Viral BAT-BMS App Misuse Raises EV Security Concerns Across India; TraceX Labs Releases Comprehensive BMS Advisory

A series of viral videos circulating on social media has brought the cybersecurity of India's electric vehicles into the spotlight after pranksters were allegedly seen using a Bluetooth-enabled mobile application to interfere with Battery Management Systems (BMS) installed in commercial e-rickshaws.

The videos, which have been widely shared across platforms such as X, Instagram, Facebook, and YouTube, appear to show individuals connecting to nearby battery systems through the BAT-BMS application and triggering commands that allegedly stop e-rickshaws while they are in operation. The incidents have sparked concern among drivers, fleet operators, battery manufacturers, cybersecurity researchers, and government authorities, raising broader questions about the security of wireless battery management technologies used in the country's rapidly growing electric mobility sector.

Viral Videos Trigger Public Concern

In several of the videos, pranksters are seen following moving e-rickshaws before scanning for nearby Bluetooth-enabled batteries using the BAT-BMS application. After connecting to what appears to be an unsecured Battery Management System, they activate a battery control function, following which the vehicle reportedly comes to a sudden halt.

Some videos show confused drivers attempting to restart their vehicles, while others depict drivers pushing their e-rickshaws after the battery reportedly stopped supplying power. In one widely circulated clip, members of the public confront a person allegedly using the application and accuse him of deliberately disrupting nearby vehicles.

The videos have attracted millions of views online and ignited discussions over whether inadequate Bluetooth security in certain Battery Management Systems could allow unauthorized access.

The Issue Is Not the App: It's Insecure BMS Configuration

Cybersecurity experts emphasize that the BAT-BMS application itself is a legitimate battery monitoring and diagnostic tool intended for use by battery manufacturers, service engineers, and authorized users.

The concern, researchers say, lies with Battery Management Systems that have been deployed without adequate Bluetooth security protections.

Where Bluetooth remains publicly discoverable, authentication is missing, or default passwords are left unchanged, nearby users may be able to establish a Bluetooth Low Energy (BLE) connection using compatible applications.

Experts also stress that the reported incidents do not represent internet-based hacking or malware attacks. The interaction occurs locally over Bluetooth and requires the attacker to be within wireless communication range of the battery system.

Furthermore, not every Battery Management System is affected. The risk depends entirely on the hardware manufacturer, firmware version, and security configuration implemented in each battery pack.

TraceX Labs Publishes Technical Security Advisory

Amid growing public concern, cybersecurity research organization TraceX Labs has released a comprehensive advisory titled:

"Unauthorized Over-the-Air Disruption of EV Battery Management Systems (BMS) via Unauthenticated Bluetooth Low Energy (BLE) Controls."

Prepared by the TraceX Labs IoT Security Research Team, the advisory provides an in-depth technical analysis of the reported issue and explains how weak Bluetooth implementations in certain Battery Management Systems could expose vehicles to unauthorized local access.

The report also outlines mitigation strategies for manufacturers, battery assemblers, fleet operators, regulators, charging infrastructure providers, service centers, and electric vehicle owners.

Security Weaknesses Identified

According to the advisory, vulnerable Battery Management Systems may contain security flaws such as:

  • No authentication before executing critical Bluetooth commands.
  • Factory-default Bluetooth credentials that remain unchanged after deployment.
  • Bluetooth interfaces left permanently discoverable.
  • Missing device whitelisting or access control mechanisms.
  • Battery control functions exposed without sufficient authorization checks.

If these weaknesses exist, an individual within Bluetooth range may be able to communicate with the Battery Management System using a compatible diagnostic application.

Possible Consequences

Battery Management Systems perform essential safety functions, including monitoring battery voltage, balancing cells, controlling charging and discharging, and protecting lithium-ion batteries from unsafe operating conditions.

TraceX Labs warns that unauthorized interaction with vulnerable systems could potentially lead to:

  • Unexpected interruption of battery discharge.
  • Sudden loss of vehicle power.
  • Increased road safety risks.
  • Service disruptions for commercial e-rickshaw operators.
  • Financial losses due to operational downtime.
  • Reduced confidence in connected electric vehicle technologies.

The advisory notes that India's rapidly expanding electric mobility market, together with the increasing use of affordable Bluetooth-enabled battery systems, makes cybersecurity an important consideration throughout the EV supply chain.

Immediate Mitigation Measures

To reduce potential exposure, TraceX Labs recommends that manufacturers, battery suppliers, fleet operators, and vehicle owners immediately review the security settings of Bluetooth-enabled Battery Management Systems.

Key recommendations include:

  • Replace default Bluetooth passwords with strong, unique credentials.
  • Disable Bluetooth broadcasting when wireless monitoring is not required.
  • Restrict pairing to trusted and authorized devices.
  • Install manufacturer-issued firmware updates whenever available.
  • Conduct periodic security assessments of deployed Battery Management Systems.
  • Temporarily disconnect external Bluetooth modules where secure configuration is not supported.

The advisory also notes that any hardware modifications should only be performed by trained professionals following appropriate electrical safety procedures.

Building More Secure Battery Systems

Beyond immediate mitigation, TraceX Labs encourages manufacturers to adopt secure-by-design principles in future Battery Management Systems.

These recommendations include encrypted Bluetooth communication, mandatory authentication for critical operations, secure pairing procedures, Bluetooth disabled by default, secure first-time device initialization, regular security testing, and coordinated vulnerability disclosure programs.
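An added example, not taken from the TraceX Labs advisory or from any BMS vendor's firmware: a Python model of a command handler that applies three of these principles (mandatory authentication for critical operations, pairing restricted to authorized devices, and no control access before first-time initialization). The opcodes, class name, and per-pack key scheme are hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical opcodes for illustration; not from any real BMS protocol.
READ_STATUS, SET_DISCHARGE = 0x01, 0x02
CRITICAL = {SET_DISCHARGE}


class BmsSession:
    """Model of one BLE connection to a battery pack."""

    def __init__(self, pack_key, allowlist):
        self.pack_key = pack_key         # None = never provisioned (factory state)
        self.allowlist = set(allowlist)  # peer addresses allowed to authenticate
        self.nonce = None
        self.authenticated = False

    def challenge(self, peer):
        # No challenge for unknown peers or for a pack with no unique key yet.
        # Addresses can be spoofed, so the allowlist only narrows exposure;
        # the keyed response below is the actual control.
        if self.pack_key is None or peer not in self.allowlist:
            return None
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def respond(self, tag):
        # The nonce is single-use: clear it first so a captured tag cannot be replayed.
        nonce, self.nonce = self.nonce, None
        if nonce is None:
            return False
        expected = hmac.new(self.pack_key, nonce, hashlib.sha256).digest()
        self.authenticated = hmac.compare_digest(expected, tag)
        return self.authenticated

    def handle(self, opcode):
        # Telemetry stays readable; anything that changes power state needs auth.
        if opcode in CRITICAL and not self.authenticated:
            return "DENIED"
        return "OK"


def client_tag(key, nonce):
    """Response an authorized service tool computes from the challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()
```

In this model a pack that still has no unique key never issues a challenge, so its control commands stay locked until it has been initialized with its own credential.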

The advisory further recommends strengthening cybersecurity requirements for connected battery systems through industry standards and regulatory frameworks to better protect India's evolving electric vehicle ecosystem.

A Wake-Up Call for Connected Electric Mobility

The recent viral videos have highlighted how weak wireless security configurations can be exploited when proper safeguards are absent. While the BAT-BMS application is designed for legitimate battery management and diagnostics, its alleged misuse against improperly secured Battery Management Systems underscores the need for stronger cybersecurity practices across the electric vehicle industry.

Through its latest advisory, TraceX Labs aims to help manufacturers, regulators, service providers, fleet operators, and vehicle owners understand these risks and implement practical measures to secure Battery Management Systems as connected electric mobility continues to expand across India.