https://indianmasterminds.com

ADVERTISEMENT
ADVERTISEMENT

E-Rickshaw ‘Hack’ Exposes India’s EV Cybersecurity Blind Spot

The misuse of battery management apps to remotely disable e-rickshaws has exposed a critical weakness in India's EV ecosystem. Experts Virag Gupta and Vinkesh Gulati tell Indian Masterminds that the real threat is not sophisticated hacking, but insecure battery management systems, underscoring the urgent need for stronger cybersecurity standards, stricter regulation and secure-by-design electric mobility.
Indian Masterminds Stories

There is an emerging cybersecurity risks in the field of Indian electric mobility, by the misuse of battery management apps such as BAT-BMS, Lossigy, and Epoch Li-ion to remotely halt e-rickshaws. Here, experts and stakeholders argue that the issue is not a sophisticated cyberattack but a design vulnerability in insecure Bluetooth-enabled Battery Management Systems (BMS), exposing gaps in EV security, regulation, and supply chains. The piece also explores legal, policy, and technological implications, calling for stronger cybersecurity standards and enforcement. It incorporates expert insights from Virag Gupta, Advocate Supreme Court & Cyber Law Expert and Vinkesh Gulati, Chairperson at Automotive Skills Development Council as well as Former president of the Federation of Automobile Dealers Associations of India (FADA) who emphasise the need for robust regulatory frameworks, secure system design, and greater accountability across the EV ecosystem.

A New Kind of Threat: When Mobility Meets Cyber Vulnerability

India’s electric mobility revolution, often celebrated as a model of rapid, low-cost innovation, has encountered a critical inflection point. What began as seemingly harmless prank, showing e-rickshaws being abruptly halted using smartphone applications, has now evolved into a serious cyber risk scenario that challenges the very foundations of connected mobility systems. The misuse of battery management applications such as BAT-BMS, Lossigy, and Epoch Li-ion to remotely disrupt e-rickshaws mid-ride has exposed a fundamental vulnerability: the increasing convergence of physical infrastructure and unsecured digital interfaces.

Unlike traditional cyber threats that focus on data theft, financial fraud, or privacy breaches, this episode signals a more tangible and immediate risk, the ability to manipulate physical systems through digital access. The implications are profound. When a vehicle can be stopped remotely by an unauthorised user within Bluetooth range, the distinction between cyber risk and physical safety collapses. The Battery Management System (BMS), originally designed as a protective mechanism to regulate battery health and prevent hazards, is transformed into an unintended “kill switch” due to insecure design practices.

Yet, as Vinkesh Gulati, Chairperson, Automotive Skills Development Council, rightly points out, this should not be viewed as a crisis alone, but as an early warning. He emphasises that what is being widely labelled as a “cyber threat” is, in technical terms, “a cybersecurity vulnerability arising from insecure system design rather than a sophisticated cyberattack.” This distinction is not merely semantic, it shifts the narrative from external malicious intent to internal systemic shortcomings in engineering, regulation, and oversight.

Adding another layer of complexity, Virag Gupta, Supreme Court Advocate & Cyber Law Expert situates the issue within a broader national security context. He recalls how, following the Galwan Valley clash, the Indian government blocked hundreds of Chinese applications over concerns related to data security, sovereignty, and potential remote interference. Similar apprehensions were also raised in the context of surveillance infrastructure such as CCTV cameras. The current e-rickshaw episode, Virag Gupta suggests, is not an isolated incident but part of a larger pattern where digital vulnerabilities intersect with geopolitical and technological dependencies.

Also Read – How IPS Abhinay Vishwakarma Led Katni Police to ISO Certification for 16 Units, Setting a New Standard in Citizen-Centric Policing

Anatomy of the Risk: Design Flaws, Not Just App Misuse

At the heart of the controversy lies a misconception: the problem is not the applications themselves, but the insecure systems they interact with. Applications like BAT-BMS, developed by Shenzhen Grenergy Technology, are legitimate tools designed to monitor lithium-ion battery performance. They provide users with real-time data on charge levels, voltage, temperature, and cell health, functions that are essential for efficient EV operation.

However, in many low-cost e-rickshaws, the BMS units are equipped with Bluetooth Low Energy (BLE) connectivity without adequate authentication protocols. This means that any device within a 10-15 metre radius can connect to the system if it has access to a compatible application. The absence of password protection, encryption, or device verification creates an open gateway for misuse.

Vinkesh Gulati explains that the vulnerability lies in “insecure Bluetooth pairing, weak authentication, and poor access control between the BMS and the mobile application.” The battery hardware itself is not flawed; rather, it is the communication layer that introduces risk. This is a classic case of ‘failure to implement secure-by-design principles’, where convenience and cost-efficiency take precedence over safety and resilience.

Also, Virag Gupta expands the scope of concern by pointing out that the removal of a handful of apps does not resolve the underlying issue. “Dozens of such Bluetooth tools, WiFi spoofing apps, GPS jammers, tracker disablers, and OBD code scanners are easily available on app stores,” he notes. This highlights a gap in digital ecosystem governance, where tools capable of interacting with critical infrastructure are widely accessible without adequate regulation.

The problem is further compounded by supply chain opacity. A significant proportion of BMS units and electronic components used in India’s e-rickshaws are imported, often without transparent documentation of firmware origins, security testing, or update mechanisms. This creates a scenario where vulnerabilities may remain undetected until they are exploited in real-world conditions.

Immediate Fallout: Safety, Livelihood, and Public Trust

The consequences of this vulnerability are unfolding on the streets. E-rickshaw drivers in cities like Delhi have reported sudden vehicle shutdowns, often in the middle of traffic. Such incidents pose immediate safety risks, increasing the likelihood of accidents and endangering both drivers and passengers.

Beyond safety, the economic impact is significant. E-rickshaw drivers operate on narrow margins, relying on daily earnings for sustenance. A stalled vehicle not only disrupts income but also incurs repair costs, typically ranging between I.N.R. 500 and 800. For many drivers, this represents a financial burden.

The psychological impact is equally important. Trust in technology is a critical factor in the adoption of new mobility solutions. When users perceive a system as unreliable or vulnerable, confidence erodes rapidly. The idea that a vehicle can be controlled, or disabled, by an unknown individual with a smartphone undermines the very premise of connected mobility.

However, Vinkesh Gulati cautions against blanket generalisations. He notes that such vulnerabilities are more prevalent in the low-cost segment, where off-the-shelf components may not undergo rigorous cybersecurity validation. In contrast, established EV manufacturers typically employ advanced security architectures, including encrypted communication, multi-layered authentication, and over-the-air security updates.

Government Response: Reactive Measures and Emerging Realisation

The government’s decision to direct the removal of BAT-BMS, Lossigy, and Epoch Li-ion from app platforms represents a swift and necessary response. It signals an acknowledgment that digital tools interacting with physical systems can have far-reaching consequences.

Yet, as Virag Gupta points out, this approach is inherently reactive. “After the Galwan incident, app bans were justified on grounds of sovereignty and security. This case reflects similar concerns, but requires a more systemic response,” he argues. The government has also initiated investigations into vulnerabilities across the ecosystem, indicating a broader recognition of the issue.

He advocates for the immediate enforcement of the Digital Personal Data Protection Act, 2023 and its associated rules. He suggests that platforms like Google and Apple should be mandated to host only those applications that comply with Indian legal and security standards.

From a legal standpoint, existing provisions under Sections 43 and 66 of the Information Technology Act, 2000 provide a framework for addressing unauthorised access and damage to computer systems, with penalties including imprisonment of up to three years and fines o I.N.R. 5 lakh. Additionally, offenders may be prosecuted under the Bharatiya Nyaya Sanhita, 2023, while victims can seek compensation through civil remedies.

However, the incident highlights the limitations of current legal frameworks, which were not designed to address the convergence of digital and physical risks. There is a growing need for hybrid regulatory models that encompass both cybersecurity and product safety.

Possible Solutions: Securing the EV Ecosystem from the Ground Up

Addressing the vulnerabilities exposed by this incident requires a multi-layered approach that spans technology, policy, and industry practices.

At the technical level, manufacturers must adopt secure-by-design principles. This includes implementing strong authentication protocols for Bluetooth connectivity, encrypting communication channels, and eliminating default credentials. Firmware must be digitally signed and regularly updated to prevent unauthorised modifications.

Former FADA President, Vinkesh Gulati strongly advocates for the introduction of a cybersecurity certification regime for connected vehicle components. “We already certify vehicles for crash safety and emissions. Connected components must now be certified for cybersecurity as well,” he argues. As vehicles become increasingly software-defined, cybersecurity must be treated as a core aspect of engineering.

Virag Gupta, on the other hand, emphasises ecosystem-level reforms. He calls for stricter regulation of app marketplaces, enforcement of data protection laws, and enhanced scrutiny of digital tools that interact with physical systems. The role of intermediaries such as app stores must evolve from passive distribution platforms to active gatekeepers of security compliance.

Supply chain transparency is another critical area. As Vinkesh Gulati highlights, India’s dependence on imported components creates vulnerabilities if firmware sources and security protocols are not adequately vetted. Measures such as supply chain traceability, trusted component certification, and localisation of critical electronics can help mitigate these risks.

For e-rickshaw owners and operators, immediate steps include disabling unnecessary Bluetooth access, updating systems where possible, and relying on certified service providers. Awareness and digital literacy will play a key role in mitigating risks at the user level.

Future Discourse: Regulation & Responsibility

The e-rickshaw controversy is likely to have far-reaching implications for approach to connected mobility. For policymakers, it show the urgency of integrating cybersecurity into EV regulations. This may lead to the introduction of mandatory certification standards, stricter compliance requirements, and enhanced oversight of digital platforms.

For manufacturers, the incident signals a shift in accountability. Delivering affordable solutions will no longer suffice without ensuring robust security. Cybersecurity will need to be embedded into the design and development process, rather than added as an afterthought. Virag Gupta frames the issue within a broader geopolitical context, where digital infrastructure, data sovereignty, and foreign interference are increasingly interconnected. Vinkesh Gulati, meanwhile, emphasises the importance of balanced regulation that fosters innovation while ensuring safety.

As connected technologies expand to include drones, autonomous vehicles, and smart city infrastructure, the risks demonstrated in e-rickshaws could scale significantly. The challenge lies in ensuring that security evolves in tandem with technological advancement.

Conclusion: Wake-Up Call for Connected India

The misuse of BAT-BMS, Lossigy, and Epoch Li-ion is not merely a case of app exploitation, it is a stark reminder of the vulnerabilities inherent in poorly secured connected systems. It highlights the urgent need for a paradigm shift in how India approaches the intersection of digital technology and physical infrastructure. As both Vinkesh Gulati and Virag Gupta emphasise, this moment should be treated as an early warning. The path forward lies in building a secure, resilient, and transparent EV ecosystem where cybersecurity is not optional, but foundational.

India’s electric mobility journey is at a crossroads. The decisions taken today will determine whether it becomes a model of secure innovation or a cautionary tale of unchecked technological adoption.

Also Read – 105 in 11 Months: How IPS Officer Krushikesh Rawale Quietly Dismantled an Illegal Immigration Network in Pune


Indian Masterminds Stories
ADVERTISEMENT
ADVERTISEMENT
Related Stories
ADVERTISEMENT
ADVERTISEMENT
NEWS
IPS Officers
ACC Approves Key IPS Appointments: Alok Mittal Named BPR&D DG, Amit Garg Gets NCRB, Sujeet Pandey to Head SVPNPA
West Bengal OBC Reservation
West Bengal Extends Suspension of 3 IPS Officers by 120 Days in RG Kar Rape-Murder Case; CBI Continues Fresh Probe
UFOSS Project
UFOSS Project Explained: Why India Is Building a Seabed Cable Network to Track Chinese and Pakistani Submarines
Madhya Pradesh Kuwait fisheries
Madhya Pradesh Signs ₹7,430 Crore Kuwait Fisheries Investment Deal to Boost Exports, Jobs and Aquaculture Growth
INS Mahendragiri
INS Mahendragiri to Strengthen Indian Navy: Know It's Features, Capabilities, Weapons and Commissioning Date
Adani Group Defence Manufacturing Facility Shivpuri
Adani Group Expands Defence Business with ₹2,500 Crore Manufacturing Complex in Shivpuri, Madhya Pradesh
Indian Army ₹75000 crore Fleet Modernization Programme
Indian Army Launches ₹75,000 Crore Modernisation Programme to Upgrade Armoured Fleet
Gaganyaan Mission
Explained: How ISRO's Successful SOLVE Ground Test Strengthens the Gaganyaan Mission
ADVERTISEMENT
ADVERTISEMENT
Videos
Divyanshu patel
How A Single-Minded Devotion of Divyanshu Patel Transformed Moradabad
IAS Divyanshu Patel Moradabad
The 5 am IAS Officer Who Transformed An Entire City
NDA Cadet
From History to Heroism: How NDA's First Women Cadets Changed the Academy Forever
ADVERTISEMENT
UPSC Stories
ChatGPTImageJul62026at03_08_06P-2
Balancing Job & Dreams: How Jasmeet Kaur Turned Her Father's Dream into Reality with Rank 1 in UK PCS-2024
Jasmeet Kaur secured Rank 1 in the UKPSC-2024 examination after balancing her duties as a District Social...
Rakesh R UPSC IFS 2025
How Tuticorin's Floods Inspired Rakesh R to Join Indian Forest Service 
Discover how UPSC IFS 2025 AIR 85 Rakesh R transformed childhood experiences of Tuticorin floods into...
Abhijeet Patil
At 22, One of India’s Youngest IPS Officers Is Taking on Gangsters and Human Traffickers in Rajasthan
One of India’s youngest IPS officers, 2023-batch Rajasthan cadre officer Abhijeet Tulshiram Patil has...
CSR NEWS
REC (CSR Initiative)
REC Limited Empowers Women in West Bengal with 600 Sewing Machines Under CSR Initiative
New programme in Bangaon aims to promote self-employment, financial independence, and sustainable livelihoods...
REC
REC Ltd Signs ₹4.22 Crore CSR MoA with IGIAT to Build 100 Smart Classrooms in Assam Government Schools
REC Limited partners with IGIAT to modernise rural education in Lakhimpur and Kaziranga by introducing...
NLC
NLC India Signs ₹21.40 Lakh CSR MoU with Auroville Foundation for Electric Vehicles to Promote Green Mobility
Partnership aims to boost eco-friendly transportation in Auroville, reduce carbon emissions, and strengthen...
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT
Latest
IPS Officers
ACC Approves Key IPS Appointments: Alok Mittal Named BPR&D DG, Amit Garg Gets NCRB, Sujeet Pandey to Head SVPNPA
West Bengal OBC Reservation
West Bengal Extends Suspension of 3 IPS Officers by 120 Days in RG Kar Rape-Murder Case; CBI Continues Fresh Probe
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT
Videos
Divyanshu patel
IAS Divyanshu Patel Moradabad
NDA Cadet
ADVERTISEMENT
ADVERTISEMENT