Recent viral videos showing electric rickshaws and loaders being remotely disabled have spotlighted glaring security flaws in India’s connected EV ecosystem. The root cause: battery management systems with poor authentication that allow unauthorized Bluetooth access through popular diagnostic apps.
- Unauthorized Bluetooth access disables electric rickshaws and loaders.
- Apps such as BAT BMS are widely used, but the BMS units they talk to have insufficient security.
- Experts advocate formal security certification for BMS hardware.
What happened
Over the past week, social media has circulated videos depicting electric rickshaws and loaders being remotely disabled by individuals exploiting the Bluetooth-connected battery management systems (BMS). These BMS units, integral to lithium-ion battery packs, are typically monitored via mobile applications such as BAT BMS, Lossigy, and Epoch Li-ion, some of which are of Chinese origin. The apps provide real-time battery data but also, due to weak security settings on budget EV BMS hardware, permit unauthorized commands including remotely cutting off the battery output, rendering vehicles inoperable.
This unauthorized access is not traditional hacking but rather an exploitation of default or absent authentication in the BMS firmware, enabling anyone within a 10-15 meter Bluetooth range to issue critical commands. Drivers and operators of various EV brands have reported disruptions, highlighting a widespread vulnerability rather than isolated incidents.
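As an added illustration (not code from the article, nor from any app or BMS vendor it names), a small Python model of the two firmware behaviours: a handler that accepts a cut-off command from any connected peer, beside one that gates critical writes behind a challenge-response under a per-device key while leaving battery telemetry readable. The command names, the provisioned key and the tag format are assumptions; no real BLE stack is involved.

```python
import hashlib
import hmac
import os

# Constructed model of a Bluetooth BMS command handler, not real firmware.
# Commands arrive as characteristic writes; DISCHARGE_OFF opens the output
# switch and immobilises the vehicle, the command the reported incidents abuse.
CRITICAL = {b"DISCHARGE_OFF", b"CHARGE_OFF"}

def make_tag(key, nonce, cmd):
    """Tag the owner's app computes for one command under one challenge."""
    return hmac.new(key, nonce + cmd, hashlib.sha256).digest()

class WeakBms:
    """The pattern the article describes: any connected peer may cut output."""
    def __init__(self):
        self.output_on = True
    def on_write(self, cmd, tag=b""):
        if cmd == b"DISCHARGE_OFF":
            self.output_on = False
        return "ok"

class HardenedBms:
    """Critical writes need a challenge-response under a per-device key that is
    assumed to be provisioned at manufacture; telemetry reads stay open."""
    def __init__(self, device_key):
        self.key, self.output_on, self.nonce = device_key, True, None
        self.failed_auth = 0          # counter worth exporting for detection
    def challenge(self):
        self.nonce = os.urandom(16)   # fresh per attempt, so a tag cannot be replayed
        return self.nonce
    def on_write(self, cmd, tag=b""):
        if cmd not in CRITICAL:       # state-of-charge reads etc. need no auth
            return "ok"
        nonce, self.nonce = self.nonce, None   # single use, even on failure
        if nonce is None:
            self.failed_auth += 1
            return "rejected: no challenge"
        if not hmac.compare_digest(make_tag(self.key, nonce, cmd), tag):
            self.failed_auth += 1
            return "rejected: bad tag"
        if cmd == b"DISCHARGE_OFF":
            self.output_on = False
        return "ok"

def stranger_in_range(bms):
    """One unauthenticated cut-off attempt, as in the videos; returns output state."""
    bms.on_write(b"DISCHARGE_OFF", b"\x00" * 32)
    return bms.output_on
```

The failed_auth counter is the detection hook: a unit that sees unauthenticated cut-off attempts can surface them to the owner's app or fleet backend instead of silently refusing them.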
Why it matters
The security lapse exposes a significant risk to road safety and operational reliability for India’s emerging electric mobility sector. With multiple EV manufacturers sourcing BMS components from generic suppliers, often through online marketplaces like Alibaba, these budget vehicles are inherently tied to hardware with minimal security vetting. The potential for malicious remote shutdowns creates safety hazards for drivers and passengers and undermines consumer trust in EV technology.
Additionally, the issue reflects India’s broader challenge of reliance on imported, often opaque firmware embedded in hardware critical to connected devices. The government’s move to ban affected mobile apps may prevent misuse but also risks disenfranchising legitimate users who depend on these tools for battery health monitoring and for restoring output after an unauthorized shutdown.
What to watch next
Consumers and operators should anticipate tighter regulations and improved hardware security in upcoming EV models. Meanwhile, OEMs must conduct thorough due diligence in sourcing BMS components and implementing robust access controls. Monitoring government actions on enforcing app removals and standards development will be critical for understanding the pace at which this security gap can be closed in India’s fast-growing electric vehicle landscape.