July 4, 2026
Beyond a Prank: Why India’s E-Rickshaw Vulnerability Is a Warning About Connected Infrastructure
In July 2026, viral social media videos from India showed passers-by using a smartphone app to “switch off” moving electric rickshaws. The…

By Satyajit Sethi
2 min read
In July 2026, viral social media videos from India showed passers-by using a smartphone app to "switch off" moving electric rickshaws. The culprit turned out to be a design flaw in low-cost Battery Management Systems (BMS) used in many e-rickshaws. In affected models, manufacturers had shipped the Bluetooth link open no pairing code, no authentication, and no encryption. As a result, anyone within Bluetooth range could connect via an off-the-shelf mobile app and issue a shutdown command identical to what a technician would use.
A Battery Management System is the brain of a lithium-ion pack. In e-rickshaws, the BMS's job is to monitor each cell's voltage, temperature and state-of-charge, balance cells, and enforce protective cut-offs if unsafe conditions arise (e.g. overcharge, overheating). To control power flow, the BMS uses high-current transistors (MOSFETs) as switches. In normal operation, these MOSFETs close the circuit to allow power to the motor under fault or shutdown commands, they open the circuit and cut power. To enable convenience and maintenance, many modern BMS units include a Bluetooth Low Energy (BLE) radio module. This lets technician a connect a smartphone to the battery pack without disassembling it. The phone runs an app that communicates with the BMS via BLE to read status data.
So, any BLE-capable phone within range can run the BAT-BMS application, connect to the BMS, and exchange data. Android documentation notes that once two devices pair via BLE, "the data that's communicated between them is accessible to all apps on the user's device". This means one could intercept or forge commands if the BLE link is not encrypted. But in this case, the major issue was that no pairing or encryption was even required. The app established a GATT connection immediately. The process is similar to Wi-Fi but without a password: as soon as the phone is nearby, the BMS happily talks to it.
There is an old tension in security between disclosure that helps defenders and disclosure that arms opportunists. Once the vulnerability became widely known, exploitation accelerated dramatically. This incident is a perfect case study in how modern distribution collapses the gap between "a flaw exists" and "everyone can trigger it". Moreover, the availability of the BAT-BMS app on the Play store meant that anyone could participate without special skills. The app's UI itself was the interface to exploitation.
Although it may appear to be a harmless prank, remotely disabling an e-rickshaw poses serious safety and operational risks. Sudden vehicle shutdowns can cause accidents, traffic congestion, and endanger passengers and pedestrians. For drivers, this hits livelihoods.
Beyond immediate safety, the national security implications of insecure IoT are mostly theoretical at this point, but serious. These vulnerable BMS units and apps largely came from Chinese manufacturers, dependency on foreign EV tech. At present there is no evidence that BAT-BMS or related apps have malicious features. But hypothetically, the lack of scrutiny on all such applications could let a future actor inject malware.
To prevent this class of vulnerability, manufacturers must incorporate layered security from the start. Key measures include:
Authenticated pairing by default: Use Secure Connections for key exchange. Require a user-set passkey or PIN during pairing so that only authorized phones can connect. Per-device, non-default credentials: No shared factory password Command Authentication & Encryption: critical commands (like "stop discharge") should include cryptographic integrity checks. Secure Firmware Updates: Implement secure OTA (over-the-air) update mechanisms. Access Control & Logging: If possible, implement simple access control lists so that each BMS "remembers" paired device IDs and rejects unknown ones.
The e-rickshaw "Kill switch" vulnerability in India was a wake-up call. It was an insecure design made dramatically visible by viral media, not a secret foreign cyberattack. But its implications stretch beyond rickshaws: it illustrates how ordinary technologies (BLE, battery packs, smartphone apps) can be weaponized when security is overlooked. This event underscores that every connected control interface in a physical system must be protected.
"The e-rickshaw driver pushing his silent vehicle to a workshop deserves better than a banned app."