Weak Authentication in E-Rickshaw Batteries Exposes Cybersecurity Gaps in India
In a recent incident in Delhi, several e-rickshaws stalled mid-road, drawing attention to a cybersecurity vulnerability in their battery management systems (BMS). Reports indicated that unauthorised access was gained via Bluetooth using default or weak credentials, allowing control over battery functions. The Ministry of Electronics and Information Technology (MeitY) acted promptly to remove certain apps from Google and Apple stores, but the underlying issue extends beyond the apps' origin.
The apps in question were diagnostic tools designed for technicians to monitor battery health and perform maintenance. However, the BMS units accepted Bluetooth connections with weak security, enabling unauthorised control. This highlights a critical flaw in authentication and access control, not a problem specific to any country of origin.
Modern battery systems are software-defined and connected, supporting power grids, telecom towers, warehouses, ports, industrial automation, and defence platforms. Vulnerabilities can disrupt operations or disable critical equipment. The e-rickshaw episode is India's first widely visible demonstration of a cyber-physical security challenge from authentication failures.
India has robust cybersecurity institutions, including the Indian Computer Emergency Response Team (CERT-In) and the National Critical Information Infrastructure Protection Centre (NCIIPC). However, a coherent strategy for connected battery systems remains missing. CERT-In's guidelines on secure software development and vulnerability disclosure are not binding, and NCIIPC's jurisdiction covers only designated critical infrastructure, excluding many EV and commercial battery systems.
Sectoral regulators like the Central Electricity Authority have addressed battery risks separately, focusing on organisational cybersecurity or functional safety. The Department of Telecommunications and MeitY have introduced security assurance for connected devices, but these do not specifically cover Bluetooth-enabled BMS. Automotive battery regulations such as AIS-156 and AIS-038 address physical safety, while AIS-189 covers cybersecurity but does not extend to most e-rickshaws and two-wheelers.
To ensure the safe adoption of connected battery technologies, India needs a comprehensive framework that integrates cybersecurity requirements across all battery systems, mandates secure authentication, and enforces regular vulnerability assessments. This will protect not only e-rickshaws but also the broader infrastructure relying on these systems.