One morning in Delhi, an e-rickshaw driver discovered that his vehicle had suddenly stopped in the middle of a busy road. There were no warning signals, smoke, or signs of mechanical failure—the machine simply ceased to move.
Assuming it was a technical fault, he took it to a local mechanic. However, subsequent events surprised him: the mechanic opened a mobile application, pressed a few buttons, and within minutes, the rickshaw started working again.
Scale of the Problem
But the relief was short-lived. According to the driver, whose information was passed to the news agency IANS, a similar situation occurred when he was transporting passengers. Each time, the vehicle would stop without warning, leading to loss of income and the need to pay for restarting it.
What initially seemed like an isolated glitch turned into a nationwide cybersecurity issue affecting electric mobility, public safety, and gaps in the digital protection of everyday transport.
Government and Expert Reaction
Viral videos on social media show people using applications to remotely disable moving e-rickshaws. Following these reports, the Ministry of Electronics and Information Technology (MeitY) instructed Google and Apple to remove several battery management applications, including BAT-BMS, Lossigy, and Epoch i-ion, while simultaneously investigating their cybersecurity risks.
At first glance, the problem appears to be a malfunction in a specific application. However, experts argue that the root cause is deeper—it lies in the unsecured battery systems installed in thousands of inexpensive electric vehicles.
How the Hack Occurs
The conflict intensified after videos surfaced showing people scanning nearby e-rickshaws and disabling their batteries while in motion using Bluetooth-based applications. Drivers often found themselves stranded, unaware of the reason for the stop. Many mistakenly assumed it was a breakdown and paid mechanics for repairs, only later learning that the battery had been disabled remotely.
Following these incidents, MeitY ordered the removal of the applications and began investigating the cybersecurity implications. The Delhi Transport Department also launched an inquiry, and police in cities like Uddhain registered cases regarding alleged attackers disabling vehicles and demanding money for their restart.
Core System Vulnerability
Cybersecurity experts caution against focusing solely on the application. The BAT-BMS application was originally developed by Shenzhen Grenergy Technology to monitor lithium-ion batteries. It allows users to track voltage, temperature, current, charging cycles, and battery status, and includes maintenance functions such as enabling or disabling battery discharge.
The problem arises when this control becomes accessible to unauthorized users. Certified ethical hacker Abdultaiyeb Chechatwala told TOI that the issue lies in the system architecture itself, not the application. He noted: 'The problem is not in the name of the application. It is in the logic of how the Battery Management System accepts commands.'
According to Chechatwala, many manufacturers of inexpensive batteries use generic software from third-party suppliers that lacks robust encryption and authentication. If the BMS accepts commands from any nearby device without identity verification, almost any compatible application can interact with it. He emphasized that manufacturers should have implemented encryption, secure key exchange, and proper authentication so that only authorized users could access battery management.
Battery Management System Functions
Each lithium-ion battery pack contains an electronic controller known as the Battery Management System (BMS). Although hidden from users, it performs one of the most critical functions in an electric vehicle. The BMS constantly monitors voltage, temperature, charging rate, cell balancing, and overall battery health. If unsafe conditions arise, the system can disconnect the battery to prevent overheating, overcharging, or irreversible damage.
Many manufacturers also enable Bluetooth connectivity, allowing technicians or vehicle owners to monitor battery performance via a smartphone instead of specialized equipment. However, this convenience creates a new challenge in cybersecurity. If the wireless connection is not properly secured with a password, encryption, or secure authentication, virtually anyone nearby can connect to the battery.
Remote Disconnection Mechanism
It is important to note that, contrary to viral claims, no one is 'hacking' an e-rickshaw from kilometers away. The reported attacks are based on Bluetooth, which requires the person attempting to access the battery to be physically close to the vehicle—usually within 10–20 meters. The process is relatively simple on unsecured systems.
When an e-rickshaw with a vulnerable, Bluetooth-enabled battery is within range, the application scans for nearby BMS systems. If the battery does not require authentication or continues to use default factory credentials, the application can establish a connection. After connecting, the user gains access to maintenance functions built into the BMS itself. One such function is controlling battery discharge, meaning deciding whether the battery should supply power to the vehicle.
Consequences of Power Loss
The problem occurs when this function becomes available to anyone nearby. Applications like BAT-BMS, Lossigy, and Epoch i-ion could connect to some unsecured battery systems because many manufacturers of inexpensive batteries either left Bluetooth connections without passwords or relied on easily accessible factory credentials. Once the connection is established, the user can simply disable the battery discharge. At the moment of power disconnection from the battery to the motor, the vehicle stops immediately. Since the battery is disconnected by the BMS, not the ignition, restarting the vehicle is impossible until someone restores the connection to the battery and re-enables the discharge function.
Risks to Life and Business
For drivers unfamiliar with technology, the vehicle appears to have suffered a mysterious mechanical failure. This confusion, it is reported, allowed some individuals to exploit stranded drivers, demanding money just to restore the battery connection through the same application.
Although not every electric vehicle is vulnerable, this situation highlights the risks associated with inexpensive connected devices where accessibility is prioritized over digital security. For many people, what looked like a joke online had real consequences. E-rickshaw drivers often depend on this transport as their primary source of income. One driver told IANS that after his vehicle was stopped, he learned the battery had been digitally disabled and paid about 300 rupees to restore it. Another case, documented by influencer Aaman Siddiqui, showed a driver losing a whole day's income while his vehicle remained non-operational for hours.
The Future of Electric Vehicles
The question arises: if an e-rickshaw can be remotely disabled, could hackers eventually target electric cars? Experts believe the answer is different now. Most passenger electric vehicles use significantly more complex battery management systems with multiple layers of cybersecurity. The connection between the battery systems and the vehicle's electronics is usually encrypted, authenticated, and integrated into secure automotive networks. Generic Bluetooth applications cannot simply connect to these systems.
Nevertheless, cybersecurity researchers caution against complacency. Chechatwala notes that modern connected devices increasingly rely on wireless communication technologies, including Bluetooth, Wi-Fi, and radio frequency systems. Where security is poorly designed, attackers may attempt replay, relay, or protocol manipulation attacks using specialized equipment. He concludes: 'The lesson is that every connected device—whether it is an e-rickshaw battery, a drone, a smart appliance, or a connected car—must be designed with security in mind from the beginning. As more physical devices become digital, the attack surface expands.'

