BAT BMS Raise EV Security Concerns in India; TraceX Labs Releases Comprehensive BMS Security Advisory and Mitigation Guidance

A series of viral videos circulating on social media has triggered widespread concern regarding the cybersecurity of Battery Management Systems (BMS) used in India's electric vehicles, particularly commercial e-rickshaws. The videos reportedly show individuals using Bluetooth-enabled mobile applications to connect to nearby battery systems, allegedly causing vehicles to stop unexpectedly.

The incidents have sparked discussion among drivers, fleet operators, battery manufacturers, cybersecurity researchers, and regulatory stakeholders, highlighting the increasing importance of securing connected battery technologies as India's electric mobility sector expands rapidly.

Bluetooth-based exposure, not remote hacking

According to multiple reports, the issue appears to be linked to certain Bluetooth-enabled BMS implementations that may have been deployed with weak or misconfigured security settings. In some cases, Bluetooth interfaces may remain discoverable, use factory-default credentials, or lack proper authentication controls.

Security experts emphasize that this is not a malware-based or internet-driven remote cyberattack, but rather a local Bluetooth Low Energy (BLE) interaction issue. Any potential impact depends heavily on the specific hardware design, firmware configuration, and security implementation of the BMS, meaning not all EVs or battery systems are affected.

TraceX Labs issues technical advisory

In response to growing concerns, TraceX Labs has released a detailed cybersecurity advisory titled:

Unauthorized Over-the-Air Disruption of EV Battery Management Systems (BMS) via Unauthenticated Bluetooth Low Energy (BLE) Controls.

The report, prepared by the TraceX Labs IoT Security Research Team, provides a technical breakdown of the issue, analyzes Bluetooth-related vulnerabilities, and evaluates potential risks to India's electric vehicle ecosystem. It also outlines mitigation strategies for manufacturers, fleet operators, service technicians, regulators, and vehicle owners.

Key security weaknesses identified

The advisory highlights several potential misconfigurations that could expose BMS units to unauthorized access, including:

  • Lack of authentication for critical Bluetooth functions
  • Factory-default or publicly known PINs
  • Unrestricted write access to battery control interfaces
  • Absence of device whitelisting or access control lists
  • Bluetooth modules remaining permanently discoverable after deployment

If present, these weaknesses could allow nearby devices running compatible diagnostic tools to interact with battery systems without authorization.

Potential impact on EV operations

Battery Management Systems play a crucial role in monitoring battery health, balancing cells, and ensuring safe charging and discharging cycles. According to the report, insecure configurations could potentially lead to operational disruptions, including:

  • Sudden vehicle shutdowns during operation
  • Safety risks for drivers and passengers
  • Downtime for commercial fleets
  • Financial losses for operators
  • Reduced trust in connected EV systems

The advisory also notes that India's fast-growing e-rickshaw ecosystem, combined with low-cost imported BMS hardware, increases the importance of robust cybersecurity practices across the supply chain.

Recommended immediate mitigation steps

TraceX Labs recommends that stakeholders take immediate steps to reduce exposure, including:

  • Replacing default Bluetooth credentials with strong unique passwords
  • Disabling Bluetooth advertising when not required
  • Restricting pairing to authorized devices only
  • Applying available firmware updates from manufacturers
  • Temporarily disconnecting external Bluetooth modules where secure controls are unavailable
  • Conducting regular security audits of deployed systems

In cases where firmware limitations prevent secure configuration, the report suggests a temporary hardware-level mitigation involving disconnection of Bluetooth modules, to be performed only by qualified technicians under proper safety procedures.

Long-term security recommendations

Beyond immediate fixes, the advisory urges manufacturers to adopt secure-by-design principles, including:

  • Cryptographic authentication for Bluetooth communication
  • Encrypted BLE data exchange
  • Secure pairing protocols
  • Mandatory secure initialization during first setup
  • Disabling wireless interfaces by default until properly configured
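
Two of the weaknesses listed earlier (no authentication on critical functions, no device allowlist) and the cryptographic-authentication recommendation above can be addressed by one application-layer gate in front of write commands. The following is an added example, not code from the TraceX Labs advisory or from any BMS vendor; the opcode, client IDs and per-device key provisioning are assumptions, and the firmware logic is modelled in Python for readability.

```python
import hashlib
import hmac
import secrets

SET_DISCHARGE = 0x02  # hypothetical opcode for a safety-critical write


class BmsWriteGate:
    """BMS-side check: device allowlist plus HMAC challenge-response."""

    def __init__(self, device_keys):
        # Assumed model: {client_id: 32-byte key} provisioned at first setup.
        self._keys = dict(device_keys)
        self._pending = {}  # client_id -> outstanding one-time challenge

    def challenge(self, client_id):
        if client_id not in self._keys:      # not on the allowlist
            return None
        nonce = secrets.token_bytes(16)
        self._pending[client_id] = nonce
        return nonce

    def authorize(self, client_id, command, tag):
        key = self._keys.get(client_id)
        nonce = self._pending.pop(client_id, None)  # single use, so replays fail
        if key is None or nonce is None:
            return False
        expected = hmac.new(key, nonce + command, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)   # constant-time compare


def sign_command(key, nonce, command):
    """Client side: bind the tag to this challenge and this exact command."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest()


def demo():
    key = secrets.token_bytes(32)
    gate = BmsWriteGate({"service-tablet-01": key})  # constructed client ID
    cmd = bytes([SET_DISCHARGE, 0x00])
    tag = sign_command(key, gate.challenge("service-tablet-01"), cmd)
    out = {"authorized": gate.authorize("service-tablet-01", cmd, tag)}
    out["replayed"] = gate.authorize("service-tablet-01", cmd, tag)
    out["unlisted_device"] = gate.challenge("nearby-phone") is not None
    bad = sign_command(b"0" * 32, gate.challenge("service-tablet-01"), cmd)
    out["default_key"] = gate.authorize("service-tablet-01", cmd, bad)
    tag = sign_command(key, gate.challenge("service-tablet-01"), cmd)
    out["tampered"] = gate.authorize("service-tablet-01", bytes([SET_DISCHARGE, 1]), tag)
    return out


if __name__ == "__main__":
    print(demo())
```

A gate like this complements, rather than replaces, encrypted BLE links and secure pairing: it only ensures that a write is accepted when it comes from a provisioned device answering a fresh challenge.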

It also recommends that regulators strengthen cybersecurity requirements for EV systems, including mandatory wireless security testing and structured vulnerability disclosure frameworks.

Full report available

The complete technical advisory includes detailed sections on threat modeling, attack surface analysis, EV ecosystem risk assessment, mitigation procedures, and policy recommendations.

The full document is available here:
TraceX Labs BMS Security Advisory

As electric vehicles become increasingly connected, cybersecurity is emerging as a core safety requirement. The report underscores the need for stronger security controls in Bluetooth-enabled Battery Management Systems to ensure reliability and trust in India's rapidly evolving electric mobility sector.