ARTICLE AD BOX
How an unprotected battery app and weak access controls briefly gave strangers the power to stop e-rickshaws and leave drivers stranded mid-journey.

E-rickshaws stopped midway after BMS vulnerabilty and lack of awareness (File photo)
If you're looking for a subtle, non-artistic illustration of how one person's misery can become another person's amusement, look no further than what unfolded on Indian X (formerly Twitter) and other social media platforms at large over the past few days.
E-rickshaws, often viewed as cheap and, although not solely responsible for traffic jams, frequently blamed for them, found themselves at the centre of a strange spectacle. A random individual using some app was remotely switching off running e-rickshaws, leaving drivers stranded in the middle of their journeys. 
The videos that followed became a source of chaotic amusement online. Many found the scenes hilarious, sharing memes and jokes while paying little attention to what the e-rickshaw drivers themselves might have been going through.
What appeared as harmless fun for viewers was, for those drivers, confusion, disruption and, potentially, a loss of income.
India Today's Open Source Intelligence (OSINT) team attempted to understand how the battery management system functions and how vulnerabilities, if any, may exist within the broader BMS ecosystem. The team also spoke with several e-rickshaw drivers to understand the problems they have faced since this newly "invented" misery emerged.
The issue stemmed from three immediate gaps: a Bluetooth-enabled Battery Management System (BMS) that allowed remote control functions and the "BAT-BMS" mobile utility application, developed by Shenzhen Grenergy Technology Co., Ltd., a China-based company, that exposed these controls without adequate authentication.
However, the episode also revealed a deeper problem. Almost none of the e-rickshaw drivers were aware of the password protection system embedded within the BMS. Several drivers claimed that sellers had never informed them about these features, pointing both to a lack of disclosure at the point of sale and a wider lack of awareness among drivers about the technology powering their vehicles.
While talking to India Today, one of the major e-rickshaw battery manufacturers said that "earlier systems did not have any password protection and were open to connect with." However, the manufacturer added that "updated versions now come with password protection features."
"Drivers generally do not have much use for the BMS and mostly need it to check the battery percentage. Therefore, we do not usually share the IDs and passwords with them," the dealer added.
THE TECHNOLOGY BEHIND THE CHAOS

Modern lithium batteries used in several e-rickshaws are equipped with a Battery Management System (BMS), an electronic circuit that continuously monitors the battery's voltage, temperature, current flow and charging status. In many cases, the BMS is also fitted with a Bluetooth Low Energy (BLE) module, allowing drivers, dealers or battery manufacturers to monitor battery health through a mobile application. Once a smartphone comes within Bluetooth range, typically a few metres, the application can discover the battery, establish a connection and read data such as charge level, voltage, temperature and battery condition.
In certain battery systems, the app is also given control functions, including the ability to enable or disable the battery's discharge circuit through switches inside the BMS. When this discharge path is turned off, power flow to the motor controller stops, causing the e-rickshaw to shut down. The functionality itself is designed for legitimate purposes such as maintenance, diagnostics, theft prevention and battery protection, but if access controls are weak or absent, the same feature can be misused by unauthorised users within Bluetooth range.
While India Today's OSINT team could not independently verify the security configuration of the affected batteries, the US cybersecurity and standards agency under the Department of Commerce, in its Guide to Bluetooth Security (Special Publication 800-121 Revision 1), cautions that Bluetooth implementations lacking authentication and encryption safeguards can be vulnerable to unauthorised access. The guidance notes that devices without adequate security controls may fail to prevent nearby Bluetooth-enabled devices from establishing connections. NIST further states that devices operating in Security Mode 1, which does not initiate authentication or encryption procedures, are considered non-secure because they do not provide mechanisms to protect communications or restrict access.
While we independently attempted to download the app from the Google Play Store after the issue surfaced widely, it was unavailable for download during the second half of Wednesday. However, the app is now available for download after the company fixed the bug and enabled password protection.
Also, our assessment and on-ground reporting suggested that there was indeed an issue, and that the issue now appears to have been resolved, though not the anxiety it caused.
The BAT-BMS application was used by several individuals who then uploaded videos showing e-rickshaws stranded in the middle of the road. The clips often featured confused drivers trying to explain to passengers why their otherwise slow but smooth journeys had suddenly come to a halt.
The situation, however, appears to have eased. The application, which earlier did not require a password and effectively allowed unrestricted access, has since been updated. The Google Play Store indicates that the app was updated on July 1. The revised version now requires a password before users can access functions that could affect a vehicle.
A password that neither the "random guy" seeking online amusement nor the e-rickshaw driver trying to earn a livelihood possesses. Nor do most drivers have any reason to know it. For them, the feature served no practical purpose. It was a feature nobody asked for, yet one that briefly handed strangers the power to disrupt livelihoods.
DRIVERS CAUGHT OFF GUARD
While speaking to India Today, several e-rickshaw drivers expressed anxiety, frustration, and concern. Largely unaware of the technical aspects involved, one of the drivers said, "It was happening so randomly yesterday. My e-rickshaw stopped at least seven or eight times. We did not know what was happening."
"Some random people were causing this, and we had to seek help from others who knew how to turn it back on using their mobile phones or ours," he added.
A large number of e-rickshaw drivers had to face this issue. While some drivers who had not experienced the problem said they were using "wet batteries", they claimed that the issue was largely being observed among those using "dry batteries".
Recalling the difficulties he faced, another driver said, "Customers were also refusing to pay because we could not drop them at their destination as our vehicles stopped midway, which also created traffic problems."
It was a kind of chaos that no one, certainly not those whose livelihoods depend on these vehicles, would have expected or wished for. Yet, for a brief period, it unfolded because of what appears to have been a technological vulnerability.
- Ends
Published By:
bidisha saha
Published On:
Jul 2, 2026 19:42 IST
1 hour ago
5




English (US) ·