I work in rail safety. Two major non-Chinese train companies attempted to merge a few years ago, explicitly to build a company that could compete with China's national company, and provide safer alternatives to state-sponsored cyberhacking of Western rail.
It fell down to an anti-monopoly decision by a single person in the EU ministry, who killed the proposal. Several attempts were made to streamline the merger, but she wouldn't budge.
As a result, CRCC continues to win contracts abroad, largely (it is believed) by undercutting competition. IP theft is known to be one objective of their at-loss or low-profit contracts (I've been involved in fighting that, specifically).
It's hardly a stretch to imagine that having control of the rail in countries that might oppose you militarily is strategically huge.
This article is about busways, but the parallels are obvious.
The European champion would still be ten times smaller than the Chinese but would have factual monopoly in Europe. I don’t think blocking the merger was entirely unreasonable.
I'm with you on this. I feel like too much boogye-man-ing and FUD is taking place on the basis of "China evil and has giants" in order to justify breaking anti-monopoly laws and allowing our own monopolies to form under this justification, that will only benefit shareholders of those companies but eventually harm European consumers via lack of innovation due to lack of competition, price gouging and the European workers via the inevitable layoffs that follow such mergers.
If you have two large, slow, bureaucratic and uncompetitive companies, then merging them together won't make them less so, but the contrary.
> Two major non-Chinese train companies attempted to merge
Siemens (Germany) and Alstom (France)
> It fell down to an anti-monopoly decision by a single person in the EU ministry, who killed the proposal
Margrethe Vestager, the European Commissioner for Competition at the time (2019). At the time of the decision, she said "No Chinese supplier has ever participated in a signaling tender in Europe or delivered a single very high speed train outside China. There is no prospect of Chinese entry in the European market in the foreseeable future." This has since been proven to be a bad prognostication, as China Railway Signal & Communication (CRSC) is actively deploying its ETCS Level 2 signaling system on the Budapest–Beograd railway line in Hungary[1]; and China has delivered trains to Serbia, leased trains to Austria's Westbahn, acquired German locomotive manufacturer Vossloh Locomotives, and participated in a public tender in Bulgaria for electric trains.
She is no longer in that position. She has as of 2024 become "tough on China,"[2] acknowledging mistakes made in the past and touting how "China came to dominate the solar panel industry... and is running the same game now, across strategic industries including electric vehicles, wind turbines and microchips."
She now says Biden's IRA was a mistake, that Europe has been de-industrializing and that is not a good thing, and that Europe has been too afraid to impose tariffs on China out of fear of retaliation from China.
It sounds remarkably similar to the MAGA playbook on trade and re-industrialization.
That's falling somewhat short of admitting she alone fucked that situation up. The US and Canada had already given permission for the merge to bypass antitrust laws.
So... did the Chinese company put Romanian SIMs in the busses? Or was it an importer that installed those? Are there fleet management features enabled by that connectivity or are they actually secret?
Also, why would they purchase busses that they thought couldn't be remotely monitored or controlled?! That seems like a very valuable feature for public transport.
Whats sad is Norway sits right next to the country which manufactures Scania and Volvo Busses, but instead buys busses from thousands of km away. I suppose cost is all that maters these days, even for national infrastructure which must remain in control and secure.
Ruter operates in and around Oslo where temperatures higher than average. Anyway some of old (diesel?) buses had broken heating and were heating even if it was warm outside. These are still improvement.
All I can say is that shivers go down my spine what could happen if one of those OEM's that have remote updates possible would get their keys compromised. You could brick hundreds of thousands of vehicles. I would be scared shitless to store those things.
Ah, and they never review iPhones/Android phones after Israeli companies demonstrated they can backdoor any cellphone on this planet, and especially after they demonstrated they can explode consumer devices and maim 3000+ people overnight.
They don’t review Windows machines either after the Snowden revelations.
How many wars did the Chinese start in the past century?
>The transport operator stressed there is no evidence of misuse but said the discovery moves concerns “from suspicion to concrete knowledge”. (...) The case comes as Chinese electric buses are increasingly adopted across global markets,
If a state wants to hide strategic "war/espionage" control, they don't use eSims and open mobile communications, trivially discoverable and traceable. Sounds like some bs "IoT" / telemetry shit manufactures are shoving down our throats for over a decade.
The other side is feigning shock at common industry practices (don't all Tesla's require a net connection for example), to paint it as some unique issue, and kill their sales. In other words , just another episode in the trade war.
Not unlike the DJI drones, which added all kinds of shit because the regulators demanded it, and then they act surprised that it has that shit...
I do worry if they are adding this to buses what are they doing to MacBooks and your phone? Do people here think these devices are compromised or should we take Apple’s word for it!?
The biggest concern I have is with cheap PC accessories, wireless routers and smarthome equipment. Also solar power inverters with their online tracking apps. In case of war, all of these would be remotely weaponized, IMHO.
Although TSMC might be able to compromise it, Apple's hardware security is good enough that it is very unlikely that any supplier in China can compromise it. All data outside the SOC is encrypted.
If your transport is accessible remotely, it can be hacked remotely.
This reminds me of that story about Polish Trains. In that case GPS was used to execute a kill code.
https://social.hackerspace.pl/@q3k/111528162462505087
> If these were esims they would be much harder to detect or remove?
It's not clear in the article how exactly they discovered it, but by the text that mentions it, I do get the impression they just came across the SIM ports/cards themselves:
> internal tests at a secure facility found Romanian SIM cards inside the buses
But it could also have been that they put the entire bus in a giant Faraday cage (or similar) and tried to see if it emits anything. If they did that, then eSIM or SIM wouldn't have matter, nor where on the bus it was, they'd eventually see it. But if they just physically came across it, then maybe eSIMs would allow them to place them in less accessible areas. But then maybe that wouldn't matter anyways, if the SIM cards are permanently attached anyways.
Bottom line, hopefully wouldn't have made a difference.
A local group of security people have been running a weekend project they call Project Lion Cage where they take Chinese cars into a local mine with spectrum analyzers etc. to watch where they send data and so on. This is how the bus was evaluated as well. Tor Indstøy has quite a few posts on his LinkedIn page talking about the work and what they have found.
For obvious reasons, non-CBTC trains are not remotely controllable (CBTC essentially means "remotely driven"). It's all or nothing; either a safety system that inherently accepts the risk, or no way to remotely control the speed, short of fully stopping the train.
If modern cars have been fully remotely controllable for years, why can't police stop often-deadly car chases?
Ditto on air traffic control and small planes; many don't even have in-plane automatic pilots. AFAIK no ultralights ever do.
Most boats are not remotely controllable; even the large container ship that recently damaged a major US bridge didn't.
>If modern cars have been fully remotely controllable for years, why can't police stop often-deadly car chases?
They want to retain the power of discretionary action. If the powers that be employed their 1984 stuff all the time over trivial things people wouldn't support them. Part of this means they don't give the beat cops those toys.
Also, there's a difference between "can be" and "are". Like there's god knows how many numbers of compatibility layers and intermediary systems I bet even if the capability exists it's broken more often than it's not. Diverse software systems take a ton of constant work to maintain.
During the "last years of XP" era you probably could have theoretically taken down half the world's industry on paper but if you tried to do so at scale without literal years of prep and testing you'd have been foiled by the 50% of machines where you payload just didn't work for some obscure reason.
The tests done on the buses showed that they can be stopped as well as otherwise controlled remotely from China. This is way more than diagnostics, and remote control is _not_ something which is common in road vehicles.
I wasn't aware of that, thanks. But still, if you go buy a car right now, I doubt they are going to make it a sales pitch that you are not the only one who can control your car.
"You can't have busses roaming around with no way to turn them off remotely."
Hm? Not a single bus on the road in my city can be turned off remotely. There's never been one ever, since bus transport started. So why should, no, must, that be a feature of new buses?
I’m pretty sure turning off the bus is something the bus driver can do. It’s not like buses were wildly roaming around before cellular networks were invented…
Do you imagine some benevolent authority sits in your town with a finger on the kill switch for every vehicle in motion?
If it were in the specs from the beginning, there would be no issue. This isn't a "click here to accept" thing; multiple people scan the technical data in these projects.
I work in rail safety. Two major non-Chinese train companies attempted to merge a few years ago, explicitly to build a company that could compete with China's national company, and provide safer alternatives to state-sponsored cyberhacking of Western rail.
It fell down to an anti-monopoly decision by a single person in the EU ministry, who killed the proposal. Several attempts were made to streamline the merger, but she wouldn't budge.
As a result, CRCC continues to win contracts abroad, largely (it is believed) by undercutting competition. IP theft is known to be one objective of their at-loss or low-profit contracts (I've been involved in fighting that, specifically).
It's hardly a stretch to imagine that having control of the rail in countries that might oppose you militarily is strategically huge.
This article is about busways, but the parallels are obvious.
The European champion would still be ten times smaller than the Chinese but would have factual monopoly in Europe. I don’t think blocking the merger was entirely unreasonable.
Euro/North American, but still smaller than China's company.
Your second sentence is quite a jump, however: "It won't be as big, so there's no point in trying to compete at all."
I'm with you on this. I feel like too much boogye-man-ing and FUD is taking place on the basis of "China evil and has giants" in order to justify breaking anti-monopoly laws and allowing our own monopolies to form under this justification, that will only benefit shareholders of those companies but eventually harm European consumers via lack of innovation due to lack of competition, price gouging and the European workers via the inevitable layoffs that follow such mergers.
If you have two large, slow, bureaucratic and uncompetitive companies, then merging them together won't make them less so, but the contrary.
Logistics in war is essential so it’s not a stretch. You can easily extend that line of thought to anything from drones to cars.
Did anyone investigate this person to see if she’s being bought by any “Foreign” Gov’t?
Don't attribute to malice what can adequately be explained by ignorance.
Results matter.
That seems like a cliché happily championed by the malicious.
> Two major non-Chinese train companies attempted to merge
Siemens (Germany) and Alstom (France)
> It fell down to an anti-monopoly decision by a single person in the EU ministry, who killed the proposal
Margrethe Vestager, the European Commissioner for Competition at the time (2019). At the time of the decision, she said "No Chinese supplier has ever participated in a signaling tender in Europe or delivered a single very high speed train outside China. There is no prospect of Chinese entry in the European market in the foreseeable future." This has since been proven to be a bad prognostication, as China Railway Signal & Communication (CRSC) is actively deploying its ETCS Level 2 signaling system on the Budapest–Beograd railway line in Hungary[1]; and China has delivered trains to Serbia, leased trains to Austria's Westbahn, acquired German locomotive manufacturer Vossloh Locomotives, and participated in a public tender in Bulgaria for electric trains.
She is no longer in that position. She has as of 2024 become "tough on China,"[2] acknowledging mistakes made in the past and touting how "China came to dominate the solar panel industry... and is running the same game now, across strategic industries including electric vehicles, wind turbines and microchips."
She now says Biden's IRA was a mistake, that Europe has been de-industrializing and that is not a good thing, and that Europe has been too afraid to impose tariffs on China out of fear of retaliation from China.
It sounds remarkably similar to the MAGA playbook on trade and re-industrialization.
[1]https://www.railwaygazette.com/infrastructure/china-railway-...
[2]https://www.politico.eu/newsletter/brussels-playbook/vestage...
Thank you for the details.
> ...acknowledging mistakes made in the past "
That's falling somewhat short of admitting she alone fucked that situation up. The US and Canada had already given permission for the merge to bypass antitrust laws.
So... did the Chinese company put Romanian SIMs in the busses? Or was it an importer that installed those? Are there fleet management features enabled by that connectivity or are they actually secret?
Also, why would they purchase busses that they thought couldn't be remotely monitored or controlled?! That seems like a very valuable feature for public transport.
The fleet management features that lead to the review are documented and were easily disabled.
Good questions!
Whats sad is Norway sits right next to the country which manufactures Scania and Volvo Busses, but instead buys busses from thousands of km away. I suppose cost is all that maters these days, even for national infrastructure which must remain in control and secure.
Surprisingly Norway choose this brand, never had a good ride in one, feels like sitting in a water boiler.
Maybe not so surprising as Norway summer temp averages get into mid 60s F (18C) at the warmest.
Ruter operates in and around Oslo where temperatures higher than average. Anyway some of old (diesel?) buses had broken heating and were heating even if it was warm outside. These are still improvement.
All I can say is that shivers go down my spine what could happen if one of those OEM's that have remote updates possible would get their keys compromised. You could brick hundreds of thousands of vehicles. I would be scared shitless to store those things.
Forget bricking them. How about driving their batteries to overheat? An entire fleet across a city enflamed...
Whatever happened with the Polish trains that had all the backdoors that were discovered?
Ah, and they never review iPhones/Android phones after Israeli companies demonstrated they can backdoor any cellphone on this planet, and especially after they demonstrated they can explode consumer devices and maim 3000+ people overnight.
They don’t review Windows machines either after the Snowden revelations.
How many wars did the Chinese start in the past century?
>The transport operator stressed there is no evidence of misuse but said the discovery moves concerns “from suspicion to concrete knowledge”. (...) The case comes as Chinese electric buses are increasingly adopted across global markets,
If a state wants to hide strategic "war/espionage" control, they don't use eSims and open mobile communications, trivially discoverable and traceable. Sounds like some bs "IoT" / telemetry shit manufactures are shoving down our throats for over a decade.
The other side is feigning shock at common industry practices (don't all Tesla's require a net connection for example), to paint it as some unique issue, and kill their sales. In other words , just another episode in the trade war.
Not unlike the DJI drones, which added all kinds of shit because the regulators demanded it, and then they act surprised that it has that shit...
https://uavcoach.com/dji-ban/#7
I do worry if they are adding this to buses what are they doing to MacBooks and your phone? Do people here think these devices are compromised or should we take Apple’s word for it!?
Very much on topic:
- https://www.theregister.com/2021/02/12/supermicro_bloomberg_... - https://www.wired.com/story/gigabyte-motherboard-firmware-ba...
Soooo, yeah.
The biggest concern I have is with cheap PC accessories, wireless routers and smarthome equipment. Also solar power inverters with their online tracking apps. In case of war, all of these would be remotely weaponized, IMHO.
Although TSMC might be able to compromise it, Apple's hardware security is good enough that it is very unlikely that any supplier in China can compromise it. All data outside the SOC is encrypted.
Do you seriously think Apple wouldn’t notice? They’re probably one of the most hated companies in the world, millions are itching to see them fail.
So where will they get Mac’s or iPhones made if they found out there was some shenanigans going on?
Of course they're compromised, by Apple, to comply with UK law.
Well only in the UK, if you have the -banned in the UK- ADP on as far as people know it’s not compromised
If your transport is accessible remotely, it can be hacked remotely. This reminds me of that story about Polish Trains. In that case GPS was used to execute a kill code. https://social.hackerspace.pl/@q3k/111528162462505087
This 10 year old article may be of interest if you are into stuff like that: https://illmatics.com/Remote%20Car%20Hacking.pdf
If these were esims they would be much harder to detect or remove?
BYD electric busses have recently rolled out where I live in Sweden.
> If these were esims they would be much harder to detect or remove?
It's not clear in the article how exactly they discovered it, but by the text that mentions it, I do get the impression they just came across the SIM ports/cards themselves:
> internal tests at a secure facility found Romanian SIM cards inside the buses
But it could also have been that they put the entire bus in a giant Faraday cage (or similar) and tried to see if it emits anything. If they did that, then eSIM or SIM wouldn't have matter, nor where on the bus it was, they'd eventually see it. But if they just physically came across it, then maybe eSIMs would allow them to place them in less accessible areas. But then maybe that wouldn't matter anyways, if the SIM cards are permanently attached anyways.
Bottom line, hopefully wouldn't have made a difference.
A local group of security people have been running a weekend project they call Project Lion Cage where they take Chinese cars into a local mine with spectrum analyzers etc. to watch where they send data and so on. This is how the bus was evaluated as well. Tor Indstøy has quite a few posts on his LinkedIn page talking about the work and what they have found.
Press release (Norwegian): https://www.mynewsdesk.com/no/ruter/pressreleases/ruter-tar-...
Related out of Denmark:
Danish authorities in rush to close security loophole in Chinese electric buses
https://www.theguardian.com/world/2025/nov/05/danish-authori...
that's why Intelites are more clever. their "easter eggs" aren't so easy to find... deep in the 2^64-bitspace
You never know when they might need to send the repo man.
The life of a repo man is always intense.
NB: Title shortened for length
This is just stupid. All modern vehicles har been fully remote controllable for years.
100% false.
For obvious reasons, non-CBTC trains are not remotely controllable (CBTC essentially means "remotely driven"). It's all or nothing; either a safety system that inherently accepts the risk, or no way to remotely control the speed, short of fully stopping the train.
If modern cars have been fully remotely controllable for years, why can't police stop often-deadly car chases?
Ditto on air traffic control and small planes; many don't even have in-plane automatic pilots. AFAIK no ultralights ever do.
Most boats are not remotely controllable; even the large container ship that recently damaged a major US bridge didn't.
>If modern cars have been fully remotely controllable for years, why can't police stop often-deadly car chases?
They want to retain the power of discretionary action. If the powers that be employed their 1984 stuff all the time over trivial things people wouldn't support them. Part of this means they don't give the beat cops those toys.
Also, there's a difference between "can be" and "are". Like there's god knows how many numbers of compatibility layers and intermediary systems I bet even if the capability exists it's broken more often than it's not. Diverse software systems take a ton of constant work to maintain.
During the "last years of XP" era you probably could have theoretically taken down half the world's industry on paper but if you tried to do so at scale without literal years of prep and testing you'd have been foiled by the 50% of machines where you payload just didn't work for some obscure reason.
If the internet has all the information and you are on the internet, why don't you know this already?
What on Earth are you rambling about now?
I fully agree. If these were buses from any other country, this would not be an issue.
Every road vehicle sold today has a sim card, most for diagnostics, some for remote control.
The tests done on the buses showed that they can be stopped as well as otherwise controlled remotely from China. This is way more than diagnostics, and remote control is _not_ something which is common in road vehicles.
Having "a sim card" is less than saying your car "has an on-board computer". In no way does that imply remote control.
Even you admit that most of them aren't for remote control, so what are you agreeing with?
The issue was the eSIMs identified were not disclosed by Yutong, which clearly falls afoul of procurement and cybersecurity regulations.
I wasn't aware of that, thanks. But still, if you go buy a car right now, I doubt they are going to make it a sales pitch that you are not the only one who can control your car.
This is why we invented the fine print.
Not putting this information in the fine print is fraudulent behaviour
It was most likely in the specs from the beginning. You can't have busses roaming around with no way to turn them off remotely.
"You can't have busses roaming around with no way to turn them off remotely."
Hm? Not a single bus on the road in my city can be turned off remotely. There's never been one ever, since bus transport started. So why should, no, must, that be a feature of new buses?
I’m pretty sure turning off the bus is something the bus driver can do. It’s not like buses were wildly roaming around before cellular networks were invented…
What? That's the way it's always been.
Do you imagine some benevolent authority sits in your town with a finger on the kill switch for every vehicle in motion?
If it were in the specs from the beginning, there would be no issue. This isn't a "click here to accept" thing; multiple people scan the technical data in these projects.
Yes, those wild buses on the loose have been a major problem
Can't you? And who should have that power? I believe that this is the concern.