Govt probing BAT-BMS app, hacking E-rickshaw could entail 3 yrs jail, Rs 5 lakh fine


Earlier this week, a video went viral on social media. The clip showed how you could easily connect to a 3-wheeler, or e-rickshaw as some call it, with your phone, and then shut it down in the middle of the road. Soon, dozens of videos surfaced online of people allegedly using this “hack” to shut down 3-wheelers around them. All of this can happen via apps like BAT-BMS and Epoch Li-ion, which let you connect to certain 3-wheelers via Bluetooth and get remote access. But using such an app can land you in trouble.

Pavan Duggal, a cyberlaw expert and chairman of the International Commission on Cyber Security Law, says that trying to connect to or shut down an e-rickshaw with such an app is a legal offense. He told ANI, “I am very clear this is not a game, this is an offense under section 66 read with section 43 of the Information Technology Act 2000 because this is an activity that’s done dishonestly or fraudulently where people enter into the computer system of its e-rickshaw without the consent or the knowledge of the owner.”

If you try to use BAT-BMS or a similar app to hack into someone’s vehicle, you can end up in jail. Duggal added, “This is punishable with 3 years imprisonment and a fine worth Rs 5 lakh.”

The hack may seem funny to those who are using it to disable e-rickshaws, but it can be dangerous. A vehicle, when stopped in the middle of the road, can be a danger not just to its occupants but even other vehicles around it. On top of that, this also hampers the livelihood of e-rickshaw drivers who are likely trying to make a living by carrying passengers.

The situation around BAT-BMS has reached a point where people have started writing letters to IT Minister Ashwini Vaishnaw. National Secretary of BJP’s youth wing, Tajinder Bagga, shared his letter to Vaishnaw on X. He wrote, “My letter to Union IT Minister Ashwini Vaishnaw ji seeking an immediate ban on the BAT-BMS app, which is being misused to remotely disable e-rickshaws and electric vehicles via Bluetooth.”

A screenshot of Tajinder Bagga’s post regarding the letter.

The Ministry of Electronics and Information Technology (MeitY) has taken action already. BAT-BMS, Epoch Li-ion, and Lossigy have been removed from the Google Play Store and the Apple App Store, with plans to block any other app that may also be misused in a similar way. MeitY is probing both apps, with plans to fix vulnerabilities that allowed users to hack into 3-wheelers in the first place. But how did this actually happen to begin with?

Bluetooth hack that shut down E-rickshaws

Apps like BAT-BMS are designed for a genuine purpose. BAT-BMS in particular was developed by Chinese company Shenzhen Grenergy Technology as a Battery Management System (BMS) monitoring app. The app allows you to keep track of Bluetooth-enabled lithium batteries – the kind of batteries you find on some e-rickshaws and two-wheelers in India.

BAT-BMS can display information such as battery charge, voltage, current, temperature, cycle life and the health of individual battery cells. What the app also lets you do is control charging and discharging functions on compatible batteries via Bluetooth. And this is where the viral hack comes into play.

You see, some Indian e-rickshaws, or even two-wheelers, come with Chinese-sourced Bluetooth-enabled BMS units that have little or no password protection. It is likely that many e-rickshaw owners either did not add password protection or were not aware that such a system existed in the first place.

If such a battery is unsecured, anyone standing within Bluetooth range, usually roughly 10 to 15 metres, may be able to connect to it and turn off the battery’s discharge function. Since the discharge function supplies power to the motor, disabling it can immediately stop the vehicle. And this is exactly how someone can shut down an e-rickshaw in the middle of the road.

What makes this particularly dangerous is that anyone can control an e-rickshaw without having any knowledge of hacking. Mandar Patil, executive vice president at Cyble, tells India Today Tech, “To perform this operation you do not need to perform any type of hacking, there is no requirement for malware. And you do not require access to the internet.”

What this means for EVs in India

While the government is examining how it can fix this vulnerability, those who drive e-rickshaws with such a BMS need to follow some precautions. Anirban Mukherji, founder and CEO of cybersecurity firm miniOrange, tells India Today Tech, “Drivers should keep Bluetooth disabled when it is not required, use only authorised service applications, install firmware updates provided by the manufacturer, and report any unusual vehicle behaviour immediately.” He adds, “Manufacturers also have a critical responsibility to implement secure authentication and encrypted communication to minimise these risks.”
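The manufacturer-side fix described above, sketched as an added example (not code from this article or from any BMS vendor): a device-side gate in which the discharge switch changes only on a fresh HMAC proof from the owner's app, so a nearby phone without the per-unit key cannot toggle it. The opcodes, the per-unit key, the open telemetry read and the lockout threshold are assumptions made for this model.

```python
import hashlib
import hmac
import secrets

# Hypothetical opcodes for this model; not taken from any real BMS protocol.
READ_TELEMETRY, SET_DISCHARGE = 0x01, 0x02
MAX_FAILURES = 5  # assumed threshold; unit stays locked until a physical reset


def sign(key: bytes, nonce: bytes, opcode: int, arg: int) -> bytes:
    """Owner-app side: bind the proof to this nonce and this exact command."""
    return hmac.new(key, nonce + bytes([opcode, arg]), hashlib.sha256).digest()


class BmsGate:
    """Device-side model: telemetry is readable, control needs a fresh proof."""

    def __init__(self, unit_key: bytes):
        self.unit_key = unit_key   # per-unit secret, never a shared factory default
        self.nonce = None          # outstanding challenge, valid for one command
        self.failures = 0
        self.discharge_on = True

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def handle(self, opcode: int, arg: int = 0, proof: bytes = b"") -> str:
        if opcode == READ_TELEMETRY:
            return "telemetry"
        if opcode != SET_DISCHARGE:
            return "rejected: unknown opcode"
        if self.failures >= MAX_FAILURES:
            return "rejected: locked out"
        nonce, self.nonce = self.nonce, None  # consume it: proofs cannot be replayed
        if nonce is None:
            return "rejected: no challenge outstanding"
        expected = sign(self.unit_key, nonce, opcode, arg)
        if not hmac.compare_digest(expected, proof):  # constant-time compare
            self.failures += 1
            return "rejected: bad proof"
        self.failures = 0
        self.discharge_on = bool(arg)
        return "ok"
```

Failed or unauthenticated commands leave `discharge_on` unchanged, so the model fails toward keeping the vehicle powered.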

That is not to say that every e-rickshaw is at risk. Many still run on traditional lead-acid batteries, which do not support Bluetooth connectivity. Some manufacturers also use proprietary battery management systems that require their own dedicated apps rather than BAT-BMS. In such vehicles, you likely cannot use a universal app to get control of their batteries.

However, Bharat Krishna Rao, co-founder and CEO of EV startup Emobi, says that other types of vehicles may also be vulnerable to similar cases if things don’t change. “As EVs become increasingly software-driven, similar vulnerabilities can emerge across two-wheelers, passenger vehicles, and commercial fleets whenever Bluetooth, telematics, or remote battery controls are involved,” he tells India Today Tech.

Krishna Rao reckons that authorities should have stricter mechanisms to evaluate such technology. He explains, “Authorities should instruct transparent disclosures, cybersecurity testing, secure defaults and clear grievance mechanisms.”

Since the entire ordeal stems from batteries used in vehicles by manufacturers, Mandar Patil believes this may be a wake-up call for the industry. He adds, “If electric vehicle manufacturers do not begin to take a more secure design approach we will continue to see these types of attacks evolve as attacker capability continues to increase.” Patil says that if the right steps are not taken now then India’s “e-highways may become a target for hijackers.”

– Ends

Published By: Armaan Agarwal

Published On: Jul 3, 2026 15:38 IST


