How viral e-rickshaw hack exposes a national cybersecurity blind-spot
As India pushes electric mobility, the episode has underscored the urgent need to embed cybersecurity into product design rather than treat it as an afterthought

The episode has prompted the Union government to ask Apple and Google to remove at least seven mobile apps used to remotely disable e-rickshaws.
The controversy centres on a Bluetooth battery management application, BAT-BMS, which researchers say allows users within a range of about 10-15 metres to disconnect power to an e-rickshaw without any authentication or specialised hacking skills. The incident has already prompted police action in Madhya Pradesh and drawn the attention of the Union ministry of electronics and information technology (MeitY), raising concerns over the cyber resilience of connected vehicles.
Rather than an isolated software bug, cybersecurity experts describe the episode as evidence of a far deeper problem: critical vehicle systems being designed with wireless maintenance interfaces that lack even basic authentication.
“The e-rickshaw incident is not merely about a vulnerable app. It demonstrates how convenience has been prioritised over security in connected mobility,” say experts.
The implications extend well beyond e-rickshaws. Researchers warn that the same design philosophy—wireless maintenance access left exposed through poorly secured Bluetooth, telemetry or diagnostic interfaces—exists across a wide range of connected platforms, including civilian drones, autonomous systems and smart mobility solutions.
Many commercially available drones, particularly low-cost and prosumer platforms, rely on autopilot stacks, flight controllers and companion applications sourced through complex global supply chains. If similar authentication weaknesses exist in these systems, experts caution that attackers may not require sophisticated cyber capabilities to interfere with operations.
The e-rickshaw incident has demonstrated that physical proximity and a legitimate maintenance application can be sufficient to disable a moving vehicle. In the drone ecosystem, equivalent vulnerabilities could potentially enable forced disarming, telemetry hijacking, GPS spoofing or manipulation of geofencing features—risks that have long been discussed by cybersecurity researchers.
The growing adoption of cloud-connected features has further expanded the attack surface. Over-the-air firmware updates, remote diagnostics, fleet management tools and real-time telemetry offer operational advantages but also create new entry points if robust authentication mechanisms are absent.
Experts also point to another concern: supply-chain transparency. Authorities are now seeking answers about who developed the BAT-BMS application, where its servers are located and how operational data is handled. Similar questions remain unanswered for many drone operators and connected mobility platforms, where the origin of software components and the destination of telemetry data often remain opaque.
As India aggressively pushes electric mobility, smart transportation and autonomous technologies, the episode has underscored the urgent need to embed cybersecurity into product design rather than treat it as an afterthought.
Cybersecurity specialists argue that regulators should now consider mandatory authenticated Bluetooth pairing, digitally signed firmware, elimination of default credentials and greater transparency over software supply chains and data flows.
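The gap between an open maintenance interface and an authenticated one can be shown in a few lines. The sketch below is an added illustration, not code from the article, the BAT-BMS app or any vendor: the command name, class names and per-device key are hypothetical, and it assumes an application-layer challenge-response check that would sit on top of authenticated Bluetooth pairing rather than replace it.

```python
import hashlib
import hmac
import secrets

CMD_DISCHARGE_OFF = b"DISCHARGE_OFF"  # hypothetical command name, not from any real BMS


class UnauthenticatedBms:
    """The design the article describes: any nearby client can switch power off."""

    def __init__(self):
        self.discharge_enabled = True

    def handle(self, command: bytes) -> bool:
        if command == CMD_DISCHARGE_OFF:
            self.discharge_enabled = False
            return True
        return False


class AuthenticatedBms:
    """Same command, gated by a per-device key and a single-use challenge."""

    def __init__(self, device_key: bytes):
        self._key = device_key  # assumed provisioned per pack, never a shared default
        self._nonce = None
        self.discharge_enabled = True

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)  # fresh per request, defeats replay
        return self._nonce

    def handle(self, command: bytes, tag: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # consume the nonce even on failure
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce + command, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return False
        if command == CMD_DISCHARGE_OFF:
            self.discharge_enabled = False
            return True
        return False


def sign(device_key: bytes, nonce: bytes, command: bytes) -> bytes:
    """What an authorised service tool computes after receiving the challenge."""
    return hmac.new(device_key, nonce + command, hashlib.sha256).digest()
```

A client without the pack's key cannot produce a valid tag, and a captured tag is useless once its nonce has been consumed.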
The episode has once again highlighted India’s overwhelming dependence on Chinese battery packs, battery management systems (BMS), electronic control units and embedded software that underpin the country’s booming e-rickshaw industry. While policymakers have focused on reducing imports of finished vehicles, cybersecurity experts argue that far less scrutiny has been applied to the electronics and firmware hidden inside imported battery systems.
Unlike mechanical components, these systems contain wireless communication modules, firmware and diagnostic interfaces capable of controlling critical vehicle functions. The identity of the software developer, where the firmware is maintained, how data is transmitted and whether adequate authentication exists often remain opaque to fleet operators and even importers.
The BAT-BMS incident has therefore transformed what initially appeared to be a simple Bluetooth vulnerability into a broader debate over trusted electronics, software supply chains and cybersecurity standards for imported EV components.
What appeared initially to be a social media prank has instead become a stark demonstration of how an unsecured wireless control interface can become a remote kill switch—and a warning that unless cybersecurity standards improve rapidly, the vulnerabilities exposed in today’s e-rickshaws could become tomorrow’s threat to India’s wider connected transport ecosystem.
Subscribe to India Today Magazine