Videos spreading across Indian social media this week showed people using freely available mobile apps to remotely disable electric rickshaws and loaders while drivers were mid-trip. The trick required no hacking skill: anyone within roughly 10 to 15 metres could connect to a vehicle's battery management system over Bluetooth and cut its power output. The root cause is not a software exploit but a basic governance failure: budget EV makers shipped vehicles with battery systems that have no meaningful access controls.
A battery management system, or BMS, is the embedded controller inside a lithium-ion battery pack. It monitors charge levels, voltage, temperature, and discharge behaviour, and prevents overcharging or overheating. In many budget electric rickshaws and loaders, these BMS units communicate via Bluetooth and are paired with generic companion apps such as BAT BMS, Lossigy, and Epoch Li-ion, several of which are of Chinese origin. The apps are legitimate diagnostic tools. The problem is that the BMS firmware beneath them never required authentication before accepting commands, including the command to shut the battery off entirely.
Ankush Tiwari, founder and CEO of cybersecurity intelligence firm pi-labs, put it plainly: the vulnerability is not in the app but in battery vendors skipping access control on the BMS firmware entirely. Ethical hacker and cybersecurity analyst Karan Saini pointed to a GitHub post published several years ago that had already demonstrated how easily those protections could be bypassed, suggesting the industry had clear warning and did not act on it.
Who Is Exposed and How Wide Is the Problem
The affected OEMs include Yatri, Mayuri, Vande Bharat, and City Life, based on independent verification. Drivers across multiple brands were using the same BAT BMS app, which points to a shared supply chain problem rather than one rogue manufacturer. Five-wheeler electric loader drivers reported identical incidents, confirming the issue is not limited to e-rickshaws. IDfy principal product manager Nikhil Jhanji said any OEM using insecure BMS components, imported battery packs, weak Bluetooth pairing, default credentials, or poorly designed apps faces the same exposure.
The government responded by directing Google and Apple to remove at least seven such apps from their stores. Saini criticised that move directly: removing the apps blocks legitimate users, specifically drivers who depend on them to monitor battery health and regain control if another device disables their BMS. The Ministry of Electronics and Information Technology (MeitY) has launched an investigation, but experts say the problem sits far deeper than any app store.
India introduced AIS-189, which mandates a certified Cybersecurity Management System for new vehicle models from October 2025. Tiwari said the stronger fix is a certification and security-standard requirement for BMS units sold in the Indian EV market, similar to how telecom equipment requires type approval. That framework currently places responsibility on OEMs but does not clearly cover third-party hardware and embedded software imported through the broader component supply chain.
A Second Risk: Where Driver Data Goes
Beyond the power cut-off, the same apps collect GPS location, driver behaviour, vehicle usage patterns, and operational logs. Jhanji noted that battery health data combined with GPS and user identifiers can reveal where a person works, how long they operate, where they travel, and their daily routine, placing it firmly inside the scope of India's Digital Personal Data Protection (DPDP) Act. That law requires organisations processing personal data to maintain security safeguards, consent mechanisms, and grievance redressal processes.
Tiwari identified a compounding risk: if the same unsecured architecture that allows a power cut-off also transmits location data insecurely, driver movement patterns become accessible to anyone who can reach the same app layer. Enforcement of the DPDP Act in the budget EV battery vendor space is, by expert consensus, largely untested. When app ownership and back-end infrastructure remain opaque, tracing where data ultimately flows is close to impossible.
The governance gap is sharpest in India's unorganised e-rickshaw segment. There are an estimated 20 lakh e-rickshaws on the road, and only about half are registered. Saini said OEMs should be held accountable and that regulations for critical vehicle components and proper licensing are long overdue. He added that importing parts and assembling them without a robust governance framework is no longer a sustainable approach.
Experts outlined the minimum changes needed: role-based access control separating OEMs, dealers, service staff, and fleet operators; limits on retaining location and usage data; stricter due diligence of BMS and software vendors; incident response mechanisms; and the ability for authorised users to revoke or reset access credentials. Technical safeguards alone, including secure pairing, unique device credentials, encrypted communication, and audit logs, are necessary but not enough without supply-chain transparency about where firmware originates and who controls the underlying hardware.
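The safeguards listed above, together with the unauthenticated command path described in the BMS background earlier, can be made concrete in a small controller-side model. The following is an added illustration written for this article, not firmware from any of the named vendors or apps: it simulates one battery pack's command gatekeeper with a unique per-pairing secret, an HMAC challenge-response so a captured response cannot be replayed, role-based authorisation separating drivers, service staff and fleet operators, credential revocation, and an audit log. The device id, role names and permission table are constructed for the example; the Bluetooth transport is left out entirely, since the point is the decision logic the page says is missing.

```python
"""Simulated BMS command gatekeeper (added example; not any vendor's firmware)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical policy, constructed for this example: which role may issue which command.
ROLE_PERMISSIONS = {
    "driver": {"read_status"},
    "service": {"read_status", "calibrate"},
    "fleet_ops": {"read_status", "calibrate", "power_off"},
}


@dataclass
class Credential:
    role: str
    secret: bytes        # unique per paired device; never a vendor-wide default
    revoked: bool = False


@dataclass
class BMSController:
    """Controller-side state of one simulated battery pack."""
    device_id: str
    power_on: bool = True
    credentials: dict = field(default_factory=dict)  # cred_id -> Credential
    pending: dict = field(default_factory=dict)      # cred_id -> outstanding nonce
    audit_log: list = field(default_factory=list)    # (command, cred_id, verdict)

    def enrol(self, cred_id, role, secret):
        """Pair a device under a named role with its own secret."""
        self.credentials[cred_id] = Credential(role, secret)
        self.audit_log.append(("enrol", cred_id, role))

    def revoke(self, cred_id):
        """An authorised user invalidates a lost or compromised credential."""
        if cred_id in self.credentials:
            self.credentials[cred_id].revoked = True
            self.audit_log.append(("revoke", cred_id, None))

    def challenge(self, cred_id):
        """Issue a fresh random nonce; each nonce is accepted once only."""
        nonce = secrets.token_bytes(16)
        self.pending[cred_id] = nonce
        return nonce

    def execute(self, cred_id, command, tag):
        """Authenticate the caller, then authorise the command by role; log every attempt."""
        verdict = self._check(cred_id, command, tag)
        self.audit_log.append((command, cred_id, verdict))
        if verdict == "ok":
            self._apply(command)
        return verdict

    def _check(self, cred_id, command, tag):
        cred = self.credentials.get(cred_id)
        if cred is None or cred.revoked:
            return "unknown_or_revoked"
        nonce = self.pending.pop(cred_id, None)  # single use: no replay of an old response
        if nonce is None:
            return "no_challenge"
        expected = response_tag(cred.secret, nonce, command)
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return "bad_auth"
        if command not in ROLE_PERMISSIONS.get(cred.role, set()):
            return "forbidden"
        return "ok"

    def _apply(self, command):
        if command == "power_off":
            self.power_on = False
        # read_status and calibrate leave the power state unchanged in this model


def response_tag(secret, nonce, command):
    """Client side: prove possession of the pairing secret for this nonce and command."""
    return hmac.new(secret, nonce + command.encode(), hashlib.sha256).digest()


def legacy_execute(bms, command):
    """The pattern the article describes: any connected device, any command, no check."""
    if command == "power_off":
        bms.power_on = False
    bms.audit_log.append((command, None, "accepted_unauthenticated"))


def demo():
    """A driver's app with a valid credential still cannot power the pack off."""
    bms = BMSController("rick-0001")  # constructed device id
    secret = secrets.token_bytes(32)
    bms.enrol("driver-app", "driver", secret)
    nonce = bms.challenge("driver-app")
    verdict = bms.execute("driver-app", "power_off", response_tag(secret, nonce, "power_off"))
    return verdict, bms.power_on
```

Running `demo()` returns `("forbidden", True)`: the driver's app authenticates correctly but the role policy, not the app, decides whether a shutdown is allowed. The audit log keeps the refused attempt, which is what an incident response process needs, and `revoke()` is the credential-reset path the experts asked for. Note that the model secures the command channel only; the retention limits and data-flow transparency the article raises for GPS and usage data are a separate design concern.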
The same questions extend to the broader IoT ecosystem, from smart locks and connected appliances to any imported white-labelled device paired with an app of opaque ownership. As Jhanji summarised: India's EV ecosystem cannot scale on hardware alone. Privacy, cybersecurity, and vendor governance need to be built into connected vehicles from the start, not retrofitted after a viral video forces the issue.