Bluetooth battery hack: E-rickshaw vulnerability exposes deeper tech issues
Over the last week, social media has been flooded with videos showing individuals using mobile applications such as BAT-BMS, Lossigy, and Epoch-i-ion to wirelessly disable e-rickshaw batteries via Bluetooth. While many shared these videos as 'pranks,' others speculated that the apps were designed for sabotage by Chinese manufacturers. However, the reality is less dramatic but still concerning.
Applications like BAT-BMS are intended for fleet owners and technicians to diagnose battery problems, such as overvoltage or undervoltage, without needing to disassemble the vehicle. These apps communicate with Bluetooth-enabled battery management systems (BMS) common in e-rickshaws. A known vulnerability in BMS modules manufactured by Chinese company Jiabaida—documented on GitHub as early as seven years ago—lacks proper authentication, allowing anyone with the app to connect and disable the battery.
This security flaw has been exploited by pranksters, but the apps themselves are not malicious. They are diagnostic tools that search for specific BMS modules and provide basic functions. The vulnerability lies in the hardware, not the software.
The incident highlights deeper issues in India's e-rickshaw ecosystem. Most components, including batteries and electronics, are imported from China. Local manufacturers assemble the frames but rely heavily on imported parts with little oversight. This creates potential security risks when vulnerable components are widely deployed.
In response to the viral videos, the Indian government directed Google and Apple to remove several battery management apps from their app stores. This approach—restricting access to tools rather than addressing the underlying hardware vulnerabilities—has been criticized as treating the symptom rather than the cause. Similar reasoning was used earlier when Telegram was blocked during exam-related fraud concerns.
Experts argue that a more effective response would be to mandate security standards for imported BMS modules and encourage manufacturers to update firmware or add authentication. Simply removing diagnostic apps may reduce immediate misuse but leaves the fundamental issue unresolved.
As e-rickshaws become more common in Indian cities, ensuring the security of their components is crucial. This incident is a reminder that importing technology without adequate security checks can lead to vulnerabilities that affect public safety.