A recent wave of viral social media videos captured numerous e-rickshaws inexplicably grinding to a halt across India. Investigations revealed that a Chinese application, BAT-BMS, developed by Shenzhen Grenergy Technology, was allegedly used to remotely disable these vehicles by cutting off their battery discharge function. The app reportedly allowed anyone within a 10-15 meter Bluetooth range to connect to the e-rickshaws and interfere with their operation.
Government Issues Urgent Advisory on EV Cyber Vulnerabilities
The widespread disruption and public concern prompted the Indian government to take immediate action. The Ministry of Heavy Industries issued an “urgent advisory” to key automotive industry bodies, including the Society of Indian Automobile Manufacturers (SIAM), the Automotive Component Manufacturers Association of India (ACMA), and various testing agencies like ARAI, iCAT, NATRAX, and GARC. The advisory highlighted critical cyber vulnerabilities in electric vehicles that require urgent attention.
While the app itself is a legitimate tool for managing Bluetooth-enabled battery systems, the government identified a significant security loophole. This vulnerability arises when low-cost lithium battery packs are deployed with default factory settings, weak passwords, or a complete lack of Bluetooth authentication, making them susceptible to unauthorized access.
Apps Removed, But Core Flaws Remain
The Ministry of Electronics and Information Technology (MeitY) has already moved to remove BAT-BMS, along with similar apps like Epoch Li-ion, SMART BMS, and Lossigy, from app stores. However, officials caution that merely removing these applications addresses only the symptom, not the underlying security flaws within the vehicle's communication interfaces.
Industry Mandated to Enhance Cyber Security Protocols
To safeguard the burgeoning EV sector from future cyber threats, the government has directed the industry to take several immediate steps:
- Automakers must audit their battery communication interfaces.
- Eliminate unsecured default settings, weak authentication, and unprotected over-the-air pathways.
- Collaborate directly with the Ministry of Road Transport and Highways (MoRTH), MeitY, and other stakeholders to establish stronger, more resilient cyber-safety design protocols at the factory level.
Looking ahead, MoRTH's draft notification proposes a phased implementation of new cyber security standards, set to begin on October 1, 2026. This initiative mandates that manufacturers begin developing systematic Cyber Security Management Systems (CSMS) and Software Update Management Systems (SUMS) immediately. These systems will be crucial for securing over-the-air (OTA) updates, implementing robust user authentication, and validating software integrity across all EV platforms. The industry has also been instructed to promptly report any discovered vulnerabilities or related security information.