Bluetooth App Exploit Reveals Cybersecurity Gaps in India's E-Rickshaws
In recent weeks, reports of e-rickshaws being remotely disabled via smartphone apps have raised serious concerns about cybersecurity in India's growing electric vehicle fleet. The incidents, which first came to light in Delhi, involve the use of Bluetooth-based battery management applications to cut power to moving vehicles, stranding drivers and passengers.
The Ministry of Electronics and Information Technology (MeitY) has directed Google and Apple to remove several battery management applications from their stores, including BAT-BMS, Lossigy and Epoch i-ion, pending a review of their cybersecurity risks. The Delhi transport department has also launched an investigation, and police in cities like Ujjain have registered cases where alleged miscreants used such apps to disable vehicles and demand money for restoration.
At the centre of the issue is the Battery Management System (BMS), a standard component in lithium-ion batteries that monitors parameters like voltage, temperature and charge cycles. Some BMS units allow users to enable or disable battery discharge as a maintenance feature. The BAT-BMS app, developed by Shenzhen Grenergy Technology, was designed for such legitimate monitoring. However, security flaws in the system have made these controls accessible to unauthorised users.
Certified ethical hacker Abdultaiyeb Chechatwala told The Times of India that the problem lies not in the app itself but in the underlying design of the BMS. According to him, many low-cost battery manufacturers use generic software from third-party vendors that lacks robust encryption and authentication. This allows anyone with the app and Bluetooth range to send commands to the battery, effectively shutting down the vehicle remotely.
Experts emphasise that this is not an isolated app problem but a broader cybersecurity vulnerability affecting thousands of e-rickshaws, particularly those using inexpensive or unbranded batteries. The risk extends beyond e-rickshaws to any vehicle or device that relies on such insecure BMS units. While modern electric cars often have more secure systems, the incident highlights a critical oversight in the rapid expansion of electric mobility.
Cybersecurity researchers warn that the exploitation of such vulnerabilities could have serious consequences for road safety. A vehicle stopping without warning in heavy traffic could cause accidents. The human cost is also evident: drivers lose income and face unexpected expenses, while some have been extorted by those wielding the app.
The government's swift action in calling for app removals is a first step, but experts argue that regulatory standards for battery security are needed. Without mandatory encryption and authentication in BMS software, similar exploits may reappear under different app names. The incident serves as a reminder that as India transitions to electric vehicles, cybersecurity must be integrated into the design and certification process.