AI Generated

How a Battery App Left E-Rickshaws Stranded Mid-Ride and Exposed a Serious Security Flaw

Weak Bluetooth security exposed e-rickshaw batteries, disrupting drivers' livelihoods before developers introduced password protection nationwide.

A security flaw in a Bluetooth-enabled Battery Management System (BMS) used in several lithium battery-powered e-rickshaws briefly allowed unauthorised users to remotely disable vehicles, leaving drivers stranded in the middle of trips and disrupting their livelihoods.

The issue, investigated by India Today’s Open Source Intelligence (OSINT) team, was linked to the BAT-BMS mobile application developed by Shenzhen Grenergy Technology Co., Ltd., which reportedly exposed critical battery controls without adequate authentication.

Videos of e-rickshaws stopping unexpectedly went viral across X (formerly Twitter) and other social media platforms, where many users treated the incidents as entertainment.

However, for drivers, the disruption meant confusion, loss of income, traffic congestion and strained interactions with passengers who were unable or unwilling to complete fares.

Battery manufacturers and dealers acknowledged that earlier versions of the system lacked password protection but said updated versions now include authentication features.

The application has since reportedly been updated to require passwords before users can access functions capable of affecting a vehicle, bringing the immediate issue under control while raising broader questions about cybersecurity, product design and consumer awareness in India’s rapidly growing electric mobility ecosystem.

When Technology Turns Against Livelihoods

According to India Today’s investigation, the problem centred on the Battery Management System (BMS), an electronic circuit built into modern lithium batteries that continuously monitors battery voltage, temperature, charging status and overall health.

Many such BMS units are equipped with Bluetooth Low Energy (BLE), enabling users to monitor battery performance through a smartphone application.

While these functions are intended for diagnostics, maintenance, battery protection and theft prevention, certain systems also allow users to remotely enable or disable the battery’s discharge circuit. Disabling this circuit interrupts power supply to the motor controller, causing an e-rickshaw to stop operating.

The investigation suggested that the BAT-BMS application initially lacked adequate authentication, allowing nearby individuals within Bluetooth range to connect to compatible batteries and access control functions.

Several videos subsequently surfaced online showing moving e-rickshaws abruptly stopping, with bewildered drivers attempting to restart their vehicles while passengers looked on.

Speaking to India Today, one affected driver said, “It was happening so randomly. My e-rickshaw stopped at least seven or eight times. We did not know what was happening.” Another driver recalled that passengers refused to pay because the vehicle failed to complete the journey, adding that stalled rickshaws also contributed to traffic congestion. Many drivers admitted they had little understanding of the underlying technology and were unaware that their batteries even supported password protection.

Manufacturers and dealers pointed to another significant issue: lack of awareness. One major battery manufacturer reportedly acknowledged that earlier systems “did not have any password protection and were open to connect with”, while adding that updated versions now include password protection.

A dealer further explained that drivers generally use the application only to monitor battery percentage and therefore are not usually provided with login credentials or passwords.

This gap between technological capability and user awareness meant that drivers neither knew how to secure their systems nor how to respond when unauthorised users exploited the vulnerability.

A Wake-Up Call for Connected Mobility

Beyond the viral videos, the episode exposed a wider challenge facing connected electric vehicles and smart mobility devices. As batteries, charging systems and vehicle components become increasingly digitised, cybersecurity is becoming as important as mechanical reliability.

The US National Institute of Standards and Technology (NIST), in its Guide to Bluetooth Security (Special Publication 800-121 Revision 1), cautions that Bluetooth implementations lacking authentication and encryption safeguards may permit unauthorised access from nearby devices.

Systems operating without appropriate authentication mechanisms are considered insecure because they fail to adequately protect communications or restrict access to sensitive functions.

India Today’s OSINT team noted that while it could not independently verify the exact security configuration of every affected battery, its on-ground reporting suggested that the vulnerability existed and has now largely been addressed.

The BAT-BMS application reportedly disappeared from the Google Play Store shortly after the issue gained widespread attention, before returning with an updated version dated July 1 that now requires password authentication for access to critical controls.

Although the immediate security gap appears to have been patched, the incident has reignited discussions about cybersecurity standards for connected devices, manufacturer responsibility, software testing, dealer transparency and user education.

Experts have long argued that as India’s electric mobility sector expands rapidly, digital safety must become a core component of product design rather than an afterthought, particularly when software vulnerabilities have the potential to directly affect public safety and people’s livelihoods.

Notably, no government agency had issued a detailed public statement on the incident at the time of India Today’s report. The responses instead came primarily from battery manufacturers and dealers, who acknowledged earlier shortcomings and highlighted the introduction of password-protected updates.

The episode nevertheless underscores the growing need for stronger cybersecurity oversight, standardised security requirements and clearer consumer guidance for connected vehicle technologies.

The Logical Indian’s Perspective

The incident serves as a reminder that behind every viral clip is a real person whose daily life and livelihood may be affected.

While social media often rewards novelty and humour, the videos of stranded e-rickshaws reflected more than an internet prank; they highlighted how technological vulnerabilities, poor communication and inadequate security practices can disproportionately impact workers who depend on these vehicles to support their families.

Innovation should empower people, not expose them to avoidable risks or leave them vulnerable because they were never informed about the technology they rely upon.
