The Cybersecurity Blind Spot in India’s EV Transition | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware


Recent viral videos from India show people using a mobile phone app to shut down e-rickshaws in everyday traffic. At first glance, the videos seemed almost staged. A person would open an app, connect to a nearby battery-management system over Bluetooth, and then disable the battery. More alarming was how little it required: proximity, Bluetooth access, and a consumer app.

Reports later confirmed that the videos were real. Certain battery-management apps could reportedly switch off an e-rickshaw’s battery, leaving the vehicle immobilised until it was restarted through the same app.

The incident should not be treated merely as a prank or even as an app-store moderation problem. It warrants closer attention because it reveals the cybersecurity and safety risks emerging within India’s rapidly expanding electric mobility ecosystem.

The incident should not be treated merely as a prank or even as an app-store moderation problem. It warrants closer attention because it reveals the cybersecurity and safety risks emerging within India’s rapidly expanding electric mobility ecosystem.

The Battery-Security Vulnerability

The app at the centre of the controversy is BAT-BMS. Its Play Store description says that the app allows users to connect wirelessly to Bluetooth-enabled batteries, monitor battery status, track cycle life, and view details such as charge level, voltage, current, cell voltage, and temperature. The listing also states that the app uses Bluetooth Low Energy and operates within a range of up to 15 metres. None of this is inherently problematic. Such features can be useful for owners, mechanics, fleet operators, and manufacturers.

The problem is that some battery-management configurations appear to expose control functions without adequate authentication. As a result, the app could reportedly be used to remotely disable the discharge function of batteries that are used in e-rickshaws. While BAT-BMS has received the most attention, other apps, such as Epoch Li-ion, can reportedly be used to shut down batteries. This suggests that the vulnerability extends beyond a single app to the battery-management systems themselves.

From Viral Prank to Public-Safety Risk

The shutdowns were not limited to one or two isolated videos. Reports described e-rickshaw drivers suddenly finding their vehicles dead in the middle of traffic, without any obvious mechanical fault. In some cases, the act was filmed and shared online as entertainment. Reports also suggest that similar interference may have affected an electric scooter. If verified, this would suggest that the vulnerability may extend beyond e-rickshaws and that a wider class of connected mobility components may have entered the market without adequate security safeguards.

The trend of shutting down batteries appears to have started as a form of “vigilantism”, with some individuals claiming that e-rickshaws were flouting traffic rules and creating disorder on the roads.

Using the app to disable e-rickshaws became their mode of ‘justice’, and it then expanded into a social media stunt, with people filming shutdowns to gain views and followers. There are also indications that similar vulnerabilities can be used for local extortion, with miscreants allegedly locking vehicles and then charging drivers to restart or unlock them.

For commuters or people watching these videos online, this may look like a strange internet trend. For drivers, it can mean lost income, repair costs, humiliation, and physical risk. Even a payment of INR 300 to unlock a battery can be significant for an e-rickshaw driver working on thin daily margins.

More importantly, stopping an e-rickshaw in the middle of traffic can put the driver, passengers, and other road users at risk. This is the very danger the vigilantes claimed they were trying to address.

Cyber Risk as Social Risk

E-rickshaws are often criticised in Indian cities. They are seen as disorderly, poorly regulated, and a contributor to congestion. These concerns are valid, but they should not obscure the important role e-rickshaws play in urban mobility.

Across Indian cities, e-rickshaws provide essential last-mile connectivity, linking people to metro stations, markets, residential colonies, bus stops, and workplaces. They remain affordable for commuters, support livelihoods for thousands of drivers, and are less polluting than many conventional transport options. A 2019 report suggested that over 60 million people use e-rickshaws every day.

According to WRI India, the Government of India’s Vahan dashboard recorded over 18.1 lakh registered e-rickshaws across the country as of November 2024. This scale matters. Insecure battery systems are no longer a niche technical issue; they affect public safety and livelihoods across India’s EV ecosystem.

There is also a class dimension to this debate.  E-rickshaws are used largely by people who depend on affordable public or shared transport. Their drivers often come from lower-income backgrounds and work with limited financial security. Treating them as easy targets for vigilantism reflects a wider disregard for the mobility and livelihoods of poorer urban residents.

The costs of insecure design are often borne by those least able to absorb them. In this case, the immediate burden of a weak battery management system fell not on manufacturers or app developers, but on e-rickshaw drivers who lost income, time, and mobility.

Beyond App Bans: The Real Security Problem

The Indian government’s response was swift. The Centre has directed the removal of multiple battery-management apps from app stores, including BAT-BMS and Epoch Li-ion. The Ministry of Electronics and Information Technology (MeitY) Secretary, S. Krishnan, further noted that the government would take up the issue with app stores to help prevent potentially harmful applications from becoming available to the public. As an emergency containment measure, this was understandable. Once such misuse goes viral, app takedowns can reduce immediate harm.

App removal, however, is not a structural fix. It addresses the immediate misuse rather than the underlying vulnerability. It is an emergency response to a deeper systemic problem. If a battery-management system accepts unauthorised Bluetooth commands, removing one app will not solve the problem. The same functionality can easily be replicated as long as the battery hardware and firmware remain vulnerable. The barrier to developing similar applications is low, especially where the underlying device accepts unauthorised commands.

Device-level security, therefore, matters more than app-level suppression. If a battery management system accepts unauthorised commands from a stranger, the problem cannot be limited to the app alone. Responsibility extends beyond the app to BMS suppliers, battery makers, vehicle assemblers, importers, and app stores. Without a clearer chain of responsibility, these incidents will continue to be framed as app-level issues, rather than as broader failures in system design and governance.

For safety-relevant connected components, cybersecurity can no longer be treated as an afterthought. It must become part of product approval, standards, and post-sale accountability. A remotely controlled battery is a digital system embedded inside a vehicle. If left insecure, it can threaten livelihoods, road safety, and trust in electric mobility. This is especially important as Indian cities accelerate EV adoption through incentives and policy support.

EV policy must go beyond subsidies and infrastructure to ensure components are safe and secure.

A Wider Warning

More broadly, the BAT-BMS incident may appear small, but it carries a larger warning. Cyber vulnerabilities can emerge in a wide range of connected devices, including e-rickshaws, scooters, chargers, home appliances, medical devices, and industrial equipment. As everyday devices become connected, cybersecurity moves beyond phones, computers, and databases to encompass physical safety and daily livelihoods.

The lesson is not to reject smart batteries or connected devices, but to ensure that they are secure and safe by design. After all, a device should not become ‘smart’ at the cost of becoming unsafe.

While the vulnerability surfaced in batteries this time, it could emerge tomorrow in another device, vehicle, or piece of equipment. The episode should draw attention to the risks across digital ecosystems, where cybersecurity is too often overlooked as a core design requirement. There may also be a cost-cutting dimension. In low-cost electric vehicles and aftermarket battery systems, security protections may be poorly assessed, treated as optional, or ignored to keep prices down.

The lesson is not to reject smart batteries or connected devices, but to ensure that they are secure and safe by design. After all, a device should not become ‘smart’ at the cost of becoming unsafe

What Next?

The BAT-BMS episode offers three lessons for India’s connected-device governance. First, digital vigilantism cannot become a substitute for public regulation. If e-rickshaws violate traffic rules, the answer is better enforcement, not private individuals remotely disabling vehicles on the road. Such acts should be treated as interference with mobility and public safety, not as harmless online pranks.

India’s EV transition will depend not only on how quickly vehicles are electrified, but also on whether the digital systems inside them are secure enough to be trusted.

Second, India needs minimum cybersecurity requirements for connected mobility components. App-store takedowns may reduce immediate harm, but they must be paired with device-level remediation. Manufacturers, importers, and battery suppliers should be encouraged — or, where necessary, required — to identify affected BMS models, issue firmware fixes where possible, and provide guidance to drivers and fleet operators.

Third, India needs a broader review of its low-cost connected-device ecosystem. Batteries, chargers, smart meters, appliances, medical devices, and industrial sensors are entering homes, roads, workplaces, and public infrastructure at an unprecedented pace. Policymakers, manufacturers, app stores, standards bodies, and regulators should identify similar vulnerabilities before they are exploited at scale.

India’s EV transition will depend not only on how quickly vehicles are electrified, but also on whether the digital systems inside them are secure enough to be trusted. 


Basu Chandola is an Associate Fellow at the Observer Research Foundation.

The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.

——————————————————-


Click Here For The Original Source.

National Cyber Security

FREE
VIEW