Remote EV Shutdowns Expose India’s Connected Device Security Gap


Social media feeds over the past week have been flooded with videos of people accessing the battery management systems (BMS) of electric rickshaws and loaders to remotely disable the vehicles. While the videos may have amused the pranksters and viewers, they left drivers stranded, disrupted trips, and raised concerns about the security of connected EV systems.

At the centre of the controversy are the BMS that communicate through widely used mobile applications such as BAT BMS, Lossigy and Epoch Li-ion, with a few of these apps being of Chinese origin. These apps connect to the BMS over Bluetooth, allowing users to monitor battery health, charge levels, voltage, temperature, and discharge behaviour.

A BMS is an embedded controller inside a lithium-ion battery pack that monitors these parameters while also preventing overcharging and overheating.

However, experts say the BMS installed in budget EVs lack adequate authentication mechanisms or rely on default access settings. Consequently, anyone within the Bluetooth range – typically 10-15 metres – can connect to the BMS using the aforementioned apps. Depending on the BMS configuration, users can view battery data or issue commands to disable the battery’s output, making the vehicle inoperable.

In simple terms, the person is not “hacking” in the conventional sense. Instead, they are exploiting weak access controls in the BMS for unauthorised access to features that affect the vehicle’s operations.


Experts say the episode exposes not only a cybersecurity weakness but also India’s dependence on opaque firmware embedded in imported hardware.

“The vulnerability isn’t in the app itself, which is a legitimate diagnostic tool; it’s in how battery vendors skipped access control on the BMS firmware,” said Ankush Tiwari, founder and CEO of cybersecurity intelligence provider pi-labs.

Budget EV OEMs Overlook Access Controls

Cybersecurity experts Inc42 spoke to said the primary responsibility for securing access to the BMS rests with original equipment makers (OEMs) and battery suppliers.

Inc42 independently verified some of the OEMs whose vehicles could be controlled using the apps, including Yatri, Mayuri, Vande Bharat and City Life. Drivers using these vehicles said they relied on the BAT BMS app to monitor battery health.

Queries sent to these OEMs didn’t receive a response till the time of publication.

Notably, drivers across multiple brands were using the same application. Drivers of five-wheeler electric loaders also reported similar incidents, suggesting the issue extends beyond e-rickshaws. Experts say this points to a widespread reliance on generic third-party BMS software without adequate authentication or access controls.

The issue becomes more concerning in light of a GitHub post published several years ago that highlighted the weak authentication of some of these BMS apps and demonstrated how some of those protections could be bypassed.

“It is clear that these manufacturers didn’t do any due diligence before importing these batteries or distributing the app. Many of these components are easily available on platforms like Alibaba, where several OEMs source from. This is a road safety issue, and banning the apps is not the solution,” said cybersecurity analyst and ethical hacker Karan Saini.

Notably, the government directed Google and Apple yesterday to take down at least seven such apps following a furore over their misuse to make e-rickshaws inoperable.

Criticising the government’s move, Saini said it could worsen the situation by preventing legitimate users (drivers) from monitoring battery health or regaining control of their vehicles if another device disabled their BMS.

While MeitY has launched an investigation, experts believe the issue goes far beyond a handful of mobile apps.

“The stronger case is for a certification/security-standard requirement for BMS units sold in the Indian EV market, similar to how telecom equipment requires type approval, rather than only chasing individual bad actors,” Tiwari said.

IDfy principal product manager Nikhil Jhanji said the vulnerability is not limited to specific manufacturers. Any OEM using insecure BMS components, imported battery packs, weak Bluetooth pairing, default credentials, or poorly designed apps could be exposed.

That said, experts highlighted that the issue does not exist across India’s entire EV ecosystem. The risk primarily exists where BMS allows open Bluetooth discovery and control through a generic companion app. Secure pairing, authentication and restrictions on key commands significantly reduce the risk.
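To make concrete what "weak access controls" in the budget units and "restrictions on key commands" in the secure ones mean in practice, here is an added example in Python. It is not code from the article, from any of the named apps or OEMs, or from any real BMS firmware; the command codes, the frame layout, the per-pack secret and the state-of-charge value are all constructed for illustration. It contrasts a handler that honours any command from any connected peer, as the article describes for the affected vehicles, with one that requires control commands to be signed with a per-pack secret provisioned at pairing, rejects replayed frames, leaves read-only monitoring unauthenticated so a driver's app keeps working, and records every control attempt in an audit log.

```python
import hashlib
import hmac
import struct
import time

# Constructed command codes; real BMS protocols are not documented on the page.
CMD_READ_STATUS = 0x01
CMD_OUTPUT_OFF = 0x10
CMD_OUTPUT_ON = 0x11
CONTROL_COMMANDS = {CMD_OUTPUT_OFF, CMD_OUTPUT_ON}
MAC_LEN = 32  # HMAC-SHA256 digest length


class OpenBms:
    """Weak configuration: whoever connects over Bluetooth may issue any
    command, including cutting the pack output."""

    def __init__(self):
        self.output_enabled = True
        self.soc_percent = 78  # constructed state-of-charge value

    def handle(self, cmd):
        if cmd == CMD_READ_STATUS:
            return {"ok": True, "output": self.output_enabled, "soc": self.soc_percent}
        if cmd in CONTROL_COMMANDS:
            self.output_enabled = cmd == CMD_OUTPUT_ON
            return {"ok": True, "output": self.output_enabled}
        return {"ok": False, "error": "unknown command"}


class AuthenticatedBms:
    """Hardened model. Reads stay unauthenticated so monitoring apps work.
    Control commands arrive as counter || cmd || HMAC-SHA256(secret, counter || cmd),
    keyed with a per-pack secret provisioned at pairing. A strictly increasing
    counter rejects replays, and every control attempt is logged."""

    def __init__(self, pack_secret):
        self.pack_secret = pack_secret
        self.output_enabled = True
        self.soc_percent = 78
        self.last_counter = 0
        self.audit_log = []

    def read_status(self):
        return {"ok": True, "output": self.output_enabled, "soc": self.soc_percent}

    def handle_control(self, frame):
        """frame = 4-byte big-endian counter + 1-byte cmd + 32-byte MAC."""
        if len(frame) != 5 + MAC_LEN:
            return self._reject(None, None, "malformed frame")
        header, mac = frame[:5], frame[5:]
        counter, cmd = struct.unpack(">IB", header)
        expected = hmac.new(self.pack_secret, header, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return self._reject(counter, cmd, "bad mac")
        if counter <= self.last_counter:
            return self._reject(counter, cmd, "replay")
        if cmd not in CONTROL_COMMANDS:
            return self._reject(counter, cmd, "not a control command")
        self.last_counter = counter
        self.output_enabled = cmd == CMD_OUTPUT_ON
        self.audit_log.append((time.time(), counter, cmd, "accepted"))
        return {"ok": True, "output": self.output_enabled}

    def _reject(self, counter, cmd, reason):
        self.audit_log.append((time.time(), counter, cmd, reason))
        return {"ok": False, "error": reason}


def build_control_frame(pack_secret, counter, cmd):
    """Client side (the paired owner app): sign the command with the pack secret."""
    header = struct.pack(">IB", counter, cmd)
    return header + hmac.new(pack_secret, header, hashlib.sha256).digest()


def demo():
    """Run both models through the scenario in the article; returns the outcomes."""
    weak = OpenBms()
    stranded = weak.handle(CMD_OUTPUT_OFF)  # any phone in range can do this

    secret = b"constructed-per-pack-secret-from-pairing"
    bms = AuthenticatedBms(secret)
    # A prankster in Bluetooth range does not hold the pack secret.
    attack = bms.handle_control(build_control_frame(b"wrong-key", 1, CMD_OUTPUT_OFF))
    # The paired owner app can still cut output, e.g. for a service stop.
    legit = bms.handle_control(build_control_frame(secret, 1, CMD_OUTPUT_OFF))
    # Capturing that frame and sending it again later is rejected as a replay.
    replay = bms.handle_control(build_control_frame(secret, 1, CMD_OUTPUT_OFF))
    restored = bms.handle_control(build_control_frame(secret, 2, CMD_OUTPUT_ON))
    return {
        "weak_output_after_attack": stranded["output"],
        "hardened_attack": attack,
        "hardened_legit": legit,
        "hardened_replay": replay,
        "hardened_restored": restored,
        "monitor_still_works": bms.read_status()["ok"],
        "audit_entries": len(bms.audit_log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The signed-command layer sits above the Bluetooth link, so it still helps if the link itself is paired with no encryption; in a real deployment it should be combined with authenticated BLE pairing, a secret that is unique per pack rather than shared across a product line, and a documented way for the owner to reset or revoke that secret, as the governance measures later in the article call for.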

Nevertheless, the episode has also exposed gaps in India’s vehicle cybersecurity framework. While the country has introduced AIS-189, which mandates a certified Cybersecurity Management System for new vehicle models from October 2025, experts say the framework primarily places responsibility on OEMs. This raises questions on oversight of third-party hardware and embedded software supplied through the broader component ecosystem, particularly as many of these components are imported.

Where Does The Data Go?

The controversy also raises broader questions around data privacy. Beyond battery health, many BMS apps access and generate data such as GPS location, driver behaviour, vehicle usage patterns, and operational logs. However, in many cases it is not clear where this data is stored, who can access it and how it is used.

“Battery health monitoring may sound purely technical, but combined with GPS and user identifiers, it can reveal where a person works, how long they operate, where they travel, their income patterns, and their daily routine. That places it squarely in the realm of data protection,” Jhanji said.

Under the Digital Personal Data Protection (DPDP) Act, organisations processing digital personal data are required to have security safeguards, consent mechanisms and grievance redressal processes in place.

“Enforcement in the budget EV battery vendor space is largely untested. If the same unsecured architecture that allows power cut-off also transmits location data insecurely, you have a second risk: driver movement patterns could be accessed or misused by anyone who can access the same app layer,” Tiwari said.

For connected mobility platforms, privacy experts say applications should clearly disclose what data they collect, why it is collected, who it is shared with, how long it is retained and whether any remote-control functionality exists. However, when the ownership and back-end infrastructure of these applications remain opaque, tracing where the data ultimately flows becomes significantly more difficult.


“India’s EV ecosystem cannot scale on hardware alone. It needs privacy, cybersecurity, and vendor governance built into the design of connected vehicles from the start,” said IDfy’s Jhanji.

Experts say the industry also needs strong governance measures, including role-based access control for OEMs, dealers, service staff and fleet operators; limits on retaining location and usage data; stricter due diligence of BMS and software vendors; an incident response mechanism; and the ability for authorised users to revoke or reset access credentials. However, this is a challenge in India's largely unorganised e-rickshaw segment, with an estimated 20 lakh e-rickshaws on the road, only about half of which are registered.

“OEMs should be held accountable for exposing drivers and passengers to these vulnerabilities. Regulations for critical vehicle components and proper licensing of these vehicles are long overdue. We can no longer keep importing parts and welding them together without a robust governance framework,” Saini said.

How Smart Are Our Devices?

Beyond road safety, these incidents also raise broader questions about the security of connected devices and the software that powers them.

“This is a much larger connected-device governance and supply-chain security problem. Any vehicle, battery system, IoT (Internet of Things) device, or companion app that allows remote monitoring or control without strong authentication, access controls, audit logs, and vendor accountability can become both a cybersecurity and a public safety risk,” said Jhanji.

Experts argue that the conversations should not be limited to battery-operated vehicles. The same concerns extend to the broader IoT ecosystem, especially imported and white-labelled devices. From smart lights and door locks to connected home appliances, many such products rely on mobile apps with opaque ownership, limited transparency, and weak access controls.

While vendors bear the primary responsibility for securing these devices, users also have a role to play by understanding the products they bring into their homes.

“Indians don’t take their personal data protection seriously until a breach or fraud happens, and then the most convenient response is to point fingers,” a cybersecurity expert, who requested anonymity, said.

The weakest link is no longer the hardware itself but the software layer connecting users, device and component vendors. As connected ecosystems become more complex, the security of a device often depends on its least secure third-party component.

“I hope this doesn’t fizzle out with a blanket ban. Instead, it should become a broader discussion around the need for sovereign hardware, software, manufacturing abilities, as well as the risks of relying on IoT devices that are powered by applications we don’t control,” the cybersecurity expert added.

While basic security measures such as secure pairing, unique device-level credentials, encrypted communication, and comprehensive audit logs can significantly reduce the risks, experts argue that technical safeguards are no longer sufficient.

Organisations must also understand where firmware updates originate, where device data is stored and who ultimately controls the underlying hardware and software, making transparency across the connected-device supply chain just as important as cybersecurity.

The post Remote EV Shutdowns Expose India’s Connected Device Security Gap appeared first on Inc42 Media.