
A Bluetooth vulnerability in budget EV battery management systems allowed remote shutdown of e-rickshaws. The government ordered app takedowns, but experts warn of deeper supply-chain security gaps affecting 20 lakh vehicles.
Over the past week, social media filled with videos of people using mobile apps to remotely disable electric rickshaws and loaders. The pranksters left drivers stranded and disrupted trips. The incidents exposed a vulnerability in battery management systems (BMS) that power many of India's budget electric vehicles.
The BMS in these vehicles communicates over Bluetooth through apps such as BAT BMS, Lossigy and Epoch Li-ion, some of Chinese origin. A BMS is the embedded controller inside a lithium-ion battery pack that monitors charge levels, voltage and temperature while preventing overcharging. The systems installed in budget EVs lack adequate authentication, experts said. Anyone within 10 to 15 metres can connect to the BMS using the same apps and, depending on the configuration, disable the battery output.
“The vulnerability isn’t in the app itself, which is a legitimate diagnostic tool; it’s in how battery vendors skipped access control on the BMS firmware,” said Ankush Tiwari, founder and CEO of cybersecurity intelligence provider pi-labs.
Inc42 independently verified that vehicles from Yatri, Mayuri, Vande Bharat and City Life could be controlled using these apps. Drivers of five-wheeler electric loaders reported similar incidents, suggesting the problem extends beyond e-rickshaws. Queries sent to the OEMs did not receive responses.
A GitHub post published several years earlier had already highlighted weak authentication in some of these apps and demonstrated how protections could be bypassed. “It is clear that these manufacturers didn’t do any due diligence before importing these batteries or distributing the app,” said Karan Saini, a cybersecurity analyst and ethical hacker. “Many of these components are easily available on platforms like Alibaba, where several OEMs source from. This is a road safety issue, and banning the apps is not the solution.”
The government directed Google and Apple to take down at least seven such apps. Saini criticised the move, saying it could worsen the situation by preventing legitimate drivers from monitoring battery health or regaining control if another device had already disabled their BMS.
MeitY has launched an investigation. Tiwari said a stronger approach would be a certification requirement for BMS units sold in the Indian EV market, similar to type approval for telecom equipment, rather than chasing individual bad actors.
IDfy principal product manager Nikhil Jhanji said the vulnerability is not limited to specific manufacturers. Any OEM using insecure BMS components, imported battery packs, weak Bluetooth pairing or default credentials could be exposed. He said the risk is highest where BMS allows open Bluetooth discovery and control through a generic companion app. Secure pairing and authentication reduce the risk.
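The firmware-side gate that Jhanji and Tiwari are describing, written out as an added illustration (not code from any BMS vendor or app named in this article): a BLE GATT server decides whether to honour a write to the characteristic that switches battery output based on the security of the link it arrived over. The characteristic name, the three permission levels and the link flags are assumptions modelled on how GATT servers typically gate writes; the "open" level is the configuration the experts describe, the "authenticated" level is the fix they recommend.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Security properties of the current BLE link, as reported by the controller. */
typedef struct {
    bool encrypted;      /* link-layer encryption is active                    */
    bool authenticated;  /* pairing used MITM protection (passkey or OOB)      */
} link_state;

/* Minimum link security the characteristic demands before accepting a write. */
typedef enum {
    PERM_WRITE_OPEN,     /* any connected central may write: the weak setting   */
    PERM_WRITE_ENCRYPT,  /* encrypted link needed, but "Just Works" pairing ok  */
    PERM_WRITE_AUTHEN    /* encrypted and MITM-authenticated link required      */
} write_perm;

typedef struct {
    const char *name;    /* hypothetical "output_enable" control characteristic */
    write_perm  perm;
    uint8_t     value;   /* 1 = battery output on, 0 = output cut              */
} characteristic;

/* Applies the write only when the link meets the requirement; otherwise the
 * request is rejected and the stored value is left untouched. */
bool gatt_write(characteristic *c, const link_state *l, uint8_t new_value) {
    bool ok = false;
    switch (c->perm) {
    case PERM_WRITE_OPEN:    ok = true;                             break;
    case PERM_WRITE_ENCRYPT: ok = l->encrypted;                     break;
    case PERM_WRITE_AUTHEN:  ok = l->encrypted && l->authenticated; break;
    }
    if (ok) c->value = new_value;
    return ok;
}

/* Does a "cut output" write succeed against a fresh characteristic with the
 * given permission, over a link with the given security properties? */
bool disable_accepted(write_perm perm, bool encrypted, bool authenticated) {
    characteristic c = { "output_enable", perm, 1 };
    link_state l = { encrypted, authenticated };
    return gatt_write(&c, &l, 0) && c.value == 0;
}

int main(void) {
    /* An unpaired phone in range versus the driver's passkey-paired phone. */
    printf("open perm, unpaired phone: %s\n", disable_accepted(PERM_WRITE_OPEN,   false, false) ? "accepted" : "rejected");
    printf("authen perm, Just Works:   %s\n", disable_accepted(PERM_WRITE_AUTHEN, true,  false) ? "accepted" : "rejected");
    printf("authen perm, paired owner: %s\n", disable_accepted(PERM_WRITE_AUTHEN, true,  true)  ? "accepted" : "rejected");
    return 0;
}
```

Note the middle case: encryption alone is not enough, because a "Just Works" pairing with no passkey lets any nearby phone obtain an encrypted link, so the control characteristic must demand an authenticated one.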
The episode also highlighted gaps in India's vehicle cybersecurity framework. The country introduced AIS-189, which mandates a certified Cybersecurity Management System for new vehicle models from October 2025. Experts said the framework places primary responsibility on OEMs, leaving oversight of third-party hardware and embedded software unclear, especially when components are imported.
Data privacy adds another dimension. Many BMS apps access GPS location, driver behaviour, vehicle usage patterns and operational logs. It is often unclear where this data is stored or who can access it. “Battery health monitoring may sound purely technical, but combined with GPS and user identifiers it can reveal where a person works, how long they operate, where they travel, their income patterns, and their daily routine,” Jhanji said. “That places it squarely in the realm of data protection.”
The Digital Personal Data Protection Act requires security safeguards and consent mechanisms. Tiwari said enforcement in the budget EV battery vendor space is largely untested.
Experts said the issue is not limited to EVs. The same concerns extend to imported and white-labelled IoT devices, from smart lights to connected home appliances. Many rely on mobile apps with opaque ownership and weak access controls. An anonymous cybersecurity expert said, “Indians don’t take their personal data protection seriously until a breach or fraud happens, and then the most convenient response is to point fingers.”
The weakest link is now the software layer connecting users, devices and component vendors. The security of a device often depends on its least secure third-party component. India has an estimated 20 lakh e-rickshaws on the road, only about half of which are registered. Saini said OEMs should be held accountable for exposing drivers and passengers to vulnerabilities. “We can no longer keep importing parts and welding them together without a robust governance framework.”
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.