this post was submitted on 05 Nov 2025
92 points (100.0% liked)


Authorities in Denmark are urgently studying how to close an apparent security loophole in hundreds of Chinese-made electric buses that enables them to be remotely deactivated.

The investigation comes after transport authorities in Norway, where the Yutong buses are also in service, found that the Chinese supplier had remote access for software updates and diagnostics to the vehicles' control systems – which could be exploited to affect buses while in transit.

[–] HowRu68@lemmy.world 19 points 21 hours ago* (last edited 21 hours ago) (2 children)

I wonder how this procurement was done, and who was responsible. Obviously, they never really checked the buses for security issues, or they were wrongly informed. How much will this investigation and updates cost, and would, with hindsight, a different choice have been better and cheaper? If so, someone in procurement has been swayed, bought off or was very misguided.

[–] poVoq@slrpnk.net 33 points 21 hours ago* (last edited 21 hours ago) (2 children)

Online updates and remote diagnostics are usually an advertised feature and might even have been a selling argument as it appears to save costs in maintenance... until the Polish vendor turns off their trains because the operator dared to try to repair them themselves (yes that is not a "Chinese" problem).

[–] HowRu68@lemmy.world 8 points 21 hours ago* (last edited 20 hours ago)

About the Polish case.

"Digging into the code revealed a software trap that would disable trains if they were anywhere near a repair facility that wasn't run by the manufacturer, Newag. But Newag used a pretty inaccurate way to determine when the trains were in a rival repair shop, which led to some unexpected consequences."

I don't think this is what the problem with the buses is about. Of course, on-the-fly update and remote features are probably more advanced. But if a third party (country) has 100% control, that means you don't have any.

[–] randomname@scribe.disroot.org 5 points 13 hours ago* (last edited 12 hours ago) (1 children)

No, this is not a 'Chinese' problem, but as a European I would rather have this problem with a European supplier than with a Chinese supplier for having control over the trains on the continent (or my car, or any technology).

[–] poVoq@slrpnk.net 4 points 8 hours ago (1 children)

I don't see how that makes a big difference. As the Polish example clearly shows, the laws right now are inadequate to deal with this and it took 3rd party hackers to reverse-engineer it after the company extorted significant amounts of money from the operator to re-enable the trains. And the icing on the cake is that now these hackers are in court, not the company.

And from an IT security perspective, it doesn't matter much to an attacker if the remote operated backdoor to shut down these busses is put there by a Chinese or European company (which would likely be using Chinese tech for that anyways).

[–] randomname@scribe.disroot.org 3 points 8 hours ago* (last edited 7 hours ago) (1 children)

it doesn't matter much to an attacker if the remote operated backdoor to shut down these busses is put there by a Chinese or

It does matter, one major reason being that the European supplier operates under European jurisdictions and is easier to be held accountable.

European company (which would likely be using Chinese tech for that anyways).

Wherever that's the case, it must apparently be changed, one major reason being national security (the same reason why China is blocking European and other non-Chinese vendors in its domestic markets, btw).

[Edit typo.]

[–] poVoq@slrpnk.net 2 points 7 hours ago* (last edited 7 hours ago) (1 children)

Accountable based on what laws? The real issue is that these things are perfectly legal regardless of who does it and that there is also almost no way to hold a supplier accountable for software security breaches (besides the fact that it is too late then anyways).

[–] randomname@scribe.disroot.org 2 points 7 hours ago (1 children)

Accountable based on what laws?

On the laws we have in European democracies that can be changed and adapted as needed (unlike in China, where this can't be done).

[–] poVoq@slrpnk.net 2 points 7 hours ago (1 children)

Ok so you agree that there is a need to make laws here in Europe about it and subject any supplier to them regardless of where their HQ is located? No need to answer that 😅

[–] randomname@scribe.disroot.org 1 points 6 hours ago (1 children)

In principle I'd agree, but I have a nitpick: The laws must say that those that built infrastructure must be European countries with their HQ in Europe (not foreign-owned subsidiaries with European HQ).

[–] poVoq@slrpnk.net 1 points 6 hours ago (1 children)

That would be likely incompatible with WTO agreements and usually leads to local quasi monopolists charging absurd prices to government run service providers. And it wouldn't solve the likely issue of European companies buying the needed software and hardware from abroad anyway.

[–] randomname@scribe.disroot.org 1 points 1 hour ago (1 children)

Do you have anything that fosters your statements?

That aside, China has been doing exactly that for decades, and this practice has intensified in recent years and even months.

[–] poVoq@slrpnk.net 1 points 52 minutes ago (1 children)

Europe isn't China. It would be pointless to turn Europe into a quasi-China to prevent Chinese influence on Europe. Just like it is pointless to create European tech giants as a counter to US American ones.

[–] randomname@scribe.disroot.org 1 points 47 minutes ago

What does that mean? And what has it to do with the linked report and what I said? This makes no sense.

[–] bstix@feddit.dk 3 points 6 hours ago (1 children)

The way it was done in this case was by ITT offers.

The company Movia, which is owned by the public municipalities and regions, put out a request for busses, including the requirements.

Once the request is out there, they usually do have to accept the cheapest offer that fulfills the requirements, unless there are special situations.

So, the requirements probably didn't account for this remote controlled thing. Responsibility should be placed at the board of the company.

It would be interesting to read the original request. The terms are usually quite strict, which can also be a problem, for instance if nobody can fulfill them or if the requirements are too specific so only one company can make an offer etc.

Maybe they're more lax in the company than if it had been a direct purchase from the municipality. It's quite unusual to see any Chinese suppliers for this sort of thing, because they don't pay their employees enough. It's standard terms in all public purchases that suppliers must have employment terms on level with local Danish union workers in the same sectors.

Just another reminder of why it's not a good idea to privatize public infrastructure..

[–] HowRu68@lemmy.world 1 points 4 hours ago (1 children)

So, the requirements probably didn't account for this remote controlled thing.

Probably, something like this. But if there was a procurement interview with a Q&A it should've been discussed, imo. I wonder if the tech people got a say.

[–] bstix@feddit.dk 2 points 2 hours ago* (last edited 2 hours ago)

Oh they were warned from the defence department a few years ago. It's been an ongoing process since 2019. Other politicians also made an inquiry about how much it would cost to choose European suppliers in July this year, which showed that equivalent busses from Europe would cost up to 36 million dkk more and that European companies couldn't actually deliver. At least we know what the savings were, so the question is just what the fix will cost..

I wouldn't be surprised if the current news is more about the upcoming election than anything. The city busses aren't that critical in Copenhagen. They have trains, trams and metros too and everything is in bicycle distance, so shutting down the busses would be a minor inconvenience to most people. It's not really a serious threat. Also, there really isn't a threat. It's only a potential in worst case scenario fan fiction.

[–] B0rax@feddit.org 5 points 6 hours ago* (last edited 6 hours ago) (1 children)

Over the air updates and remote diagnostics are both things that are sold as features and are often even requested by the transportation companies.

To be honest I am a bit surprised that they are surprised this exists.

To be completely honest: there are even ECE regulations regarding software updates over the air.

This is nothing new and nothing special. Almost all vehicles these days are connected to their manufacturer.

Also regarding deactivating this „feature“. It is usually quite simple, just unplug the connectivity ECU.

[–] AAA@feddit.org 1 points 42 minutes ago

To be honest I am a bit surprised that they are surprised this exists.

Guess they didn't request this feature. Not this way at least

[–] kepix@lemmy.world 2 points 2 hours ago

must be hard to whitelist their own system, and blacklist outside data