Governments are starting to treat Vehicle Cyber as part of base security, not just consumer privacy. Poland’s armed forces have introduced a formal ban on vehicles manufactured in the People’s Republic of China entering protected military facilities, treating Smart Cars as potential collection platforms rather than just transport. The General Staff says the risk sits in the modern vehicle stack, cameras, microphones, GPS, lidar, telematics, and always-on connectivity that can log where a car goes, what it sees, and what it hears. Similar bands are reported in other NATO countries.
Commanders are being told to keep affected cars outside the secure perimeter and organise parking zones beyond restricted areas, so drivers can leave their vehicles before passing inside. The policy also tightens rules for any other vehicle fitted with devices that can record location, video, or audio, with entry allowed only if specified functions are disabled and extra site rules are applied.
The ban is paired with a second measure aimed at a quieter data path, the phone-in-the-car relationship. Polish military personnel are barred from connecting official phones to infotainment systems in China-made vehicles. That matters because modern head units can ingest contacts, call logs, messages metadata, location history, and sometimes even copies of data cached by apps. Chinese brands have been rapidly expanding in the Polish market, especially in EVs and highly connected models, which pushes the security debate from theory into routine base access, contractor visits, deliveries, and staff commuting.
Connected Vehicles Treated Like Untrusted Electronics
Poland is not the first Western state to start drawing physical boundaries around connected vehicles. In the UK, the Ministry of Defence has imposed restrictions at some sensitive sites amid concerns about Chinese components and the data modern EVs can collect. Staff has being told to keep certain vehicles well away from high-security facilities.
The United States has gone further at the market level. The Commerce Department’s Bureau of Industry and Security issued a rule designed to secure connected-vehicle supply chains from Foreign Adversary risks, with phased prohibitions that start with model year 2027 for covered software and expand to certain hardware later. The logic is explicit, connected cars are computers with sensors and networks, which creates both surveillance risk and sabotage risk.
Outside NATO, Israel has also taken a defensive line around China-made EVs in security contexts, with reporting describing restrictions tied to the same underlying worry, rolling sensors plus remote connectivity around sensitive installations.
China Blocks Foreign Electric Cars
Beijing has used similar logic against others. China restricted Tesla cars from entering or parking near certain government and military compounds in 2021, citing camera and data-security concerns. That symmetry matters because it shows the argument is not uniquely Anti-China, it is the natural outcome of rolling sensor platforms into sensitive environments.
Chinese Electric Buses: Remote Control and Fleet Dependence
There are identified security risks associated with Chinese-manufactured electric buses, particularly concerning the potential for remote access, control, and data vulnerability. Investigations in Europe have highlighted that these vehicles, especially those produced by companies like Yutong, contain connected systems that could theoretically be exploited.
Norway’s public transport operator Ruter disclosed cybersecurity testing indicating that Chinese-made Yutong electric buses had remote access paths used for diagnostics and over-the-air updates, and that in theory, this access could be exploited to affect operations. Ruter found that remote deactivation could be prevented if SIM cards in the buses were removed. Transport Minister Jon-Ivar Nygård said that even after the security concerns identified by Ruter, it was not currently planned to take Chinese-made buses out of service.
Denmark’s authorities and operators moved to investigate similar concerns, and the UK has also examined risks in Chinese-made bus fleets in cooperation with cyber officials.
In Finland, Tampere City Transport managing director Kai Honkanen stated in mid-2025 that they were aware of the security discussions surrounding the buses, but at that time, there was no evidence of immediate security risks. A significant portion of buses in use in the Helsinki region could also be susceptible to similar remote tampering. “This is not a Chinese bus problem. It is a problem for all types of vehicles and devices with Chinese electronics built in,” told Jeppe Gaard, the chief operating officer for Movia, Denmark’s largest public transport company, according to local media. According to Gaard, the vehicles are equipped with “subsystems with internet connectivity and sensors (cameras, microphones, GPS) that can constitute vulnerabilities which could be exploited to disrupt bus operations.”
According to ABC, there are similar worries in Australia. “The problem is, of course, that if a company is domiciled in China, they obviously come under the lawful direction of the CCP [Chinese Communist Party],” told Alaistair MacGibbon, a former head of the Australian Cyber Security Centre, to ABC.
1. Remote Control & Disabling (Kill Switch Risk)
- The Findings: Security tests, including those conducted by Norway’s public transport operator Ruter, discovered that some Chinese-made electric buses can be accessed remotely through cellular (SIM card) connections intended for software updates and diagnostics.
- Potential Threat: In a controlled test, it was demonstrated that these buses could, in theory, be remotely deactivated or shut down by the manufacturer, potentially leading to widespread public transport disruption.
- Action Taken: Due to these findings, the UK government launched a probe into the potential for a Kill Switch in Chinese-made buses, and Norway and Denmark have implemented tighter security protocols.
2. Data Security & Espionage (Cameras and Sensors)
- Data Handling: While some operators, such as in Norway, found that cameras were not directly connected to the internet, they still identified that the buses send diagnostic data, and potentially other data, to servers, with concerns about whether that information is accessible by Chinese authorities.
- Geopolitical Concerns: Concerns have been raised by Western security officials that, similar to restrictions placed on Huawei and ZTE, these internet-connected “mobile machines” could be used for surveillance or to collect intelligence on critical infrastructure.
- Passenger Privacy: Some analysts have suggested that if passengers use onboard Wi-Fi, there is a risk of data monitoring.
- Vulnerabilities: The core risk stems from “Over-The-Air” (OTA) software update capabilities, which allow the manufacturer direct digital access to the bus’s control systems, including the battery and power management, via mobile networks.
- Mitigation: Transit agencies are taking steps to mitigate these risks by installing firewalls, creating isolated networks, and demanding that all data be stored on local, rather than Chinese, servers.
Yutong has publicly rejected the idea that remote control of safety-critical functions is possible, while acknowledging connectivity for maintenance and updates.
The USB Charger Issue on Buses
The main risk in free USB chargers in Chinese busses is usually not that the bus steals data from the vehicle side, but that a public USB port can be tampered with to target the device you plug in, the classic Juice Jacking scenario. National cyber guidance in the UK advises high-risk individuals to avoid public USB charging points and use a wall plug or their own power bank instead. US authorities have also issued public warnings about public USB charging risks.
- Prefer your own mains charger into a normal plug or use a power bank.
- If you must use USB, use a charge-only cable or a data blocker.
- Keep your phone locked, and do not allow “trust this device” prompts on unfamiliar ports.
Read More:
- Sztab Generalny WP: Nowe wymogi bezpieczeństwa dla pojazdów mechanicznych wyprodukowanych w Chińskiej Republice Ludowej (in Polish)
- Polska Agencja Prasowa (PAP): Nowe wymogi bezpieczeństwa w Polsce. „Chińczykiem” tu nie wjedziesz (in Polish)
- Reuters: Poland bars Chinese-made cars from military sites over data security fears
- Associated Press: Polish army bans Chinese vehicles from military premises
- Financial Times: UK bans EVs from some military bases over Chinese spy fears
- U.S. Department of Commerce, BIS: Commerce Finalizes Rule to Secure Connected Vehicle Supply Chains from Foreign Adversary Threats
- U.S. Department of Commerce, BIS: Connected Vehicles (CV)
- The Guardian: Danish authorities in rush to close security loophole in Chinese electric buses
- Associated Press: Norway transport firm steps up controls after tests show Chinese-made buses can be halted remotely
- YLE: Kiinalainen sähköbussi alkoi toimia oudosti Tampereella (in Finnish)
- MTV Uutiset: Suomeen on ostettu Kiinasta paljon sähköbusseja, joissa on “tappokytkin” – ministeri: Emme ole sinisilmäisiä (in Finnish)
- UK National Cyber Security Centre (NCSC): Guidance for high-risk individuals on protecting your devices and accounts
- Axios: “Juice jacking:” FBI warns against using public charging stations
- Global News: Canada deal on Chinese EVs shows trade ‘trumped security’
- The Times of Israel: IDF swerves away from Chinese cars, driven by worries of spies lurking in everyday tech
- Asia Financial: Concern Rising About ‘Security Loopholes’ in Chinese Buses
- NTB / Aftenposten (via TU.no): Avdekket alvorlig sikkerhetsrisiko – kinesiske elbusser kan stoppes og slås av fra Kina (in Norwegian)
- NTB / Aftenposten (transport minister): Samferdselsministeren: Ikke aktuelt å ta kinesiske busser ut av trafikk
- Cybernews: Denmark investigates security issue in Chinese electric buses