Viral BAT-BMS Videos Spark EV Security Concerns Across India; TraceX Labs Publishes Comprehensive BMS Security Advisory

A series of viral videos circulating across social media has brought renewed attention to the cybersecurity of Battery Management Systems (BMS) used in India's electric vehicles, particularly commercial e-rickshaws. The videos, which have gained widespread traction online, appear to show individuals using Bluetooth-enabled mobile applications to interact with nearby battery systems, raising concerns among drivers, fleet operators, manufacturers, and regulators.

The incident has fueled discussions about the security of Bluetooth-enabled Battery Management Systems deployed in thousands of electric vehicles across the country and highlights the growing importance of cybersecurity in India's rapidly expanding EV ecosystem.

According to multiple news reports, some commercially available Battery Management Systems may expose Bluetooth Low Energy (BLE) interfaces without adequate authentication or continue using factory-default credentials. In such configurations, an individual within Bluetooth range may be able to establish a connection with the battery using compatible diagnostic applications if the device has not been securely configured.

The issue is not related to malware or remote internet hacking. Instead, it involves local Bluetooth communication between a smartphone and a Battery Management System that lacks sufficient access controls. Where appropriate security mechanisms are absent, unauthorized users may be able to access diagnostic or maintenance functions that should normally be restricted to the battery owner or authorized service personnel.

TraceX Labs Releases Technical Security Advisory

In response to the growing public concern, TraceX Labs has published a detailed cybersecurity advisory titled:

"Unauthorized Over-the-Air Disruption of EV Battery Management Systems (BMS) via Unauthenticated Bluetooth Low Energy (BLE) Controls."

The advisory provides a technical assessment of the issue, examines the underlying security architecture of Bluetooth-enabled Battery Management Systems, and offers practical mitigation guidance for manufacturers, battery assemblers, fleet operators, service technicians, regulators, and electric vehicle owners.

According to the advisory, the observed issue is primarily the result of insecure Bluetooth implementations rather than sophisticated cyberattacks. TraceX Labs explains that certain Battery Management Systems may be deployed with security weaknesses including:

  • Missing authentication for critical Bluetooth operations.
  • Factory-default or publicly documented Bluetooth PINs.
  • Unrestricted access to sensitive battery control functions.
  • Lack of device whitelisting or access control mechanisms.
  • Bluetooth interfaces that remain publicly discoverable after deployment.

When these conditions exist simultaneously, a nearby Bluetooth-enabled device may be able to communicate with the Battery Management System if it is compatible with the exposed protocol.

Understanding the Security Risk

Battery Management Systems are responsible for monitoring and protecting lithium-ion battery packs by managing functions such as voltage balancing, temperature monitoring, charging protection, and discharge control.

The TraceX Labs advisory notes that if unauthorized users are able to issue battery control commands on vulnerable systems, the consequences may extend beyond simple inconvenience. Potential risks include:

  • Unexpected interruption of vehicle propulsion.
  • Increased road safety risks for drivers and passengers.
  • Operational disruptions for commercial fleet operators.
  • Financial losses due to service interruptions.
  • Reduced public confidence in electric mobility infrastructure.

The advisory emphasizes that these risks depend on the security configuration of the individual Battery Management System and should not be interpreted as affecting every electric vehicle or every battery on the market.

Immediate Mitigation Recommendations

To reduce potential exposure, TraceX Labs recommends that manufacturers and operators immediately review the security configuration of Bluetooth-enabled Battery Management Systems.

Key recommendations include:

  • Replace factory-default Bluetooth passwords with strong, unique credentials.
  • Disable Bluetooth advertising when wireless monitoring is not required.
  • Restrict Bluetooth pairing to authorized devices only.
  • Install firmware updates released by manufacturers.
  • Remove or disconnect external Bluetooth modules where secure configuration is not available and wireless functionality is unnecessary.
  • Conduct security audits of deployed Battery Management Systems.

For organizations responsible for manufacturing or integrating Battery Management Systems, the advisory recommends implementing authentication, encrypted communications, secure pairing procedures, and secure-by-default configurations in future product releases.

Broader Industry Implications

India's electric mobility sector has experienced rapid growth in recent years, with millions of electric two-wheelers, three-wheelers, and commercial fleet vehicles entering service. As connected technologies become increasingly common within battery systems, cybersecurity is emerging as a critical component of overall vehicle safety.

The TraceX Labs advisory encourages manufacturers, battery assemblers, regulators, and fleet operators to incorporate cybersecurity requirements into future product development, deployment, and compliance processes.

Comprehensive Technical Report Available

The full TraceX Labs advisory includes:

  • Executive Summary
  • Technical Threat Analysis
  • Battery Management System Architecture Overview
  • Bluetooth Attack Methodology
  • Real-World Risk Assessment
  • Immediate Mitigation Guidance
  • Temporary Hardware Protection Measures
  • Software Security Configuration Recommendations
  • Manufacturer Security Requirements
  • Regulatory Policy Recommendations
  • Supply Chain Risk Assessment
  • Long-Term Security Framework

As India's EV ecosystem continues to expand, experts believe that strengthening the cybersecurity of connected battery technologies will be essential to ensuring the long-term safety, reliability, and resilience of electric mobility infrastructure.

TraceX Labs Report :https://tracexlabs.com/reports/bms-security-advisory-immediate-mitigation-for-ev-vehicles.html