european cooperative to build these systems for all operators.
@shadowdancer I believe it had a SIM card embedded within it. Which could make sense for other onboard communication to the operator.
@randahl with reference to some comments below, the USA is far worse on this topic. They call it intelectual property rights. Which makes you hand over all the sensor data of the John Deer plough, seeder or harvester to the USA mothership. Which is then sold to hedge funds to hedge against the price of the harvest you as a farmer have invested in and worked hard for. So your farm data is used by biljonairs to increase their wealth at the expense of the farmers https://doctorow.medium.com/about-those-kill-switched-ukrainian-tractors-bc93f471b9c8i
@randahl
Here's another article about this in German:
@randahl What! 🤨 How would the switch destroy the bus? What's the trick?
@thierry_van_kerm for instance, systems that download software updates, could potentially download a software update which deliberately contains errors.
@randahl @thierry_van_kerm which is also a risk even if the supplier is honest. It's how the Russians destroyed a whole load of satellite kit just before Ukraine kicked off. Compromise the vendor downloads and ship firmware that physically burns the flash memory. At that point it's probably a PCB swap to restore for most users. A PCB that won't be stocked in bulk, probably uses components no longer manufactured and cannot trivially be mass manufactured again.
@randahl Is this really surprising?
And, btw, don't you think the US (or Russia) don't do the same?
Time for Europeans to grow up, to stand up and get their balls unleashed from whoever hold them tight! 🙂
@randahl Not just China doing this. I remember https://arstechnica.com/tech-policy/2023/12/manufacturer-deliberately-bricked-trains-repaired-by-competitors-hackers-find/
It is generally not a good idea to give others control over apparatuses that you own.
@randahl there is a little thing called a specification when you buy something. You need to be absolutely sure you have full control over your technology you own.
Some people might find open hardware and open source guys annoying but this what they talk about.
@randahl To be honest: I'd love a broad scale analysis of this. Few days ago it as a vacuum cleaner, now buses...
Test this in all things. From mobile phones to cars (don't care if Chinese, US or German), smart beds (well... actually leave these ones out. Who buys a bed that needs internet?!), switches, routers, water pumps, ....
I bet they'll find stuff in too many places.
@jesterchen I would like all hospital equipment to be tested.
@randahl US made John Deere tractors also have a kill switch and it has been used to disable some of them (in this case tractors stolen by Russian troops) remotely:
(EDIT: this was also mentioned briefly in the Danish article linked above)
@randahl "Wer Billig kauft, kauft zweimal" ... means "Who buys cheap, buys twice"
A space for Bonfire maintainers and contributors to communicate
