Remote EV Shutdowns Expose India’s Connected Device Security Gap
by Anjali Jain · Inc42
SUMMARY
- The shutdowns point to a widespread reliance on generic third-party BMS software without adequate authentication or access controls
- The controversy also raises broader questions around data privacy as many BMS apps access and generate data such as GPS location, driver behaviour and vehicle usage patterns
- The same concerns extend to the broader IoT ecosystem, especially imported and white-labelled devices
Social media feeds over the past week have been flooded with videos of people accessing the battery management systems (BMS) of electric rickshaws and loaders to remotely disable the vehicles. While the videos may have amused the pranksters and viewers, they left drivers stranded, disrupted trips, and raised concerns about the security of connected EV systems.
At the centre of the controversy are BMS units that communicate through widely used mobile applications such as BAT BMS, Lossigy and Epoch Li-ion, some of which are of Chinese origin. These apps connect to the BMS over Bluetooth, allowing users to monitor battery health, charge level, voltage, temperature and discharge behaviour.
A BMS is an embedded controller inside a lithium-ion battery pack that monitors these parameters while also preventing overcharging and overheating.
However, experts say the BMS installed in budget EVs either lack adequate authentication or rely on default access settings. Consequently, anyone within Bluetooth range – typically 10-15 metres – can connect to the BMS using the aforementioned apps. Depending on how the BMS is configured, that person can view battery data or issue commands that disable the battery’s output, making the vehicle inoperable.
In simple terms, the person is not “hacking” in the conventional sense. Instead, they are exploiting weak access controls in the BMS for unauthorised access to features that affect the vehicle’s operations.
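To make the distinction concrete, the following is an added example written for this page, not code from the article, from any of the named apps, or from any real BMS firmware. It models the command channel of a Bluetooth-connected BMS in two forms: the weak design the article describes, where any connected peer can issue a control command, and a hardened design in which telemetry stays readable but control commands require a session proven by an HMAC challenge-response under a per-pack key. The command codes, the key format, the "bms-auth" label and the list of factory-default keys are all assumptions; the Bluetooth transport itself is not modelled, so `handle()` stands in for a write to the BMS's command characteristic.

```python
"""Toy model of a BMS command channel: weak design beside a hardened one.

Hypothetical example. Command codes, key handling and the protocol are
assumptions, not those of any real BMS or mobile app. handle() stands in for
a write to the BMS's Bluetooth command characteristic.
"""
import hashlib
import hmac
import os

CMD_READ_STATUS = 0x01   # assumed: telemetry query (state of charge, output state)
CMD_SET_OUTPUT = 0x02    # assumed: payload b"\x00" disables the discharge output

# Constructed list of factory defaults that must never be accepted as a pack key.
WEAK_DEFAULT_KEYS = {b"000000", b"123456", b"1234", b"0000"}


class UnauthenticatedBMS:
    """The weak pattern: whoever connects can issue any command."""

    def __init__(self):
        self.soc = 78                 # state of charge, constructed sample value
        self.output_enabled = True

    def handle(self, cmd: int, payload: bytes = b"") -> dict:
        if cmd == CMD_READ_STATUS:
            return {"soc": self.soc, "output": self.output_enabled}
        if cmd == CMD_SET_OUTPUT:
            # No check of who is asking: a bystander can cut the output.
            self.output_enabled = payload[:1] == b"\x01"
            return {"output": self.output_enabled}
        return {"error": "unknown command"}


class AuthenticatedBMS:
    """Hardened pattern: telemetry is open, control needs an authenticated session."""

    def __init__(self, pack_key: bytes):
        # Refuse factory defaults and short keys at provisioning time (assumed policy).
        if pack_key in WEAK_DEFAULT_KEYS or len(pack_key) < 16:
            raise ValueError("refuse factory-default or short pack keys")
        self._key = pack_key
        self._nonce = None
        self.session_ok = False
        self.soc = 78
        self.output_enabled = True

    def challenge(self) -> bytes:
        """Issue a fresh nonce; any earlier session is dropped."""
        self._nonce = os.urandom(16)
        self.session_ok = False
        return self._nonce

    def authenticate(self, response: bytes) -> bool:
        """Accept the session only if the peer proves knowledge of the pack key."""
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, b"bms-auth" + self._nonce, hashlib.sha256).digest()
        self._nonce = None   # single use, so a sniffed response cannot be replayed
        self.session_ok = hmac.compare_digest(expected, response)
        return self.session_ok

    def handle(self, cmd: int, payload: bytes = b"") -> dict:
        if cmd == CMD_READ_STATUS:
            return {"soc": self.soc, "output": self.output_enabled}
        if cmd == CMD_SET_OUTPUT:
            if not self.session_ok:
                return {"error": "unauthorised: control commands need an authenticated session"}
            self.output_enabled = payload[:1] == b"\x01"
            return {"output": self.output_enabled}
        return {"error": "unknown command"}


def owner_response(pack_key: bytes, nonce: bytes) -> bytes:
    """What the owner's app computes from the provisioned key and the challenge."""
    return hmac.new(pack_key, b"bms-auth" + nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Run the scenarios from the article against both designs; returns pass/fail flags."""
    results = {}

    weak = UnauthenticatedBMS()
    weak.handle(CMD_SET_OUTPUT, b"\x00")          # stranger in Bluetooth range, no credentials
    results["weak_disabled_by_stranger"] = not weak.output_enabled

    key = os.urandom(32)                          # per-pack key provisioned at pairing (assumed)
    hard = AuthenticatedBMS(key)
    stranger = hard.handle(CMD_SET_OUTPUT, b"\x00")
    results["hard_refuses_stranger"] = "error" in stranger and hard.output_enabled
    results["hard_telemetry_open"] = hard.handle(CMD_READ_STATUS)["soc"] == 78

    nonce = hard.challenge()                      # owner's app: challenge-response, then control
    resp = owner_response(key, nonce)
    results["owner_auth_ok"] = hard.authenticate(resp)
    hard.handle(CMD_SET_OUTPUT, b"\x00")
    results["owner_can_control"] = not hard.output_enabled

    hard.challenge()                              # attacker replays the sniffed response
    results["replay_rejected"] = not hard.authenticate(resp)

    try:
        AuthenticatedBMS(b"123456")
        results["default_key_refused"] = False
    except ValueError:
        results["default_key_refused"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The hardened class keeps the read-only telemetry path open, since that is the legitimate use of these apps, and gates only the state-changing command. In a real product the per-pack key would be provisioned at pairing and the challenge-response would run over an encrypted, bonded Bluetooth link; the point here is that a default or absent credential is what turns "anyone in range can read the battery" into "anyone in range can stop the vehicle".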