One morning in Delhi, an e-rickshaw driver suddenly found his vehicle stranded in the middle of a busy road. There was no warning light, no smoke, no mechanical failure. The vehicle had simply stopped moving.Assuming it was a technical fault, he pushed it to a nearby mechanic. What followed surprised him. The mechanic opened a mobile application, tapped a few buttons, and the rickshaw came back to life within minutes.But the relief did not last.According to the driver’s account shared with news agency IANS, the same issue happened again while he was carrying passengers. Each time, the vehicle stopped without warning, and each time he lost earnings and had to pay to get it restarted.What initially looked like an isolated malfunction has now grown into a nationwide cybersecurity concern involving electric mobility, public safety, and digital security gaps in everyday transport.Viral videos circulating on social media show individuals using smartphone apps to remotely disable moving e-rickshaws.Following these reports, the ministry of electronics and information technology (MeitY) directed Google and Apple to remove several battery management applications, including BAT-BMS, Lossigy and Epoch i-ion, while reviewing their cybersecurity risks.At first glance, it appears to be a rogue app problem. But experts say the real issue runs deeper: insecure battery systems inside thousands of low-cost electric vehicles.
Why did the government step in?
The controversy escalated after videos showed people scanning nearby e-rickshaws and switching off their batteries mid-ride using Bluetooth-based apps.Drivers were often left stranded without understanding what had happened. In many cases, they assumed a mechanical fault and paid mechanics to restart the vehicle, only to later learn that the battery had been digitally switched off.Following these incidents, MeitY ordered app removals and began investigating cybersecurity implications.The Delhi transport department has also launched a probe, while police in cities like Ujjain have registered cases where miscreants allegedly disabled vehicles and demanded money to restore them.Officials have clarified that the concern is not limited to one app, but whether connected vehicle systems can be exploited in the first place.
BAT-BMS isn’t really the problem
Cybersecurity experts caution against focusing only on the app.The BAT-BMS application was originally developed by Shenzhen Grenergy Technology for monitoring lithium-ion batteries. It allows users to track voltage, temperature, current flow, charging cycles and battery health. It also includes maintenance features such as enabling or disabling battery discharge.The controversy arises when such controls become accessible to unauthorised users.Certified ethical hacker Abdultaiyeb Chechatwala told TOI that the issue lies in the system design, not the app itself.“The problem is not the name of the app. It is the logic behind how the Battery Management System accepts commands,” he said.According to Chechatwala, several low-cost battery manufacturers use generic software supplied by third-party vendors that lacks robust encryption and authentication. If the BMS accepts commands from any nearby device without verifying identity, almost any compatible application could potentially communicate with it.He says manufacturers should have implemented encryption, secure key exchange and proper authentication so that only authorised users could access battery controls.“Without these safeguards, anyone within communication range who understands the protocol may attempt to interact with the system,” he said.This means removing one app does not eliminate the vulnerability.
What exactly is a Battery Management System?
Every lithium-ion battery pack contains an electronic controller known as a Battery Management System, or BMS.Although largely invisible to users, it performs one of the most critical roles inside an electric vehicle. It constantly monitors battery voltage, temperature, charging speed, cell balance and overall health. If unsafe conditions develop, the system can disconnect the battery to prevent overheating, overcharging or permanent damage.

Without a Battery Management System, modern lithium-ion batteries would be significantly less reliable and considerably less safe.Many manufacturers also enable Bluetooth connectivity so technicians—or sometimes vehicle owners—can monitor battery performance through a smartphone application instead of using specialised equipment.That convenience, however, introduces a new cybersecurity challenge.If the wireless connection lacks proper password protection, encryption or secure authentication, almost anyone standing nearby may be able to communicate with the battery.In vulnerable systems, that communication extends beyond simply viewing battery information.It may also include maintenance functions such as enabling or disabling battery discharge—the very feature now at the centre of the controversy.
How can an e-rickshaw be switched off remotely?
Contrary to viral claims online, nobody is “hacking” an e-rickshaw from kilometres away.The attacks reported so far rely on Bluetooth, meaning the person attempting to access the battery must remain physically close to the vehicle—typically within about 10 to 20 metres.

The process is relatively straightforward on unsecured systems.When an e-rickshaw fitted with a vulnerable Bluetooth-enabled battery comes within range, the application scans for nearby Battery Management Systems.If the battery does not require authentication—or continues to use factory-default credentials—the application can establish a connection.Once connected, the user can access maintenance controls built into the BMS itself.One such maintenance function is controlling the battery’s discharge — essentially deciding whether the battery should supply power to the vehicle.That feature exists for legitimate servicing purposes.The problem begins when the same function becomes accessible to anyone nearby.
How does an app stop an e-rickshaw?
Apps such as BAT-BMS, Lossigy and Epoch i-ion could connect to certain unsecured battery systems because many low-cost battery manufacturers either left Bluetooth connections without passwords or relied on easily accessible factory-default credentials.Once connected, a user could simply disable battery discharge.The moment discharge is disabled, electrical power flowing from the battery to the motor stops.Although the battery itself remains physically intact, the vehicle immediately loses power and comes to a halt.Because the BMS, not the ignition key, has disconnected the battery, restarting the vehicle becomes impossible until someone reconnects to the battery and re-enables the discharge function.For drivers unfamiliar with the technology, the vehicle appears to have suffered a mysterious mechanical failure.That confusion has reportedly allowed some people to exploit stranded drivers by charging money simply to reconnect the battery through the same application.
Not every electric vehicle is vulnerable
One misconception that quickly spread after the controversy was that any electric vehicle could now be remotely switched off.That is simply not true.

The vulnerability exists only when several conditions are present simultaneously. The vehicle must use a Bluetooth-enabled lithium-ion battery, the BMS must permit wireless access, and adequate authentication or encryption must be absent.Many e-rickshaws in India still operate on lead-acid batteries, which do not include Bluetooth-enabled Battery Management Systems at all.Similarly, newer lithium-ion battery packs equipped with strong passwords, encrypted communication or manufacturer-specific software cannot typically be accessed through generic applications.Established manufacturers generally incorporate multiple cybersecurity layers separating the battery management system from the vehicle’s core electronic controls.

These systems also use encrypted communication and proprietary software architectures, making unauthorised access significantly more difficult.The controversy therefore does not expose a weakness across every electric vehicle. Instead, it highlights the cybersecurity risks associated with low-cost connected devices that prioritise affordability over digital security.
The human cost behind a “prank”
For many, what appeared online as a prank has had real-world consequences.E-rickshaws are often the primary source of income for drivers and their families.

One driver told IANS that his vehicle stopped working mid-journey and had to be pushed to a mechanic. He later learned the battery had been switched off digitally and paid around Rs 300 to restore it.In another case documented by social media influencer Amaan Siddiqui, a driver lost an entire day’s income after his vehicle remained disabled for hours.“He broke down and told me that he had lost an entire day’s earning,” Siddiqui said, as quoted by news agency ANI.For daily wage workers, even a few hours of downtime can mean missed rent payments or household expenses.
When a cyber issue becomes a road safety risk
The problem extends well beyond financial losses.Imagine an e-rickshaw suddenly losing power while crossing a busy intersection, negotiating heavy traffic or carrying elderly passengers.Although most reported incidents have ended without major injuries, cybersecurity experts warn that remotely disabling vehicles in motion creates obvious road safety risks.The government appears to share those concerns.Alongside removing the applications from app stores, authorities have begun examining cybersecurity safeguards used in battery-powered vehicles.Officials are also assessing whether similar vulnerabilities may exist in other connected transport systems.
Could this happen to electric cars too?
The controversy has inevitably raised a bigger question.If an e-rickshaw can be remotely disabled, could hackers eventually target electric cars?At present, experts say the answer is not in the same way.Most passenger electric vehicles use significantly more sophisticated battery management systems with multiple layers of cybersecurity.Communication between battery systems and vehicle electronics is typically encrypted, authenticated and integrated into secure vehicle networks.Generic Bluetooth applications cannot simply connect to these systems.However, cybersecurity researchers caution against complacency.Chechatwala notes that modern connected devices increasingly depend on wireless communication technologies including Bluetooth, Wi-Fi and radio-frequency systems.Where security is poorly designed, attackers may attempt replay attacks, relay attacks or protocol manipulation using specialised equipment.“The lesson is that every connected device—whether it is an e-rickshaw battery, a drone, a smart appliance or a connected vehicle—must be designed with security built in from the beginning,” he said.“As more physical devices become digitally connected, the attack surface also grows.”The government has similarly indicated that its review extends beyond e-rickshaws to examine safety protocols across increasingly software-driven vehicles.
Why cybersecurity experts aren’t surprised
The vulnerabilities exposed in India’s e-rickshaw ecosystem reflect concerns that researchers have been raising for years.A recent peer-reviewed paper published in IEEE Access, titled Battery Management System: Threat Modelling, Vulnerability Analysis, and Cybersecurity Strategy, argues that as Battery Management Systems become more connected, they also become more attractive targets for cyberattacks.

The study identifies numerous attack methods capable of disrupting battery systems, including malware injection, sensor manipulation, electromagnetic interference, jamming attacks and unauthorised wireless access.Researchers warn that successful attacks could trigger false alarms, disable safety mechanisms, interfere with battery operation or even create hazardous failures if adequate safeguards are absent.The paper recommends several protective measures that many cybersecurity specialists have long advocated, including encrypted communication, strong authentication, secure firmware updates, intrusion detection systems and hardware-based security features that prevent unauthorised access.Its broader conclusion is straightforward: battery cybersecurity can no longer be treated as an optional feature. As vehicles become increasingly connected, digital security becomes an essential part of physical safety.
A national security concern, not just a software bug
The controversy has also opened a wider debate about India’s digital infrastructure.Thousands of low-cost lithium-ion batteries used across the country rely on imported electronic components and software supplied by overseas manufacturers.Many of these systems were designed primarily for affordability and ease of maintenance rather than cybersecurity.That raises uncomfortable questions.Who controls the software inside these batteries?Who audits their security?Could similar vulnerabilities exist in larger fleets of connected vehicles or critical infrastructure?The current incidents appear to involve local misuse of unsecured Bluetooth connections rather than remote foreign interference. There is no public evidence that the affected apps were designed for malicious purposes.Nevertheless, cybersecurity experts argue that the episode demonstrates how weak security in imported connected devices can create vulnerabilities that extend beyond individual consumers.As India rapidly expands its electric mobility ecosystem, ensuring that connected hardware meets minimum cybersecurity standards may become as important as meeting mechanical or electrical safety norms.

More than an app problem
The BAT-BMS controversy is easy to dismiss as another viral internet prank.In reality, it exposes something far more significant.A software vulnerability capable of stopping a working person’s livelihood with a single tap is not merely a technological glitch. It highlights how digital systems increasingly control physical infrastructure that millions depend upon every day.Removing a handful of applications from app stores may reduce immediate misuse, but it does not automatically secure the vulnerable battery systems already operating on Indian roads.Ultimately, the lesson extends far beyond e-rickshaws.As vehicles, appliances and public infrastructure become smarter and more connected, cybersecurity is no longer just about protecting data. It is about protecting lives, livelihoods and public trust.
Do you think the recent e-rickshaw battery incidents reflect broader cybersecurity issues in electric vehicles?
3k+ users shared opinion today
5k+ users already voted today
3k+ users shared opinion today
Share Opinion
The real challenge is ensuring that the technologies powering India’s digital future are designed to be secure before they become indispensable.
