
The E-rickshaw “Prank” That Wasn’t Really A Hack


Over the past week, a strange thing has been happening on Indian roads. E-rickshaw drivers — mid-trip, mid-traffic, sometimes with passengers still aboard — have watched their vehicles simply die. No warning, no mechanical fault. Someone standing on a nearby footpath taps their phone, and the rickshaw goes dead.

The tool behind it has a name that sounds far more sinister than it deserves: BAT-BMS. And the uncomfortable truth is that it isn’t a hacking tool at all. It’s a battery diagnostics app, built by a Chinese company called Shenzhen Grenergy Technology, meant to do exactly the kind of boring, useful job apps like this are supposed to do — let a mechanic or fleet owner check a battery’s voltage, temperature, and charge level over Bluetooth.

The problem was never the app. It was what the app was allowed to talk to.

A Feature Doing Exactly What It Was Built to Do
Battery Management Systems, or BMS units, are the small onboard computers that sit inside a lithium-ion pack and keep it from overheating, overcharging, or discharging unsafely. A legitimate technician needs a way to reach into that system remotely — to check its health, or to shut off charging and discharging while doing maintenance. That’s what BAT-BMS was built for, and on a properly configured battery, it does that job fine.

The trouble is that “properly configured” turned out to be doing a lot of heavy lifting. Many of the cheap, unbranded battery packs going into budget e-rickshaws ship with Bluetooth switched on and no password set — or a default PIN so obvious it barely counts as one. Bluetooth doesn’t ask who you are before it starts broadcasting; it just sits there, quietly announcing itself to anything with a receiver within about fifteen metres. So anyone standing at a bus stop with the app open can scan for a nearby signal, connect to it without so much as a login screen, and flip a toggle meant for a mechanic’s workbench. Flip it, and the flow of current from the battery to the motor simply stops. In the middle of moving traffic.

That’s the entire “hack.” No code was broken. Nobody exploited a bug in the traditional sense. What actually failed was a manufacturing decision made months or years before any of these videos existed — a decision to skip a password screen to save a few seconds of setup at the factory.

Why Some Rickshaws Are Immune and Others Aren’t
This isn’t a threat to every electric vehicle on the road, and that detail matters, because it tells you exactly where the weakness lives. Vehicles running older lead-acid batteries have no Bluetooth radio to exploit — they’re simply outside the blast radius of this entire problem. And the bigger, established EV and battery manufacturers generally build their own companion apps with proper authentication, encrypted pairing, and manufacturer-locked access, which keeps a generic third-party app like BAT-BMS out entirely.

What’s left in the danger zone is the lower end of the market — the imported, low-cost battery packs that budget e-rickshaws are often fitted with, where price competition seems to have squeezed out the one feature that would have prevented all of this: a password.
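The pack-side check whose absence the article describes, sketched as an added example (not code from the article, the app, or any battery vendor). The command set, struct names and the `bms_handle` function are hypothetical: state-changing commands are refused unless the link is encrypted and authenticated, and power control stays locked until the factory PIN has been replaced with a non-trivial one.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed command set for illustration; not the BAT-BMS protocol. */
enum bms_cmd { CMD_READ_STATUS = 1, CMD_SET_DISCHARGE = 2, CMD_SET_PIN = 3 };
enum bms_result { BMS_OK, BMS_DENIED, BMS_WEAK_PIN, BMS_BAD_CMD };

struct bms_link { bool encrypted, authenticated; };   /* per-connection state */
struct bms_state { char pin[7]; bool pin_is_factory, discharge_on; };

/* A PIN is weak if it is not 6 digits, is one repeated digit, or is a run. */
static bool pin_is_weak(const char *pin) {
    if (!pin || strlen(pin) != 6) return true;
    bool same = true, up = true, down = true;
    for (int i = 0; i < 6; i++) {
        if (pin[i] < '0' || pin[i] > '9') return true;
        if (i == 0) continue;
        if (pin[i] != pin[0]) same = false;
        if (pin[i] != pin[i - 1] + 1) up = false;
        if (pin[i] != pin[i - 1] - 1) down = false;
    }
    return same || up || down;
}

enum bms_result bms_handle(struct bms_state *s, const struct bms_link *l,
                           enum bms_cmd cmd, const char *arg) {
    if (cmd == CMD_READ_STATUS) return BMS_OK;  /* assumption: telemetry is open */
    /* Anything that changes state needs an encrypted, authenticated link. */
    if (!l->encrypted || !l->authenticated) return BMS_DENIED;
    switch (cmd) {
    case CMD_SET_PIN:
        if (pin_is_weak(arg)) return BMS_WEAK_PIN;
        memcpy(s->pin, arg, sizeof s->pin);
        s->pin_is_factory = false;
        return BMS_OK;
    case CMD_SET_DISCHARGE:
        /* Power control stays locked until the factory PIN is replaced. */
        if (s->pin_is_factory) return BMS_DENIED;
        if (!arg) return BMS_BAD_CMD;
        s->discharge_on = (arg[0] == '1');
        return BMS_OK;
    default: return BMS_BAD_CMD;
    }
}

int main(void) {   /* an unauthenticated power toggle must be refused */
    struct bms_state s = { "000000", true, true };
    struct bms_link anon = { false, false };
    return bms_handle(&s, &anon, CMD_SET_DISCHARGE, "0") == BMS_DENIED ? 0 : 1;
}
```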

A Joke With Someone Else’s Rent on the Line
It’s worth sitting with who actually gets hurt by this. E-rickshaw drivers in Indian cities often work on thin, day-to-day margins — losing an afternoon to a dead battery isn’t an inconvenience, it’s a chunk of that day’s income gone, sometimes with a repair bill on top of it. Several drivers have described paying someone just to get their vehicle moving again, for a fault that had nothing mechanically wrong with it at all. Watch enough of the videos circulating online and the tone shifts fast, from mischievous to genuinely upsetting — drivers in tears, passengers stranded roadside, traffic backing up behind a vehicle that, moments earlier, was working perfectly.

What the Government Actually Did About It
Once the videos escalated from a handful of clips to a nationwide talking point, the Ministry of Electronics and Information Technology stepped in and had BAT-BMS, along with a couple of similar apps, pulled from both the Play Store and the App Store. Cyber law experts have also pointed out that deliberately disabling someone’s vehicle without consent isn’t just bad manners — it falls under India’s IT Act, and in principle carries real criminal exposure, up to three years in prison and a fine reaching Rs 5 lakh.

But here’s the part that’s easy to miss in the relief of an app getting banned: removing BAT-BMS from the store doesn’t touch the actual vulnerability. The battery packs are still out there, still broadcasting an unsecured Bluetooth signal, still perfectly happy to pair with any app built to speak the same protocol. Ban one app and, in principle, a slightly less well-known one can do the same job tomorrow. The fix that actually matters is happening at the level of the individual vehicle — drivers being told to open their battery’s companion app one last time and set an actual password, or hold down the physical reset button on the pack to kill any active Bluetooth pairing.

The Real Lesson Here
Strip away the viral-video framing and what’s left is a fairly ordinary story about what happens when connectivity gets added to a product faster than security does. Nobody set out to build a weapon. A battery manufacturer just made the same trade-off that shows up across cheap consumer electronics everywhere — ship it fast, skip the password screen, assume nobody malicious will ever find the gap. It took a smartphone app and a handful of people bored enough to go looking for the gap to prove that assumption wrong, at the expense of some of the lowest-margin workers in the entire transport system.

As more of what we drive gets a Bluetooth radio bolted onto it, that’s the part worth remembering: a password isn’t a nice-to-have feature on a battery. On a vehicle carrying a person through traffic, it’s closer to a seatbelt.
