I work in rail safety. Two major non-Chinese train companies attempted to merge a few years ago, explicitly to build a company that could compete with China's national company, and provide safer alternatives to state-sponsored cyberhacking of Western rail.
It fell down to an anti-monopoly decision by a single person in the EU ministry, who killed the proposal. Several attempts were made to streamline the merger, but she wouldn't budge.
As a result, CRCC continues to win contracts abroad, largely (it is believed) by undercutting competition. IP theft is known to be one objective of their at-loss or low-profit contracts (I've been involved in fighting that, specifically).
It's hardly a stretch to imagine that having control of the rail in countries that might oppose you militarily is strategically huge.
This article is about busways, but the parallels are obvious.
About a year ago a Polish rail equipment supplier brought a lawsuit over a locomotive because it was serviced by a third-party, and the service was enabled by jailbreaking software in the locomotive.
Surveillance tech in products doesn't necessarily imply grey zone warfare. But that doesn't make it a good thing either.
I'm not sure this comment does justice to the situation.
Poland put out a separate bid for manufacturing and servicing of their locomotives and one company won the manufacturing bid while another won the servicing bid.
The servicing company was unable to get the trains into working order and after hiring hackers accused the manufacturing company of bricking the software on purpose by including geo-fences where the trains would no longer work after arriving at the servicing company's property.
Perhaps the interesting part to me was Dragon Sector's (the hackers) claims that the software needs to be blessed so although they discovered problems they never changed anything because they don't have the authority to bless it and heavily imply that the fact that the manufacturing company is changing the software at will is illegal.
The changes by the manufacturing company had an (undisclosed) activation sequence added to it so you didn't need to modify the software in order to get the train working so the servicing company never actually modified the software.
The west is too lax on some of these officials. People like this should be thoroughly investigated. China is flagrantly breaking the rules of the WTO that the west has set up, having state backed companies, and these people are either purposefully or unintentionally undermining the west's efforts to fight back.
The European champion would still be ten times smaller than the Chinese but would have factual monopoly in Europe. I don’t think blocking the merger was entirely unreasonable.
The parent comment is describing a scenario where the Chinese company may get a factual monopoly in Europe because it can outcompete the two European companies due to economies of scale.
I'm with you on this. I feel like too much boogeyman-ing and FUD scaremongering is taking place on the cover of "China evil and has giants" in order to justify breaking anti-monopoly laws and allowing our own monopolies to form under this justification, that will only benefit shareholders of those companies but eventually harm European consumers via lack of innovation due to lack of competition, price gouging and the European workers via the inevitable layoffs that follow such mergers.
If you have two large, slow, bureaucratic and uncompetitive companies, then merging them together won't make the resulting giant less so, but the contrary, it'll be even more inefficient and uncompetitive, and then expect government bailouts because now they're too big to fail.
The problem with "oh, but wait, this merger actually improves competition" is that mergers are a contagion. A large competitor's mere existence creates an economic imperative for more mergers. This happens both horizontally (across multiple firms) and vertically (up and down the supply chain). When you get big, you can start stripping your vendors and customers of their profit margin, which means they need to get big to compensate. Even if a merger might have positive competitive effects, it still spreads the contagion. Which is a problem, because anyone who doesn't or can't get big will get fucked. That includes individual consumers and workers.
If the problem is that Chinese companies are shipping train firmware with backdoors, then you need to ban those companies. Problem is, given the Newag situation[0], I don't think they can actually do this at the level of individual procurements. So they need specific EU directives banning this behavior and explicitly adding a process by which procurement can ban suppliers for prior noncompliance. What facilitating an illegal merger will do is reduce the EU's bargaining power with industry, ensuring that we get more backdoored trains and more risk.
[0] Short version: they got caught shipping firmware that bricks the train if you take it to a third-party repair shop, even though the contract specifically mandated Newag provide repair manuals. EU agencies and member states do not have the power to disqualify Newag from future tenders for failing to adhere to prior ones, so they keep winning contracts
So put 70% anti dumping duties (tariffs) on CRCC trains like they did with ebikes?
This will hopefully get fixed with software audits necessary for compliance under the NIS2 directive. Thank you China for making the EU fix the problem with more regulation, ensuring that only the big boys can comply.
> Two major non-Chinese train companies attempted to merge
Siemens (Germany) and Alstom (France)
> It fell down to an anti-monopoly decision by a single person in the EU ministry, who killed the proposal
Margrethe Vestager, the European Commissioner for Competition at the time (2019). At the time of the decision, she said "No Chinese supplier has ever participated in a signaling tender in Europe or delivered a single very high speed train outside China. There is no prospect of Chinese entry in the European market in the foreseeable future." This has since been proven to be a bad prognostication, as China Railway Signal & Communication (CRSC) is actively deploying its ETCS Level 2 signaling system on the Budapest–Beograd railway line in Hungary[1]; and China has delivered trains to Serbia, leased trains to Austria's Westbahn, acquired German locomotive manufacturer Vossloh Locomotives, and participated in a public tender in Bulgaria for electric trains.
She is no longer in that position. She has as of 2024 become "tough on China,"[2] acknowledging mistakes made in the past and touting how "China came to dominate the solar panel industry... and is running the same game now, across strategic industries including electric vehicles, wind turbines and microchips."
She now says Biden's IRA was a mistake, that Europe has been de-industrializing and that is not a good thing, and that Europe has been too afraid to impose tariffs on China out of fear of retaliation from China.
It sounds remarkably similar to the MAGA playbook on trade and re-industrialization.
That's falling somewhat short of admitting she alone fucked that situation up. The US and Canada had already given permission for the merge to bypass antitrust laws.
Honestly I couldn't care less considering how scummy our train making companies are, I'm fine with Chinese selling trains on a loss for pieces of paper. It's their problem if they want to build them and ship them for pennies, their loss.
Our companies meanwhile are all turning into John Deere, and I'm glad the merger was blocked.
The security part, obviously I do care but this article says very little about it.
What's sad is Norway sits right next to the country which manufactures Scania and Volvo Busses, but instead buys busses from thousands of km away. I suppose cost is all that matters these days, even for national infrastructure which must remain in control and secure.
I know for a fact that at least one of those companies also installs SIM cards in all their busses.
The only difference is who could potentially use the backdoor, and yes Sweden seems slightly less poised to attack Norway than China. At least these days. Because, let's face it, the Swedes owned Norway back in the day and them wanting their oil-rich lucky cousin back at home is deranged but not as much as the Chinese wanting the fjords....
So... did the Chinese company put Romanian SIMs in the busses? Or was it an importer that installed those? Are there fleet management features enabled by that connectivity or are they actually secret?
Also, why would they purchase busses that they thought couldn't be remotely monitored or controlled?! That seems like a very valuable feature for public transport.
To me this smells of rather basic economic/political propaganda to scare people. The collective west is clearly getting orders from high above to apply pressure on China and it may just be that this is part of it, spreading an air of concern and fear to dissuade other people who pay attention to this kind of thing in municipalities to avoid Chinese manufacturers. It's rather basic social engineering that has the ham fist of "intelligence" all over it.
That's averages, but Norway has hot summer days too. Factor in thinner atmosphere (more UV), lower sun angles, over 20h days and you get more warmth with less average temperature.
And those buses stink like inside of a plastic factory. Never been to a plastic factory, but rode these buses. And the smell is strong even a year into use. Makes you wonder if China has same rules for carcinogenic plastic in consumer goods.
Ruter operates in and around Oslo where temperatures are higher than average. Anyway some of the old (diesel?) buses had broken heating and were heating even if it was warm outside. These are still an improvement.
All I can say is that shivers go down my spine what could happen if one of those OEM's that have remote updates possible would get their keys compromised. You could brick hundreds of thousands of vehicles. I would be scared shitless to store those things.
Here, an article (from June 2025) about Chinese buses full of cameras and other sensors driven regularly inside secret Norwegian army bases. Those buses are to be used during a war or a crisis.
>The transport operator stressed there is no evidence of misuse but said the discovery moves concerns “from suspicion to concrete knowledge”. (...) The case comes as Chinese electric buses are increasingly adopted across global markets,
If a state wants to hide strategic "war/espionage" control, they don't use eSims and open mobile communications, trivially discoverable and traceable. Sounds like some bs "IoT" / telemetry shit manufacturers are shoving down our throats for over a decade.
The other side is feigning shock at common industry practices (don't all Teslas require a net connection for example), to paint it as some unique issue, and kill their sales. In other words, just another episode in the trade war.
Not unlike the DJI drones, which added all kinds of shit because the regulators demanded it, and then they act surprised that it has that shit...
I do worry if they are adding this to buses what are they doing to MacBooks and your phone? Do people here think these devices are compromised or should we take Apple’s word for it!?
The biggest concern I have is with cheap PC accessories, wireless routers and smarthome equipment. Also solar power inverters with their online tracking apps. In case of war, all of these would be remotely weaponized, IMHO.
> They’re probably one of the most hated companies in the world
By techies.
That’s like adding “In Mice,” to headlines of biological breakthroughs.
It’s quite clear that a fairly significant majority of customers don’t hate Apple. They aren’t “brand slaves,” like Harley riders (anymore), but people clearly vote with their wallets.
Microsoft always had the “My work requires it” thing going, but only a couple of industries are majority Apple.
Like it or not, people pay personal money for Apple kit, and they are a demographic that marketers drool over.
Although TSMC might be able to compromise it, Apple's hardware security is good enough that it is very unlikely that any supplier in China can compromise it. All data outside the SOC is encrypted.
It's all the other stuff made in China that is the worry, not the stuff designed by Apple, or Google.
Ah, and they never review iPhones/Android phones after Israeli companies demonstrated they can backdoor any cellphone on this planet, and especially after they demonstrated they can explode consumer devices and maim 3000+ people overnight.
They don’t review Windows machines either after the Snowden revelations.
How many wars did the Chinese start in the past century?
1929 – Sino-Soviet Conflict (Chinese Eastern Railway) — ROC authorities moved to seize the CER in Manchuria; the USSR responded militarily. (Initiation: ROC seizure.)
1954–1955 – First Taiwan Strait Crisis — PRC began large-scale shelling of Kinmen/Matsu and amphibious operations (e.g., Yijiangshan). (Initiation: PRC artillery/offensives.)
1958 – Second Taiwan Strait Crisis — PRC opened intense bombardment of Kinmen/Matsu. (Initiation: PRC artillery.)
1962 – Sino-Indian War — PRC launched major offensives in October after a series of frontier incidents. (Initiation: PRC large-scale attack; India calls it unprovoked, PRC says “counter-attack.”)
1967 – Nathu La & Cho La clashes (India border) — Firefights erupted while India was fencing the pass; Chinese forces are generally assessed to have fired first at Nathu La. (Initiation: PRC fire in initial clash.)
1969 – Sino-Soviet Border Conflict — PLA ambushed Soviet troops on Zhenbao/Damansky Island in March; further clashes followed. (Initiation: PRC ambush.)
1974 – Battle of the Paracel Islands (vs South Vietnam) — PLAN/PLA forces expelled RVN units and took full control of the Paracels. (Initiation: PRC naval attack in contested area.)
1979 – Sino-Vietnamese War — PRC invaded northern Vietnam in February. (Initiation: PRC cross-border invasion.)
1984–1989 – Sino-Vietnamese Border War (post-1979 phase) — PRC mounted periodic offensives and artillery duels (e.g., Laoshan/Johnson Mountain). (Initiation: multiple PRC attacks in a protracted conflict.)
1988 – Johnson South Reef Skirmish (Spratlys, vs Vietnam) — PLAN engaged Vietnamese forces and seized the reef. (Initiation: PRC assault during standoff.)
Internal (civil/unification campaigns)
1926–1928 – Northern Expedition — ROC (KMT) launched a national unification war against warlords. (Initiation: ROC campaign.)
1930–1934 – Encirclement Campaigns against the Chinese Soviet — ROC initiated successive large operations against CCP base areas. (Initiation: ROC offensives.)
1949–1950 – Hainan & Zhoushan/Coastal-Islands Campaigns — PRC amphibious operations against ROC-held islands during the civil war endgame. (Initiation: PRC landings.)
1950–1951 – Tibet (Chamdo campaign → occupation) — PLA entered eastern Tibet and compelled the Seventeen-Point Agreement. (Initiation: PRC invasion; PRC frames as “peaceful liberation.”)
> If these were esims they would be much harder to detect or remove?
It's not clear in the article how exactly they discovered it, but by the text that mentions it, I do get the impression they just came across the SIM ports/cards themselves:
> internal tests at a secure facility found Romanian SIM cards inside the buses
But it could also have been that they put the entire bus in a giant Faraday cage (or similar) and tried to see if it emits anything. If they did that, then eSIM or SIM wouldn't have mattered, nor where on the bus it was, they'd eventually see it. But if they just physically came across it, then maybe eSIMs would allow them to place them in less accessible areas. But then maybe that wouldn't matter anyways, if the SIM cards are permanently attached anyways.
Bottom line, hopefully wouldn't have made a difference.
A local group of security people have been running a weekend project they call Project Lion Cage where they take Chinese cars into a local mine with spectrum analyzers etc. to watch where they send data and so on. This is how the bus was evaluated as well. Tor Indstøy has quite a few posts on his LinkedIn page talking about the work and what they have found.
If your transport is accessible remotely, it can be hacked remotely.
This reminds me of that story about Polish Trains. In that case GPS was used to execute a kill code.
https://social.hackerspace.pl/@q3k/111528162462505087
let's see, a modern bus has, woooooo, connectivity, woooooo, on basically everything, woooooo, so some manager can obsess over oil filters or the voltage on the lighting circuit, and the sixteen antennas advertised in the brochure were, in fact installed
really, wtf?, it's not like anybody is unaware that something like 10 billion things are connected to the net, and dozens, ? hundreds, of actors are doing their best to slurp up every last scrap of data, ha!, that they can
the worst part is that it would be no surprise to find out that the bus comes with a monitoring contract that is in effect.
next it will be cranes all sensored up to detect cable stretch or who knows what
and didn't china just go ahead and hack the pentagon, but wooooo, Norwegian bus hacking
wooooo
For obvious reasons, non-CBTC trains are not remotely controllable (CBTC essentially means "remotely driven"). It's all or nothing; either a safety system that inherently accepts the risk, or no way to remotely control the speed, short of fully stopping the train.
If modern cars have been fully remotely controllable for years, why can't police stop often-deadly car chases?
Ditto on air traffic control and small planes; many don't even have in-plane automatic pilots. AFAIK no ultralights ever do.
Most boats are not remotely controllable; even the large container ship that recently damaged a major US bridge didn't.
>If modern cars have been fully remotely controllable for years, why can't police stop often-deadly car chases?
They want to retain the power of discretionary action. If the powers that be employed their 1984 stuff all the time over trivial things people wouldn't support them. Part of this means they don't give the beat cops those toys.
Also, there's a difference between "can be" and "are". Like there's god knows how many numbers of compatibility layers and intermediary systems I bet even if the capability exists it's broken more often than it's not. Diverse software systems take a ton of constant work to maintain.
During the "last years of XP" era you probably could have theoretically taken down half the world's industry on paper but if you tried to do so at scale without literal years of prep and testing you'd have been foiled by the 50% of machines where your payload just didn't work for some obscure reason.
The tests done on the buses showed that they can be stopped as well as otherwise controlled remotely from China. This is way more than diagnostics, and remote control is _not_ something which is common in road vehicles.
I wasn't aware of that, thanks. But still, if you go buy a car right now, I doubt they are going to make it a sales pitch that you are not the only one who can control your car.
The changes by the manufacturing company had an (undisclosed) activation sequence added to it so you didn't need to modify the software in order to get the train working so the servicing company never actually modified the software.
https://www.youtube.com/watch?v=XrlrbfGZo2k
https://www.ifixit.com/News/112008/polish-train-maker-is-sui...
The European champion would still be ten times smaller than the Chinese but would have factual monopoly in Europe. I don’t think blocking the merger was entirely unreasonable.
The parent comment is describing a scenario where the Chinese company may get a factual monopoly in Europe because it can outcompete the two European companies due to economies of scale.
Euro/North American, but still smaller than China's company.
Your second sentence is quite a jump, however: "It won't be as big, so there's no point in trying to compete at all."
Also it would probably be 5x as corrupt.
The things you see in EU public tenders is just amazing, especially when there's little to no competition.
Logistics in war is essential so it’s not a stretch. You can easily extend that line of thought to anything from drones to cars.
Yes easily, like how they use all the public transit buses at the frontlines of ukraine
Did anyone investigate this person to see if she’s being bought by any “Foreign” Gov’t?
Don't attribute to malice what can adequately be explained by ignorance.
[1]https://www.railwaygazette.com/infrastructure/china-railway-...
[2]https://www.politico.eu/newsletter/brussels-playbook/vestage...
Thank you for the details.
> ...acknowledging mistakes made in the past "
That's falling somewhat short of admitting she alone fucked that situation up. The US and Canada had already given permission for the merge to bypass antitrust laws.
So... did the Chinese company put Romanian SIMs in the busses? Or was it an importer that installed those? Are there fleet management features enabled by that connectivity or are they actually secret?
Also, why would they purchase busses that they thought couldn't be remotely monitored or controlled?! That seems like a very valuable feature for public transport.
The fleet management features that lead to the review are documented and were easily disabled.
Good questions!
Surprisingly Norway chose this brand, never had a good ride in one, feels like sitting in a water boiler.
Maybe not so surprising as Norway summer temp averages get into mid 60s F (18C) at the warmest.
All I can say is that shivers go down my spine what could happen if one of those OEM's that have remote updates possible would get their keys compromised. You could brick hundreds of thousands of vehicles. I would be scared shitless to store those things.
Forget bricking them. How about driving their batteries to overheat? An entire fleet across a city enflamed...
https://en.wikipedia.org/wiki/Speed_(1994_film)
Not sure that would be possible on demand, but... Yeah, there are tons of options there. Absolutely terrifying.
For context, for a short while I wrote SW for auto BCM's albeit the security stuff not the drive your batteries stuff.
Whatever happened with the Polish trains that had all the backdoors that were discovered?
It doesn't matter, the point was to get the scare story out.
Ah, but you see, domestic enshittification and anti-consumer actions are different from the foreign influence boogeyman. \s
https://www.aftenposten.no/norge/i/Vz7LA6/forsvarets-kinesis...
Here, an article (from June 2025) about Chinese buses full of cameras and other sensors driven regularly inside secret Norwegian army bases. Those buses are to be used during a war or a crisis.
>The transport operator stressed there is no evidence of misuse but said the discovery moves concerns “from suspicion to concrete knowledge”. (...) The case comes as Chinese electric buses are increasingly adopted across global markets,
If a state wants to hide strategic "war/espionage" control, they don't use eSIMs and open mobile communications, trivially discoverable and traceable. Sounds like some bs "IoT" / telemetry shit manufacturers have been shoving down our throats for over a decade.
The other side is feigning shock at common industry practices (don't all Teslas require a net connection, for example), to paint it as some unique issue, and kill their sales. In other words, just another episode in the trade war.
Not unlike the DJI drones, which added all kinds of shit because the regulators demanded it, and then they act surprised that it has that shit...
https://uavcoach.com/dji-ban/#7
Edward Snowden
Related out of Denmark:
Danish authorities in rush to close security loophole in Chinese electric buses
https://www.theguardian.com/world/2025/nov/05/danish-authori...
I do worry if they are adding this to buses what are they doing to MacBooks and your phone? Do people here think these devices are compromised or should we take Apple’s word for it!?
The biggest concern I have is with cheap PC accessories, wireless routers and smarthome equipment. Also solar power inverters with their online tracking apps. In case of war, all of these would be remotely weaponized, IMHO.
Very much on topic:
- https://www.theregister.com/2021/02/12/supermicro_bloomberg_...
- https://www.wired.com/story/gigabyte-motherboard-firmware-ba...
Soooo, yeah.
Do you seriously think Apple wouldn’t notice? They’re probably one of the most hated companies in the world, millions are itching to see them fail.
> They’re probably one of the most hated companies in the world
By techies.
That’s like adding “In Mice,” to headlines of biological breakthroughs.
It’s quite clear that a fairly significant majority of customers don’t hate Apple. They aren’t “brand slaves,” like Harley riders (anymore), but people clearly vote with their wallets.
Microsoft always had the “My work requires it” thing going, but only a couple of industries are majority Apple.
Like it or not, people pay personal money for Apple kit, and they are a demographic that marketers drool over.
So where will they get Macs or iPhones made if they found out there was some shenanigans going on?
And that other place, with the CLOUD Act.
Although TSMC might be able to compromise it, Apple's hardware security is good enough that it is very unlikely that any supplier in China can compromise it. All data outside the SOC is encrypted.
It's all the other stuff made in China that is the worry, not the stuff designed by Apple, or Google.
Of course they're compromised, by Apple, to comply with UK law.
Well, only in the UK. If you have the (banned in the UK) ADP on, as far as people know it’s not compromised.
Ah, and they never review iPhones/Android phones after Israeli companies demonstrated they can backdoor any cellphone on this planet, and especially after they demonstrated they can explode consumer devices and maim 3000+ people overnight.
They don’t review Windows machines either after the Snowden revelations.
How many wars did the Chinese start in the past century?
Glad you asked
- 1929 – Sino-Soviet Conflict (Chinese Eastern Railway) — ROC authorities moved to seize the CER in Manchuria; the USSR responded militarily. (Initiation: ROC seizure.)
- 1954–1955 – First Taiwan Strait Crisis — PRC began large-scale shelling of Kinmen/Matsu and amphibious operations (e.g., Yijiangshan). (Initiation: PRC artillery/offensives.)
- 1958 – Second Taiwan Strait Crisis — PRC opened intense bombardment of Kinmen/Matsu. (Initiation: PRC artillery.)
- 1962 – Sino-Indian War — PRC launched major offensives in October after a series of frontier incidents. (Initiation: PRC large-scale attack; India calls it unprovoked, PRC says “counter-attack.”)
- 1967 – Nathu La & Cho La clashes (India border) — Firefights erupted while India was fencing the pass; Chinese forces are generally assessed to have fired first at Nathu La. (Initiation: PRC fire in initial clash.)
- 1969 – Sino-Soviet Border Conflict — PLA ambushed Soviet troops on Zhenbao/Damansky Island in March; further clashes followed. (Initiation: PRC ambush.)
- 1974 – Battle of the Paracel Islands (vs South Vietnam) — PLAN/PLA forces expelled RVN units and took full control of the Paracels. (Initiation: PRC naval attack in contested area.)
- 1979 – Sino-Vietnamese War — PRC invaded northern Vietnam in February. (Initiation: PRC cross-border invasion.)
- 1984–1989 – Sino-Vietnamese Border War (post-1979 phase) — PRC mounted periodic offensives and artillery duels (e.g., Laoshan/Johnson Mountain). (Initiation: multiple PRC attacks in a protracted conflict.)
- 1988 – Johnson South Reef Skirmish (Spratlys, vs Vietnam) — PLAN engaged Vietnamese forces and seized the reef. (Initiation: PRC assault during standoff.)

Internal (civil/unification campaigns)
- 1926–1928 – Northern Expedition — ROC (KMT) launched a national unification war against warlords. (Initiation: ROC campaign.)
- 1930–1934 – Encirclement Campaigns against the Chinese Soviet — ROC initiated successive large operations against CCP base areas. (Initiation: ROC offensives.)
- 1949–1950 – Hainan & Zhoushan/Coastal-Islands Campaigns — PRC amphibious operations against ROC-held islands during the civil war endgame. (Initiation: PRC landings.)
- 1950–1951 – Tibet (Chamdo campaign → occupation) — PLA entered eastern Tibet and compelled the Seventeen-Point Agreement. (Initiation: PRC invasion; PRC frames as “peaceful liberation.”)
If these were esims they would be much harder to detect or remove?
BYD electric busses have recently rolled out where I live in Sweden.
> If these were esims they would be much harder to detect or remove?
It's not clear in the article how exactly they discovered it, but by the text that mentions it, I do get the impression they just came across the SIM ports/cards themselves:
> internal tests at a secure facility found Romanian SIM cards inside the buses
But it could also have been that they put the entire bus in a giant Faraday cage (or similar) and tried to see if it emits anything. If they did that, then eSIM or SIM wouldn't have mattered, nor where on the bus it was; they'd eventually see it. But if they just physically came across it, then maybe eSIMs would allow them to place them in less accessible areas. But then maybe that wouldn't matter anyways, if the SIM cards are permanently attached anyways.
Bottom line, hopefully wouldn't have made a difference.
A local group of security people have been running a weekend project they call Project Lion Cage where they take Chinese cars into a local mine with spectrum analyzers etc. to watch where they send data and so on. This is how the bus was evaluated as well. Tor Indstøy has quite a few posts on his LinkedIn page talking about the work and what they have found.
Press release (Norwegian): https://www.mynewsdesk.com/no/ruter/pressreleases/ruter-tar-...
"But it could also have been that they put the entire bus in a giant Faraday cage"
And that's what they did. If that was necessary for the conclusions is not said in the article. Only that the remote access could
The conclusion by the team was that the buses can be remotely stopped or bricked by the manufacturer.
If your transport is accessible remotely, it can be hacked remotely. This reminds me of that story about Polish Trains. In that case GPS was used to execute a kill code. https://social.hackerspace.pl/@q3k/111528162462505087
When the next Petya-class worm hits, IoT is going to be so very painful.
Personally, I'd like to skip over all of the buildup and go straight to hoverboard mafia pizza delivery.
Go full Snow Crash - I can think of several current world leaders who need "Poor Impulse Control" tattooing on their foreheads.
I need to re-read that book, one of my all time favourites.
This 10 year old article may be of interest if you are into stuff like that: https://illmatics.com/Remote%20Car%20Hacking.pdf
that's why Intelites are more clever. their "easter eggs" aren't so easy to find... deep in the 2^64-bitspace
NB: Title shortened for length
Wait until they found out about John Deere, Tesla or any other car with eCall.
Let's see, a modern bus has, woooooo, connectivity, woooooo, on basically everything, woooooo, so some manager can obsess over oil filters or the voltage on the lighting circuit, and the sixteen antennas advertised in the brochure were, in fact, installed, really, wtf? It's not like anybody is unaware that something like 10 billion things are connected to the net, and dozens, ? hundreds, of actors are doing their best to slurp up every last scrap of data, ha!, that they can. The worst part is that it would be no surprise to find out that the bus comes with a monitoring contract that is in effect.
Next it will be cranes all sensored up to detect cable stretch or who knows what.
And didn't China just go ahead and hack the Pentagon, but wooooo, Norwegian bus hacking wooooo.
You never know when they might need to send the repo man.
The life of a repo man is always intense.
This is just stupid. All modern vehicles have been fully remote controllable for years.
100% false.
For obvious reasons, non-CBTC trains are not remotely controllable (CBTC essentially means "remotely driven"). It's all or nothing; either a safety system that inherently accepts the risk, or no way to remotely control the speed, short of fully stopping the train.
If modern cars have been fully remotely controllable for years, why can't police stop often-deadly car chases?
Ditto on air traffic control and small planes; many don't even have in-plane automatic pilots. AFAIK no ultralights ever do.
Most boats are not remotely controllable; even the large container ship that recently damaged a major US bridge didn't.
>If modern cars have been fully remotely controllable for years, why can't police stop often-deadly car chases?
They want to retain the power of discretionary action. If the powers that be employed their 1984 stuff all the time over trivial things people wouldn't support them. Part of this means they don't give the beat cops those toys.
Also, there's a difference between "can be" and "are". Like there's god knows how many numbers of compatibility layers and intermediary systems I bet even if the capability exists it's broken more often than it's not. Diverse software systems take a ton of constant work to maintain.
During the "last years of XP" era you probably could have theoretically taken down half the world's industry on paper, but if you tried to do so at scale without literal years of prep and testing you'd have been foiled by the 50% of machines where your payload just didn't work for some obscure reason.
If the internet has all the information and you are on the internet, why don't you know this already?
Can you help me find the mechanism that remotely engages the clutch on my truck?
I fully agree. If these were buses from any other country, this would not be an issue.
Every road vehicle sold today has a sim card, most for diagnostics, some for remote control.
The tests done on the buses showed that they can be stopped as well as otherwise controlled remotely from China. This is way more than diagnostics, and remote control is _not_ something which is common in road vehicles.
Having "a sim card" is less than saying your car "has an on-board computer". In no way does that imply remote control.
Even you admit that most of them aren't for remote control, so what are you agreeing with?
The issue was the eSIMs identified were not disclosed by Yutong, which clearly falls afoul of procurement and cybersecurity regulations.
I wasn't aware of that, thanks. But still, if you go buy a car right now, I doubt they are going to make it a sales pitch that you are not the only one who can control your car.