Battery Management App Hacking of E-Rickshaws: A New Cybersecurity Frontier in India’s EV Transition

The Union Government has ordered the blocking of several battery management applications after discovering that malicious actors were remotely immobilising e-rickshaw batteries — even while vehicles were transporting passengers — by exploiting security vulnerabilities in apps developed largely by Chinese firms, including Shenzhen Grenergy Technology, Shenzhen Ruichuang Lineng Technology, and Daly BMS. In one documented case in Ujjain, an extortionist used this vulnerability to immobilise e-rickshaws and then demand ₹200 from the stranded driver to restart the vehicle, prompting a police investigation and the eventual government crackdown.

This incident is a striking case study in the unintended cybersecurity consequences of India’s rapid electric vehicle (EV) adoption, and it holds relevance for UPSC GS-III (Science and Technology, Cybersecurity, Effects of technology on daily life) as well as SSC General Awareness sections on digital governance and IT law.

💡 Get AI-powered exam prep on your phone!

Download ExamYaari App

Background and Context

Lithium-ion battery packs in electric three-wheelers include Battery Management Systems (BMS) that monitor charge, voltage, temperature, and cell health — legitimately designed for battery owners (often leasing companies) to monitor and manage fleets remotely. However, these apps can hijack and shut off battery units without requiring internet access, using only a smartphone-carried Bluetooth or similar short-range hijack, exploiting default or unchanged passwords or PINs.

Five Important Key Points

  • The Union Government ordered blocking of battery management apps after e-rickshaws were remotely shut down mid-transit in various parts of the country using apps developed largely by Chinese firms.
  • In Ujjain, an extortionist exploited the vulnerability to disable an e-rickshaw’s battery remotely and then demanded ₹200 from the stranded driver to restart the vehicle, a case that alerted police to the wider racket.
  • Testing standards used to certify e-rickshaws (L5M category vehicles) under the Automotive Industry Standard (AIS-189) do not currently mandate cybersecurity requirements, creating a significant regulatory gap.
  • The vulnerability does not require internet access to exploit — attackers can hijack and shut off battery units using only local wireless connections and unchanged default passwords or PINs.
  • Officials confirmed that stranding vehicles through such remote hijacking constitutes a punishable offence under IPC/BNS provisions on criminal mischief, and that provisions of the Information Technology Act, 2000 on anti-hacking may also apply.

Legal and Regulatory Framework

The Information Technology Act, 2000, particularly its anti-hacking provisions, provides a legal basis for prosecuting such offences, while the Bharatiya Nyaya Sanhita (BNS), 2023, which replaced the Indian Penal Code, covers criminal mischief and extortion offences applicable to this scenario. However, the absence of mandatory cybersecurity certification requirements under AIS-189 — the standard governing electrical and mechanical safety of e-rickshaws — represents a critical regulatory blind spot, since certification currently focuses on electrical and roadworthiness safety without addressing software-layer vulnerabilities.

Economic and Social Implications

E-rickshaws form a crucial low-cost, last-mile transport backbone for urban and semi-urban India, generating livelihoods for millions of low-income drivers. Remote battery hijacking not only threatens driver income and passenger safety — since vehicles could stall mid-transit in traffic — but also undermines public confidence in India’s broader EV transition, which the government has heavily promoted through schemes like FAME (Faster Adoption and Manufacturing of Electric Vehicles) and various state EV policies.

Governance and Institutional Response

The government’s response — ordering an app-blocking action — addresses the symptom but not necessarily the structural vulnerability, since banning specific apps does not eliminate the underlying exploitable weakness in devices already deployed. A more durable solution requires mandatory firmware-level security audits and updated certification standards administered by agencies like the International Centre for Automotive Technology (ICAT), which currently certifies electrical and mechanical safety but not cybersecurity resilience.

Comparative and Technological Context

This incident echoes global concerns about Internet-of-Things (IoT) device security, where connected consumer hardware — from smart locks to industrial control systems — has repeatedly been shown vulnerable to remote exploitation due to weak default authentication. India’s e-rickshaw ecosystem, given its scale (millions of units nationally) and its overlap with livelihoods of economically vulnerable groups, presents an unusually high-stakes version of this generic IoT security problem.

Implementation Challenges

Enforcing a ban on specific apps faces practical hurdles: drivers and lessors may lack awareness of safer alternatives; enforcement across a highly dispersed, informal e-rickshaw ecosystem is difficult; and updating certification standards to include cybersecurity requirements will require time-consuming amendments to AIS-189 and coordination between the Ministry of Road Transport and Highways, ICAT, and state transport departments.

Way Forward

India should mandate cybersecurity certification as part of AIS-189 revisions for all L5M category electric vehicles, require mandatory password reset protocols and two-factor authentication for battery management systems, and establish a rapid-response grievance mechanism for drivers facing remote extortion. Given the scale of India’s EV transition, a dedicated automotive cybersecurity framework — potentially under the Ministry of Electronics and Information Technology’s Computer Emergency Response Team (CERT-In) — merits consideration.

Relevance for UPSC and SSC Examinations

GS-III: Cybersecurity, IT Act 2000, EV policy, Science and Technology applications. Key Terms: Battery Management System (BMS), AIS-189, ICAT, IT Act 2000, Bharatiya Nyaya Sanhita, IoT security, FAME scheme.

Leave a Comment