Viral videos circulating on social media show individuals using smartphone apps to remotely disable moving e-rickshaws One morning in Delhi, an e-rickshaw driver suddenly found his vehicle stranded in the middle of a busy road. There was no warning light, no smoke, no mechanical failure. The vehicle had simply stopped moving.Assuming it was a technical fault, he pushed it to a nearby mechanic. What followed surprised him. The mechanic opened a mobile application, tapped a few buttons, and the rickshaw came back to life within minutes. Watch India’s E-Rickshaw Boom And The Hidden BAT-BMS Safety RiskBut the relief did not last.According to the driver’s account shared with news agency IANS, the same issue happened again while he was carrying passengers. Each time, the vehicle stopped without warning, and each time he lost earnings and had to pay to get it restarted.What initially looked like an isolated malfunction has now grown into a nationwide cybersecurity concern involving electric mobility, public safety, and digital security gaps in everyday transport.Viral videos circulating on social media show individuals using smartphone apps to remotely disable moving e-rickshaws.Following these reports, the ministry of electronics and information technology (MeitY) directed Google and Apple to remove several battery management applications, including BAT-BMS, Lossigy and Epoch i-ion, while reviewing their cybersecurity risks.At first glance, it appears to be a rogue app problem. But experts say the real issue runs deeper: insecure battery systems inside thousands of low-cost electric vehicles.Why did the government step in?The controversy escalated after videos showed people scanning nearby e-rickshaws and switching off their batteries mid-ride using Bluetooth-based apps.Drivers were often left stranded without understanding what had happened. In many cases, they assumed a mechanical fault and paid mechanics to restart the vehicle, only to later learn that the battery had been digitally switched off.Following these incidents, MeitY ordered app removals and began investigating cybersecurity implications.The Delhi transport department has also launched a probe, while police in cities like Ujjain have registered cases where miscreants allegedly disabled vehicles and demanded money to restore them.Officials have clarified that the concern is not limited to one app, but whether connected vehicle systems can be exploited in the first place.BAT-BMS isn’t really the problemCybersecurity experts caution against focusing only on the app.The BAT-BMS application was originally developed by Shenzhen Grenergy Technology for monitoring lithium-ion batteries. It allows users to track voltage, temperature, current flow, charging cycles and battery health. It also includes maintenance features such as enabling or disabling battery discharge.The controversy arises when such controls become accessible to unauthorised users.Certified ethical hacker Abdultaiyeb Chechatwala told TOI that the issue lies in the system design, not the app itself.“The problem is not the name of the app. It is the logic behind how the Battery Management System accepts commands,” he said.According to Chechatwala, several low-cost battery manufacturers use generic software supplied by third-party vendors that lacks robust encryption and authentication. If the BMS accepts commands from any nearby device without verifying identity, almost any compatible application could potentially communicate with it.He says manufacturers should have implemented encryption, secure key exchange and proper authentication so that only authorised users could access battery controls.”Without these safeguards, anyone within communication range who understands the protocol may attempt to interact with the system,” he said.This means removing one app does not eliminate the vulnerability.What exactly is a Battery Management System?Every lithium-ion battery pack contains an electronic controller known as a Battery Management System, or BMS.Although largely invisible to users, it performs one of the most critical roles inside an electric vehicle. It constantly monitors battery voltage, temperature, charging speed, cell balance and overall health. If unsafe conditions develop, the system can disconnect the battery to prevent overheating, overcharging or permanent damage.Without a Battery Management System, modern lithium-ion batteries would be significantly less reliable and considerably less safe.Many manufacturers also enable Bluetooth connectivity so technicians—or sometimes vehicle owners—can monitor battery performance through a smartphone application instead of using specialised equipment.That convenience, however, introduces a new cybersecurity challenge.If the wireless connection lacks proper password protection, encryption or secure authentication, almost anyone standing nearby may be able to communicate with the battery.In vulnerable systems, that communication extends beyond simply viewing battery information.It may also include maintenance functions such as enabling or disabling battery discharge—the very feature now at the centre of the controversy.How can an e-rickshaw be switched off remotely?Contrary to viral claims online, nobody is “hacking” an e-rickshaw from kilometres away.The attacks reported so far rely on Bluetooth, meaning the person attempting to access the battery must remain physically close to the vehicle—typically within about 10 to 20 metres.The process is relatively straightforward on unsecured systems.When an e-rickshaw fitted with a vulnerable Bluetooth-enabled battery comes within range, the application scans for nearby Battery Management Systems.If the battery does not require authentication—or continues to use factory-default credentials—the application can establish a connection.Once connected, the user can access maintenance controls built into the BMS itself.One such maintenance function is controlling the battery’s discharge — essentially deciding whether the battery should supply power to the vehicle.That feature exists for legitimate servicing purposes.The problem begins when the same function becomes accessible to anyone nearby.How does an app stop an e-rickshaw?Apps such as BAT-BMS, Lossigy and Epoch i-ion could connect to certain unsecured battery systems because many low-cost battery manufacturers either left Bluetooth connections without passwords or relied on easily accessible factory-default credentials.Once connected, a user could simply disable battery discharge.The moment discharge is disabled, electrical power flowing from the battery to the motor stops.Although the battery itself remains physically intact, the vehicle immediately loses power and comes to a halt.Because the BMS, not the ignition key, has disconnected the battery, restarting the vehicle becomes impossible until someone reconnects to the battery and re-enables the discharge function.For drivers unfamiliar with the technology, the vehicle appears to have suffered a mysterious mechanical failure.That confusion has reportedly allowed some people to exploit stranded drivers by charging money simply to reconnect the battery through the same application.Not every electric vehicle is vulnerableOne misconception that quickly spread after the controversy was that any electric vehicle could now be remotely switched off.That is simply not true.The vulnerability exists only when several conditions are present simultaneously. The vehicle must use a Bluetooth-enabled lithium-ion battery, the BMS must permit wireless access, and adequate authentication or encryption must be absent.Many e-rickshaws in India still operate on lead-acid batteries, which do not include Bluetooth-enabled Battery Management Systems at all.Similarly, newer lithium-ion battery packs equipped with strong passwords, encrypted communication or manufacturer-specific software cannot typically be accessed through generic applications.Established manufacturers generally incorporate multiple cybersecurity layers separating the battery management system from the vehicle’s core electronic controls.These systems also use encrypted communication and proprietary software architectures, making unauthorised access significantly more difficult.The controversy therefore does not expose a weakness across every electric vehicle. Instead, it highlights the cybersecurity risks associated with low-cost connected devices that prioritise affordability over digital security.The human cost behind a “prank”For many, what appeared online as a prank has had real-world consequences.E-rickshaws are often the primary source of income for drivers and their families.One driver told IANS that his vehicle stopped working mid-journey and had to be pushed to a mechanic. He later learned the battery had been switched off digitally and paid around Rs 300 to restore it.In another case documented by social media influencer Amaan Siddiqui, a driver lost an entire day’s income after his vehicle remained disabled for hours.“He broke down and told me that he had lost an entire day’s earning,” Siddiqui said, as quoted by news agency ANI.For daily wage workers, even a few hours of downtime can mean missed rent payments or household expenses.When a cyber issue becomes a road safety riskThe problem extends well beyond financial losses.Imagine an e-rickshaw suddenly losing power while crossing a busy intersection, negotiating heavy traffic or carrying elderly passengers.Although most reported incidents have ended without major injuries, cybersecurity experts warn that remotely disabling vehicles in motion creates obvious road safety risks.The government appears to share those concerns.Alongside removing the applications from app stores, authorities have begun examining cybersecurity safeguards used in battery-powered vehicles.Officials are also assessing whether similar vulnerabilities may exist in other connected transport systems.Could this happen to electric cars too?The controversy has inevitably raised a bigger question.If an e-rickshaw can be remotely disabled, could hackers eventually target electric cars?At present, experts say the answer is not in the same way.Most passenger electric vehicles use significantly more sophisticated battery management systems with multiple layers of cybersecurity.Communication between battery systems and vehicle electronics is typically encrypted, authenticated and integrated into secure vehicle networks.Generic Bluetooth applications cannot simply connect to these systems.However, cybersecurity researchers caution against complacency.Chechatwala notes that modern connected devices increasingly depend on wireless communication technologies including Bluetooth, Wi-Fi and radio-frequency systems.Where security is poorly designed, attackers may attempt replay attacks, relay attacks or protocol manipulation using specialised equipment.”The lesson is that every connected device—whether it is an e-rickshaw battery, a drone, a smart appliance or a connected vehicle—must be designed with security built in from the beginning,” he said.”As more physical devices become digitally connected, the attack surface also grows.”The government has similarly indicated that its review extends beyond e-rickshaws to examine safety protocols across increasingly software-driven vehicles.Why cybersecurity experts aren’t surprisedThe vulnerabilities exposed in India’s e-rickshaw ecosystem reflect concerns that researchers have been raising for years.A recent peer-reviewed paper published in IEEE Access, titled Battery Management System: Threat Modelling, Vulnerability Analysis, and Cybersecurity Strategy, argues that as Battery Management Systems become more connected, they also become more attractive targets for cyberattacks.The study identifies numerous attack methods capable of disrupting battery systems, including malware injection, sensor manipulation, electromagnetic interference, jamming attacks and unauthorised wireless access.Researchers warn that successful attacks could trigger false alarms, disable safety mechanisms, interfere with battery operation or even create hazardous failures if adequate safeguards are absent.The paper recommends several protective measures that many cybersecurity specialists have long advocated, including encrypted communication, strong authentication, secure firmware updates, intrusion detection systems and hardware-based security features that prevent unauthorised access.Its broader conclusion is straightforward: battery cybersecurity can no longer be treated as an optional feature. As vehicles become increasingly connected, digital security becomes an essential part of physical safety.A national security concern, not just a software bugThe controversy has also opened a wider debate about India’s digital infrastructure.Thousands of low-cost lithium-ion batteries used across the country rely on imported electronic components and software supplied by overseas manufacturers.Many of these systems were designed primarily for affordability and ease of maintenance rather than cybersecurity.That raises uncomfortable questions.Who controls the software inside these batteries?Who audits their security?Could similar vulnerabilities exist in larger fleets of connected vehicles or critical infrastructure?The current incidents appear to involve local misuse of unsecured Bluetooth connections rather than remote foreign interference. There is no public evidence that the affected apps were designed for malicious purposes.Nevertheless, cybersecurity experts argue that the episode demonstrates how weak security in imported connected devices can create vulnerabilities that extend beyond individual consumers.As India rapidly expands its electric mobility ecosystem, ensuring that connected hardware meets minimum cybersecurity standards may become as important as meeting mechanical or electrical safety norms.More than an app problemThe BAT-BMS controversy is easy to dismiss as another viral internet prank.In reality, it exposes something far more significant.A software vulnerability capable of stopping a working person’s livelihood with a single tap is not merely a technological glitch. It highlights how digital systems increasingly control physical infrastructure that millions depend upon every day.Removing a handful of applications from app stores may reduce immediate misuse, but it does not automatically secure the vulnerable battery systems already operating on Indian roads.Ultimately, the lesson extends far beyond e-rickshaws.As vehicles, appliances and public infrastructure become smarter and more connected, cybersecurity is no longer just about protecting data. It is about protecting lives, livelihoods and public trust.PollVote & Share your viewDo you think the recent e-rickshaw battery incidents reflect broader cybersecurity issues in electric vehicles?Yes, definitelyNo, it’s an isolated case3k+ users shared opinion today 5k+ users already voted today 3k+ users shared opinion today Share OpinionThe real challenge is ensuring that the technologies powering India’s digital future are designed to be secure before they become indispensable.Get the latest India news and live updates. Download the TOI App.End of ArticleFollow Us On Social MediaVideosPM Modi’s Indonesia Visit : BrahMos, Astra Missiles, Critical Minerals And Big OutcomesUnpublished ARAI Study Flags E20 Compatibility Issues In Older VehiclesMumbai-Pune Expressway: 4 Reasons The New Corridor Failed Its First Monsoon TestRam Temple Row Escalates As Akhilesh Yadav Warns Nishikant Dubey Of FIR Over Social Media PostIndian Diplomat Protests Incorrect Map Depicting J&K As Part Of Pakistan At Dhaka SeminarOwaisi Says Amit Shah ‘Doesn’t Do Things Casually’, Claims Meeting Points to NRC RolloutRam Mandir Trust Meeting: Champat Rai’s Resignation Accepted, Donated Items Put On DisplayPM Modi Praises BJP Chief Nitin Nabin After Kejriwal’s ‘Who Are You’ Remark | WatchBaruipur Rape Horror: Mamata Leads Protest, CM Suvendu Vows to Ensure Death PenaltyRam Mandir Trust Chief Demands Strict Action As Donation Probe Intensifies Further123Photostories7 grasslands and plateaus in Maharashtra that become magical during monsoonPsychology explains reasons behind some faces that seem more attractive than othersAncient hair oil remedies to prevent grey hair: 5 nourishing mixtures worth tryingMost expensive houses in India: Inside the country’s costliest residential propertiesWhy people don’t intervene during emergencies: The psychology of the bystander effect“I’m great at my job but neglect my personal life”: Why this creator’s video is striking a chord with many working women in their 30sRush over discounted Pointed Gourd (Parwal) in New Jersey: 8 traditional desi ways to enjoy it during summer season5 simple ways to make meditation a daily habitNational parks you can visit using Vande Bharat trains without taking a flight: India’s best wildlife getaways by railFrom a lush garden to vibrant interiors: Inside Anupamaa fame Rupali Ganguly’s nature-inspired Mumbai home123Hot PicksArgentina vs EgyptPM Modi Indonesia VisitWayanad LandslideSuryakumar yadavMumbai school holidayShapoor ZadranErling HaalandMumbai schools holidayMumbai-Pune expresswayTop TrendingIran-US WarMumbai FloodsBengal Rape CaseFIFA World Cup 2026CBSE Class 10 ResultRam temple donationMumbai rainStock Market TodayMumbai Rain DeathKCET mock seat allotment

Viral videos circulating on social media show individuals using smartphone apps to remotely disable moving e-rickshaws One morning in Delhi, an e-rickshaw driver suddenly found his vehicle stranded in the middle of a busy road. There was no warning light, no smoke, no mechanical failure. The vehicle had simply stopped moving.Assuming it was a technical fault, he pushed it to a nearby mechanic. What followed surprised him. The mechanic opened a mobile application, tapped a few buttons, and the rickshaw came back to life within minutes.  Watch India’s E-Rickshaw Boom And The Hidden BAT-BMS Safety RiskBut the relief did not last.According to the driver’s account shared with news agency IANS, the same issue happened again while he was carrying passengers. Each time, the vehicle stopped without warning, and each time he lost earnings and had to pay to get it restarted.What initially looked like an isolated malfunction has now grown into a nationwide cybersecurity concern involving electric mobility, public safety, and digital security gaps in everyday transport.Viral videos circulating on social media show individuals using smartphone apps to remotely disable moving e-rickshaws.Following these reports, the ministry of electronics and information technology (MeitY) directed Google and Apple to remove several battery management applications, including BAT-BMS, Lossigy and Epoch i-ion, while reviewing their cybersecurity risks.At first glance, it appears to be a rogue app problem. But experts say the real issue runs deeper: insecure battery systems inside thousands of low-cost electric vehicles.Why did the government step in?The controversy escalated after videos showed people scanning nearby e-rickshaws and switching off their batteries mid-ride using Bluetooth-based apps.Drivers were often left stranded without understanding what had happened. In many cases, they assumed a mechanical fault and paid mechanics to restart the vehicle, only to later learn that the battery had been digitally switched off.Following these incidents, MeitY ordered app removals and began investigating cybersecurity implications.The Delhi transport department has also launched a probe, while police in cities like Ujjain have registered cases where miscreants allegedly disabled vehicles and demanded money to restore them.Officials have clarified that the concern is not limited to one app, but whether connected vehicle systems can be exploited in the first place.BAT-BMS isn’t really the problemCybersecurity experts caution against focusing only on the app.The BAT-BMS application was originally developed by Shenzhen Grenergy Technology for monitoring lithium-ion batteries. It allows users to track voltage, temperature, current flow, charging cycles and battery health. It also includes maintenance features such as enabling or disabling battery discharge.The controversy arises when such controls become accessible to unauthorised users.Certified ethical hacker Abdultaiyeb Chechatwala told TOI that the issue lies in the system design, not the app itself.“The problem is not the name of the app. It is the logic behind how the Battery Management System accepts commands,” he said.According to Chechatwala, several low-cost battery manufacturers use generic software supplied by third-party vendors that lacks robust encryption and authentication. If the BMS accepts commands from any nearby device without verifying identity, almost any compatible application could potentially communicate with it.He says manufacturers should have implemented encryption, secure key exchange and proper authentication so that only authorised users could access battery controls.”Without these safeguards, anyone within communication range who understands the protocol may attempt to interact with the system,” he said.This means removing one app does not eliminate the vulnerability.What exactly is a Battery Management System?Every lithium-ion battery pack contains an electronic controller known as a Battery Management System, or BMS.Although largely invisible to users, it performs one of the most critical roles inside an electric vehicle. It constantly monitors battery voltage, temperature, charging speed, cell balance and overall health. If unsafe conditions develop, the system can disconnect the battery to prevent overheating, overcharging or permanent damage.Without a Battery Management System, modern lithium-ion batteries would be significantly less reliable and considerably less safe.Many manufacturers also enable Bluetooth connectivity so technicians—or sometimes vehicle owners—can monitor battery performance through a smartphone application instead of using specialised equipment.That convenience, however, introduces a new cybersecurity challenge.If the wireless connection lacks proper password protection, encryption or secure authentication, almost anyone standing nearby may be able to communicate with the battery.In vulnerable systems, that communication extends beyond simply viewing battery information.It may also include maintenance functions such as enabling or disabling battery discharge—the very feature now at the centre of the controversy.How can an e-rickshaw be switched off remotely?Contrary to viral claims online, nobody is “hacking” an e-rickshaw from kilometres away.The attacks reported so far rely on Bluetooth, meaning the person attempting to access the battery must remain physically close to the vehicle—typically within about 10 to 20 metres.The process is relatively straightforward on unsecured systems.When an e-rickshaw fitted with a vulnerable Bluetooth-enabled battery comes within range, the application scans for nearby Battery Management Systems.If the battery does not require authentication—or continues to use factory-default credentials—the application can establish a connection.Once connected, the user can access maintenance controls built into the BMS itself.One such maintenance function is controlling the battery’s discharge — essentially deciding whether the battery should supply power to the vehicle.That feature exists for legitimate servicing purposes.The problem begins when the same function becomes accessible to anyone nearby.How does an app stop an e-rickshaw?Apps such as BAT-BMS, Lossigy and Epoch i-ion could connect to certain unsecured battery systems because many low-cost battery manufacturers either left Bluetooth connections without passwords or relied on easily accessible factory-default credentials.Once connected, a user could simply disable battery discharge.The moment discharge is disabled, electrical power flowing from the battery to the motor stops.Although the battery itself remains physically intact, the vehicle immediately loses power and comes to a halt.Because the BMS, not the ignition key, has disconnected the battery, restarting the vehicle becomes impossible until someone reconnects to the battery and re-enables the discharge function.For drivers unfamiliar with the technology, the vehicle appears to have suffered a mysterious mechanical failure.That confusion has reportedly allowed some people to exploit stranded drivers by charging money simply to reconnect the battery through the same application.Not every electric vehicle is vulnerableOne misconception that quickly spread after the controversy was that any electric vehicle could now be remotely switched off.That is simply not true.The vulnerability exists only when several conditions are present simultaneously. The vehicle must use a Bluetooth-enabled lithium-ion battery, the BMS must permit wireless access, and adequate authentication or encryption must be absent.Many e-rickshaws in India still operate on lead-acid batteries, which do not include Bluetooth-enabled Battery Management Systems at all.Similarly, newer lithium-ion battery packs equipped with strong passwords, encrypted communication or manufacturer-specific software cannot typically be accessed through generic applications.Established manufacturers generally incorporate multiple cybersecurity layers separating the battery management system from the vehicle’s core electronic controls.These systems also use encrypted communication and proprietary software architectures, making unauthorised access significantly more difficult.The controversy therefore does not expose a weakness across every electric vehicle. Instead, it highlights the cybersecurity risks associated with low-cost connected devices that prioritise affordability over digital security.The human cost behind a “prank”For many, what appeared online as a prank has had real-world consequences.E-rickshaws are often the primary source of income for drivers and their families.One driver told IANS that his vehicle stopped working mid-journey and had to be pushed to a mechanic. He later learned the battery had been switched off digitally and paid around Rs 300 to restore it.In another case documented by social media influencer Amaan Siddiqui, a driver lost an entire day’s income after his vehicle remained disabled for hours.“He broke down and told me that he had lost an entire day’s earning,” Siddiqui said, as quoted by news agency ANI.For daily wage workers, even a few hours of downtime can mean missed rent payments or household expenses.When a cyber issue becomes a road safety riskThe problem extends well beyond financial losses.Imagine an e-rickshaw suddenly losing power while crossing a busy intersection, negotiating heavy traffic or carrying elderly passengers.Although most reported incidents have ended without major injuries, cybersecurity experts warn that remotely disabling vehicles in motion creates obvious road safety risks.The government appears to share those concerns.Alongside removing the applications from app stores, authorities have begun examining cybersecurity safeguards used in battery-powered vehicles.Officials are also assessing whether similar vulnerabilities may exist in other connected transport systems.Could this happen to electric cars too?The controversy has inevitably raised a bigger question.If an e-rickshaw can be remotely disabled, could hackers eventually target electric cars?At present, experts say the answer is not in the same way.Most passenger electric vehicles use significantly more sophisticated battery management systems with multiple layers of cybersecurity.Communication between battery systems and vehicle electronics is typically encrypted, authenticated and integrated into secure vehicle networks.Generic Bluetooth applications cannot simply connect to these systems.However, cybersecurity researchers caution against complacency.Chechatwala notes that modern connected devices increasingly depend on wireless communication technologies including Bluetooth, Wi-Fi and radio-frequency systems.Where security is poorly designed, attackers may attempt replay attacks, relay attacks or protocol manipulation using specialised equipment.”The lesson is that every connected device—whether it is an e-rickshaw battery, a drone, a smart appliance or a connected vehicle—must be designed with security built in from the beginning,” he said.”As more physical devices become digitally connected, the attack surface also grows.”The government has similarly indicated that its review extends beyond e-rickshaws to examine safety protocols across increasingly software-driven vehicles.Why cybersecurity experts aren’t surprisedThe vulnerabilities exposed in India’s e-rickshaw ecosystem reflect concerns that researchers have been raising for years.A recent peer-reviewed paper published in IEEE Access, titled Battery Management System: Threat Modelling, Vulnerability Analysis, and Cybersecurity Strategy, argues that as Battery Management Systems become more connected, they also become more attractive targets for cyberattacks.The study identifies numerous attack methods capable of disrupting battery systems, including malware injection, sensor manipulation, electromagnetic interference, jamming attacks and unauthorised wireless access.Researchers warn that successful attacks could trigger false alarms, disable safety mechanisms, interfere with battery operation or even create hazardous failures if adequate safeguards are absent.The paper recommends several protective measures that many cybersecurity specialists have long advocated, including encrypted communication, strong authentication, secure firmware updates, intrusion detection systems and hardware-based security features that prevent unauthorised access.Its broader conclusion is straightforward: battery cybersecurity can no longer be treated as an optional feature. As vehicles become increasingly connected, digital security becomes an essential part of physical safety.A national security concern, not just a software bugThe controversy has also opened a wider debate about India’s digital infrastructure.Thousands of low-cost lithium-ion batteries used across the country rely on imported electronic components and software supplied by overseas manufacturers.Many of these systems were designed primarily for affordability and ease of maintenance rather than cybersecurity.That raises uncomfortable questions.Who controls the software inside these batteries?Who audits their security?Could similar vulnerabilities exist in larger fleets of connected vehicles or critical infrastructure?The current incidents appear to involve local misuse of unsecured Bluetooth connections rather than remote foreign interference. There is no public evidence that the affected apps were designed for malicious purposes.Nevertheless, cybersecurity experts argue that the episode demonstrates how weak security in imported connected devices can create vulnerabilities that extend beyond individual consumers.As India rapidly expands its electric mobility ecosystem, ensuring that connected hardware meets minimum cybersecurity standards may become as important as meeting mechanical or electrical safety norms.More than an app problemThe BAT-BMS controversy is easy to dismiss as another viral internet prank.In reality, it exposes something far more significant.A software vulnerability capable of stopping a working person’s livelihood with a single tap is not merely a technological glitch. It highlights how digital systems increasingly control physical infrastructure that millions depend upon every day.Removing a handful of applications from app stores may reduce immediate misuse, but it does not automatically secure the vulnerable battery systems already operating on Indian roads.Ultimately, the lesson extends far beyond e-rickshaws.As vehicles, appliances and public infrastructure become smarter and more connected, cybersecurity is no longer just about protecting data. It is about protecting lives, livelihoods and public trust.PollVote & Share your viewDo you think the recent e-rickshaw battery incidents reflect broader cybersecurity issues in electric vehicles?Yes, definitelyNo, it’s an isolated case3k+ users shared opinion today 5k+ users already voted today 3k+ users shared opinion today Share OpinionThe real challenge is ensuring that the technologies powering India’s digital future are designed to be secure before they become indispensable.Get the latest India news and live updates. Download the TOI App.End of ArticleFollow Us On Social MediaVideosPM Modi’s Indonesia Visit : BrahMos, Astra Missiles, Critical Minerals And Big OutcomesUnpublished ARAI Study Flags E20 Compatibility Issues In Older VehiclesMumbai-Pune Expressway: 4 Reasons The New Corridor Failed Its First Monsoon TestRam Temple Row Escalates As Akhilesh Yadav Warns Nishikant Dubey Of FIR Over Social Media PostIndian Diplomat Protests Incorrect Map Depicting J&K As Part Of Pakistan At Dhaka SeminarOwaisi Says Amit Shah ‘Doesn’t Do Things Casually’, Claims Meeting Points to NRC RolloutRam Mandir Trust Meeting: Champat Rai’s Resignation Accepted, Donated Items Put On DisplayPM Modi Praises BJP Chief Nitin Nabin After Kejriwal’s ‘Who Are You’ Remark | WatchBaruipur Rape Horror: Mamata Leads Protest, CM Suvendu Vows to Ensure Death PenaltyRam Mandir Trust Chief Demands Strict Action As Donation Probe Intensifies Further123Photostories7 grasslands and plateaus in Maharashtra that become magical during monsoonPsychology explains reasons behind some faces that seem more attractive than othersAncient hair oil remedies to prevent grey hair: 5 nourishing mixtures worth tryingMost expensive houses in India: Inside the country’s costliest residential propertiesWhy people don’t intervene during emergencies: The psychology of the bystander effect“I’m great at my job but neglect my personal life”: Why this creator’s video is striking a chord with many working women in their 30sRush over discounted Pointed Gourd (Parwal) in New Jersey: 8 traditional desi ways to enjoy it during summer season5 simple ways to make meditation a daily habitNational parks you can visit using Vande Bharat trains without taking a flight: India’s best wildlife getaways by railFrom a lush garden to vibrant interiors: Inside Anupamaa fame Rupali Ganguly’s nature-inspired Mumbai home123Hot PicksArgentina vs EgyptPM Modi Indonesia VisitWayanad LandslideSuryakumar yadavMumbai school holidayShapoor ZadranErling HaalandMumbai schools holidayMumbai-Pune expresswayTop TrendingIran-US WarMumbai FloodsBengal Rape CaseFIFA World Cup 2026CBSE Class 10 ResultRam temple donationMumbai rainStock Market TodayMumbai Rain DeathKCET mock seat allotment


India’s E-Rickshaw Boom And The Hidden BAT-BMS Safety Risk

Viral videos circulating on social media show individuals using smartphone apps to remotely disable moving e-rickshaws

One morning in Delhi, an e-rickshaw driver suddenly found his vehicle stranded in the middle of a busy road. There was no warning light, no smoke, no mechanical failure. The vehicle had simply stopped moving.Assuming it was a technical fault, he pushed it to a nearby mechanic. What followed surprised him. The mechanic opened a mobile application, tapped a few buttons, and the rickshaw came back to life within minutes.But the relief did not last.According to the driver’s account shared with news agency IANS, the same issue happened again while he was carrying passengers. Each time, the vehicle stopped without warning, and each time he lost earnings and had to pay to get it restarted.What initially looked like an isolated malfunction has now grown into a nationwide cybersecurity concern involving electric mobility, public safety, and digital security gaps in everyday transport.Viral videos circulating on social media show individuals using smartphone apps to remotely disable moving e-rickshaws.Following these reports, the ministry of electronics and information technology (MeitY) directed Google and Apple to remove several battery management applications, including BAT-BMS, Lossigy and Epoch i-ion, while reviewing their cybersecurity risks.At first glance, it appears to be a rogue app problem. But experts say the real issue runs deeper: insecure battery systems inside thousands of low-cost electric vehicles.

Why did the government step in?

The controversy escalated after videos showed people scanning nearby e-rickshaws and switching off their batteries mid-ride using Bluetooth-based apps.Drivers were often left stranded without understanding what had happened. In many cases, they assumed a mechanical fault and paid mechanics to restart the vehicle, only to later learn that the battery had been digitally switched off.Following these incidents, MeitY ordered app removals and began investigating cybersecurity implications.The Delhi transport department has also launched a probe, while police in cities like Ujjain have registered cases where miscreants allegedly disabled vehicles and demanded money to restore them.Officials have clarified that the concern is not limited to one app, but whether connected vehicle systems can be exploited in the first place.

BAT-BMS isn’t really the problem

Cybersecurity experts caution against focusing only on the app.The BAT-BMS application was originally developed by Shenzhen Grenergy Technology for monitoring lithium-ion batteries. It allows users to track voltage, temperature, current flow, charging cycles and battery health. It also includes maintenance features such as enabling or disabling battery discharge.The controversy arises when such controls become accessible to unauthorised users.Certified ethical hacker Abdultaiyeb Chechatwala told TOI that the issue lies in the system design, not the app itself.“The problem is not the name of the app. It is the logic behind how the Battery Management System accepts commands,” he said.According to Chechatwala, several low-cost battery manufacturers use generic software supplied by third-party vendors that lacks robust encryption and authentication. If the BMS accepts commands from any nearby device without verifying identity, almost any compatible application could potentially communicate with it.He says manufacturers should have implemented encryption, secure key exchange and proper authentication so that only authorised users could access battery controls.“Without these safeguards, anyone within communication range who understands the protocol may attempt to interact with the system,” he said.This means removing one app does not eliminate the vulnerability.

What exactly is a Battery Management System?

Every lithium-ion battery pack contains an electronic controller known as a Battery Management System, or BMS.Although largely invisible to users, it performs one of the most critical roles inside an electric vehicle. It constantly monitors battery voltage, temperature, charging speed, cell balance and overall health. If unsafe conditions develop, the system can disconnect the battery to prevent overheating, overcharging or permanent damage.

What does a Battery Management System (BMS) actually do

Without a Battery Management System, modern lithium-ion batteries would be significantly less reliable and considerably less safe.Many manufacturers also enable Bluetooth connectivity so technicians—or sometimes vehicle owners—can monitor battery performance through a smartphone application instead of using specialised equipment.That convenience, however, introduces a new cybersecurity challenge.If the wireless connection lacks proper password protection, encryption or secure authentication, almost anyone standing nearby may be able to communicate with the battery.In vulnerable systems, that communication extends beyond simply viewing battery information.It may also include maintenance functions such as enabling or disabling battery discharge—the very feature now at the centre of the controversy.

How can an e-rickshaw be switched off remotely?

Contrary to viral claims online, nobody is “hacking” an e-rickshaw from kilometres away.The attacks reported so far rely on Bluetooth, meaning the person attempting to access the battery must remain physically close to the vehicle—typically within about 10 to 20 metres.

How an unsecured e-rickshaw battery can be switched off

The process is relatively straightforward on unsecured systems.When an e-rickshaw fitted with a vulnerable Bluetooth-enabled battery comes within range, the application scans for nearby Battery Management Systems.If the battery does not require authentication—or continues to use factory-default credentials—the application can establish a connection.Once connected, the user can access maintenance controls built into the BMS itself.One such maintenance function is controlling the battery’s discharge — essentially deciding whether the battery should supply power to the vehicle.That feature exists for legitimate servicing purposes.The problem begins when the same function becomes accessible to anyone nearby.

How does an app stop an e-rickshaw?

Apps such as BAT-BMS, Lossigy and Epoch i-ion could connect to certain unsecured battery systems because many low-cost battery manufacturers either left Bluetooth connections without passwords or relied on easily accessible factory-default credentials.Once connected, a user could simply disable battery discharge.The moment discharge is disabled, electrical power flowing from the battery to the motor stops.Although the battery itself remains physically intact, the vehicle immediately loses power and comes to a halt.Because the BMS, not the ignition key, has disconnected the battery, restarting the vehicle becomes impossible until someone reconnects to the battery and re-enables the discharge function.For drivers unfamiliar with the technology, the vehicle appears to have suffered a mysterious mechanical failure.That confusion has reportedly allowed some people to exploit stranded drivers by charging money simply to reconnect the battery through the same application.

Not every electric vehicle is vulnerable

One misconception that quickly spread after the controversy was that any electric vehicle could now be remotely switched off.That is simply not true.

Myth vs fact

The vulnerability exists only when several conditions are present simultaneously. The vehicle must use a Bluetooth-enabled lithium-ion battery, the BMS must permit wireless access, and adequate authentication or encryption must be absent.Many e-rickshaws in India still operate on lead-acid batteries, which do not include Bluetooth-enabled Battery Management Systems at all.Similarly, newer lithium-ion battery packs equipped with strong passwords, encrypted communication or manufacturer-specific software cannot typically be accessed through generic applications.Established manufacturers generally incorporate multiple cybersecurity layers separating the battery management system from the vehicle’s core electronic controls.

Which vehicles are more vulnerable

These systems also use encrypted communication and proprietary software architectures, making unauthorised access significantly more difficult.The controversy therefore does not expose a weakness across every electric vehicle. Instead, it highlights the cybersecurity risks associated with low-cost connected devices that prioritise affordability over digital security.

The human cost behind a “prank”

For many, what appeared online as a prank has had real-world consequences.E-rickshaws are often the primary source of income for drivers and their families.

One tap. Real consequences

One driver told IANS that his vehicle stopped working mid-journey and had to be pushed to a mechanic. He later learned the battery had been switched off digitally and paid around Rs 300 to restore it.In another case documented by social media influencer Amaan Siddiqui, a driver lost an entire day’s income after his vehicle remained disabled for hours.“He broke down and told me that he had lost an entire day’s earning,” Siddiqui said, as quoted by news agency ANI.For daily wage workers, even a few hours of downtime can mean missed rent payments or household expenses.

When a cyber issue becomes a road safety risk

The problem extends well beyond financial losses.Imagine an e-rickshaw suddenly losing power while crossing a busy intersection, negotiating heavy traffic or carrying elderly passengers.Although most reported incidents have ended without major injuries, cybersecurity experts warn that remotely disabling vehicles in motion creates obvious road safety risks.The government appears to share those concerns.Alongside removing the applications from app stores, authorities have begun examining cybersecurity safeguards used in battery-powered vehicles.Officials are also assessing whether similar vulnerabilities may exist in other connected transport systems.

Could this happen to electric cars too?

The controversy has inevitably raised a bigger question.If an e-rickshaw can be remotely disabled, could hackers eventually target electric cars?At present, experts say the answer is not in the same way.Most passenger electric vehicles use significantly more sophisticated battery management systems with multiple layers of cybersecurity.Communication between battery systems and vehicle electronics is typically encrypted, authenticated and integrated into secure vehicle networks.Generic Bluetooth applications cannot simply connect to these systems.However, cybersecurity researchers caution against complacency.Chechatwala notes that modern connected devices increasingly depend on wireless communication technologies including Bluetooth, Wi-Fi and radio-frequency systems.Where security is poorly designed, attackers may attempt replay attacks, relay attacks or protocol manipulation using specialised equipment.“The lesson is that every connected device—whether it is an e-rickshaw battery, a drone, a smart appliance or a connected vehicle—must be designed with security built in from the beginning,” he said.“As more physical devices become digitally connected, the attack surface also grows.”The government has similarly indicated that its review extends beyond e-rickshaws to examine safety protocols across increasingly software-driven vehicles.

Why cybersecurity experts aren’t surprised

The vulnerabilities exposed in India’s e-rickshaw ecosystem reflect concerns that researchers have been raising for years.A recent peer-reviewed paper published in IEEE Access, titled Battery Management System: Threat Modelling, Vulnerability Analysis, and Cybersecurity Strategy, argues that as Battery Management Systems become more connected, they also become more attractive targets for cyberattacks.

Weak BMS security can lead to

The study identifies numerous attack methods capable of disrupting battery systems, including malware injection, sensor manipulation, electromagnetic interference, jamming attacks and unauthorised wireless access.Researchers warn that successful attacks could trigger false alarms, disable safety mechanisms, interfere with battery operation or even create hazardous failures if adequate safeguards are absent.The paper recommends several protective measures that many cybersecurity specialists have long advocated, including encrypted communication, strong authentication, secure firmware updates, intrusion detection systems and hardware-based security features that prevent unauthorised access.Its broader conclusion is straightforward: battery cybersecurity can no longer be treated as an optional feature. As vehicles become increasingly connected, digital security becomes an essential part of physical safety.

A national security concern, not just a software bug

The controversy has also opened a wider debate about India’s digital infrastructure.Thousands of low-cost lithium-ion batteries used across the country rely on imported electronic components and software supplied by overseas manufacturers.Many of these systems were designed primarily for affordability and ease of maintenance rather than cybersecurity.That raises uncomfortable questions.Who controls the software inside these batteries?Who audits their security?Could similar vulnerabilities exist in larger fleets of connected vehicles or critical infrastructure?The current incidents appear to involve local misuse of unsecured Bluetooth connections rather than remote foreign interference. There is no public evidence that the affected apps were designed for malicious purposes.Nevertheless, cybersecurity experts argue that the episode demonstrates how weak security in imported connected devices can create vulnerabilities that extend beyond individual consumers.As India rapidly expands its electric mobility ecosystem, ensuring that connected hardware meets minimum cybersecurity standards may become as important as meeting mechanical or electrical safety norms.

The bigger lesson

More than an app problem

The BAT-BMS controversy is easy to dismiss as another viral internet prank.In reality, it exposes something far more significant.A software vulnerability capable of stopping a working person’s livelihood with a single tap is not merely a technological glitch. It highlights how digital systems increasingly control physical infrastructure that millions depend upon every day.Removing a handful of applications from app stores may reduce immediate misuse, but it does not automatically secure the vulnerable battery systems already operating on Indian roads.Ultimately, the lesson extends far beyond e-rickshaws.As vehicles, appliances and public infrastructure become smarter and more connected, cybersecurity is no longer just about protecting data. It is about protecting lives, livelihoods and public trust.

Do you think the recent e-rickshaw battery incidents reflect broader cybersecurity issues in electric vehicles?

3k+ users shared opinion today

5k+ users already voted today

3k+ users shared opinion today

Share Opinion

The real challenge is ensuring that the technologies powering India’s digital future are designed to be secure before they become indispensable.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *