NEWS
How the BAT-BMS App Lets Strangers Switch Off E-Rickshaws
BAT-BMS, a Chinese battery monitoring app by Shenzhen Grenergy, is being misused to disable Delhi e-rickshaws via Bluetooth. MeitY is reviewing a Section 69A IT Act block.
A little-known smartphone app called BAT-BMS has become the center of a viral Bluetooth scare across India, with videos showing strangers using the app to switch off moving e-rickshaws in mid-traffic. The app, made by China’s Shenzhen Grenergy Technology, was built to let battery owners monitor voltage, temperature and charge cycles on Bluetooth-enabled lithium packs. Some users have turned its discharge toggle into a remote kill switch.
The controversy has now reached Delhi’s Transport Department and India’s IT Ministry. MeitY is reviewing whether BAT-BMS can be blocked under Section 69A of the Information Technology Act, officials told Moneycontrol. Delhi Transport Minister Pankaj Singh has ordered a separate inquiry, and cyber law experts say anyone using the app to disable a moving vehicle could already face prosecution under Sections 43 and 66 of the same Act. Drivers caught in between say each prank costs them a day’s wages.
The BAT-BMS Battery Monitoring App
BAT-BMS is a free utility from Shenzhen Grenergy Technology Co., Ltd., listed on both Apple’s App Store and Google Play. Its product page describes it as suitable only for “Smart Bluetooth lithium battery” systems, with a Bluetooth Low Energy (BLE) connection and an operating distance of no more than 15 metres. The app pairs with any compatible battery pack nearby and surfaces the readings the battery’s onboard management chip already keeps track of. The full BAT-BMS listing is visible on the BAT-BMS listing on Google Play.
It also exposes a control the user is supposed to manage directly, a toggle that can switch the battery’s discharge function on or off. What reads as a convenience for a solar installer or off-grid hobbyist checking a bank of lithium cells from across a yard becomes a kill switch in the hands of a stranger standing near a parked e-rickshaw. The 15-metre range, the feature list and the developer attribution all come straight from the developer’s own App Store description, which lists the seller as Shenzhen Grenergy Technology Co., Ltd. and the app size as 9.1 MB.
| Feature | What it does |
|---|---|
| Bluetooth pairing | Connects to any compatible lithium battery within 15 metres |
| State of charge | Shows remaining capacity |
| Voltage and current | Live readings for charge and discharge |
| Temperature | Per-cell thermal monitoring |
| Cycle life | Tracks total charge cycles |
| Discharge toggle | Switches the battery’s discharge function on or off |

How the Bluetooth Trick Works
The exploit is not a hack in the traditional sense. The app is doing exactly what its developer designed it to do: pair with a compatible battery and write a discharge-off command. The security failure lives on the battery side, not in the app, which is why every report so far points at the hardware supply chain rather than at BAT-BMS itself.
Most low-cost lithium battery packs sold for Indian e-rickshaws use Chinese battery management system (BMS) chips that ship without authentication by default. Dealers frequently hand the vehicle over without ever configuring a password. The pack then broadcasts its presence over Bluetooth, and any compatible app, BAT-BMS included, can pair with it on demand. Once paired, the app exposes a master “discharge” switch that, when flipped, cuts power to the e-rickshaw’s motor.
What the short viral clips miss is how hit-and-miss the act really is. India Today notes that catching a moving rickshaw on Bluetooth requires the attacker to be close, stationary and lucky enough to find an unsecured and compatible battery. Drivers stopped at lights or in slow traffic are the easiest targets. Drivers moving at speed in dense traffic usually outpace the connection.
- Open BAT-BMS within roughly 15 metres of a parked or slow-moving e-rickshaw whose BMS has no password set.
- Select the exposed battery from the Bluetooth scan list.
- Toggle the discharge function switch inside the app.
- The motor loses power, the dashboard goes dark, and the driver is stranded until someone toggles the battery back on.
Who Is and Isn’t at Risk
The viral clips make it look as though any e-rickshaw on the road can be stopped at will. That is not what is happening. The vulnerability sits in a specific intersection of conditions: a lithium battery, a Bluetooth-enabled BMS, and no password set. Without all three, BAT-BMS has nothing to talk to.
Lead-acid battery e-rickshaws, still a sizeable share of the Indian fleet, have no Bluetooth at all and are completely unaffected. Many lithium-battery e-rickshaws use proprietary battery management software that talks only to the manufacturer’s own app. Those are also unaffected. The vulnerable pool is narrower than the viral clips suggest, but it is still large, made up of budget lithium packs imported with default-open Chinese BMS firmware.
Mukesh Gupta, founder of MaxVolt Energy, told The Lallantop that commercial fleet operators do use telematics-linked BMS units, but those are designed to be controlled only by the operator. The exposure shown in the videos, Gupta said, is not a feature a battery company would ship on purpose. E-rickshaws running factory-secured or proprietary major-brand systems are confirmed safe from interference, India Today reports.
| Setup | Can BAT-BMS switch it off? | Why |
|---|---|---|
| Bluetooth lithium BMS, no password | Yes | Default-open pairing accepts any compatible app |
| Bluetooth lithium BMS, password set | No | Authentication blocks unauthorised pairing |
| Proprietary BMS (manufacturer app only) | No | Incompatible with BAT-BMS |
| Lead-acid battery | No | No Bluetooth hardware at all |
One Driver’s Lost Day in Delhi
The prank is not abstract for the drivers caught in it. Social media influencer Amaan Siddiqui told ANI he came across a stranded driver towing his dead e-rickshaw with another vehicle on a Delhi road and suspected the app was responsible.
“I brought my vehicle behind it and tried connecting my app to the rickshaw,” Siddiqui said in an interview carried by ANI on 3 July 2026. “Once it connected, I asked him to stop and told him that his rickshaw would now restart.” The driver, who had rented the vehicle, told Siddiqui he had spent the whole day trying to get it moving again. Losses came to roughly ₹400 to ₹500 for the day, ANI reported.
Drivers have also been paying bystanders and mechanics out of pocket to “fix” vehicles that have nothing mechanically wrong. The dashboard clears the moment the battery parameters are toggled back on through the app. Some drivers, unaware of the Bluetooth angle, spent hours stuck in traffic before the issue resolved itself or before another user toggled their battery back on remotely.
Siddiqui, in the same ANI interview, said the encounter left him shaken. “He broke down and told me that he had lost an entire day of earning. He had taken the rickshaw on rent. I got emotional too. His rickshaw had been at the same spot for an entire day. What is being done by people is wrong,” Siddiqui told ANI.
The Government’s Response
India’s IT Ministry has now stepped in. MeitY is examining whether BAT-BMS can be blocked, with officials assessing action under Section 69A of the IT Act, the provision that lets the government restrict public access to online content in specified cases. Delhi’s Transport Department has separately launched an inquiry covering both BAT-BMS and a second app called Epoch Li-ion, ANI reported on 3 July 2026.
Delhi Transport Minister Pankaj Singh told reporters the department has been directed to verify the issue and examine the app, and that police action is also expected. BAT-BMS has already been pulled from Apple’s App Store following the coverage, though it remains available on Google Play. The Indian Express, citing department sources, said officials are weighing whether restrictions on unsecured battery management systems should be put in place for safety.
Cyber law expert Pawan Duggal has framed the legal exposure in plainer terms. Unauthorized access to a vehicle’s battery management system can already be prosecuted under Sections 43 and 66 of the IT Act, ANI reported, with penalties of up to three years in prison and a ₹5 lakh fine. His wider point was that an e-rickshaw now sits inside the same legal framework as any other connected device.
Today an e-rickshaw is not just an e-rickshaw; it is a computer system. This is not a game. Entering into the computer system of an e-rickshaw without the consent or knowledge of the owner is punishable with imprisonment and fine.
Pawan Duggal, cyber law expert, speaking to ANI on 3 July 2026.
- 15 metres: Bluetooth operating range per the BAT-BMS App Store listing
- 100,000+: downloads reported on Google Play via AppBrain
- 9.1 MB: app size on the Apple App Store
- ₹400 to ₹500: estimated daily loss reported by the driver in Siddiqui’s encounter
- Up to 3 years prison, ₹5 lakh fine: maximum penalty under IT Act Sections 43 and 66
The Bigger Gap in Connected Battery Hardware
The BAT-BMS episode has drawn cybersecurity specialists into a wider argument about how India’s electric mobility stack is being assembled. Anurag Singh, CEO of RAH Infotech, told Business Standard that the real concern is not the app itself but a pattern of safety-critical vehicle systems going online without proper security review. “When something as critical as a Battery Management System can be accessed through Bluetooth without strong authentication or secure pairing, the concern is not the app alone,” Singh said.
Kunal Bhogal, COO of IIRIS Consulting, made the same point more sharply for the same outlet: “Every unsecured node becomes an attack surface where a digital flaw turns into a physical safety threat on public roads. Without mandated security-by-design and manufacturer accountability, cheap connected hardware will keep scaling these risks across India’s mobility ecosystem.” The pattern echoes how Chinese-origin NFC fraud rings scaled across borders through similarly default-open infrastructure. The fix most often proposed is straightforward: dealers should configure a password before the vehicle leaves the lot, and India’s vehicle registration rules could require it the way telematics standards were mandated for electric vehicles from March 2023. The economics of the fix are cheap. The political will to enforce it is the harder question.
Frequently Asked Questions
What is the BAT-BMS app and who makes it?
BAT-BMS is a free battery management app developed by Shenzhen Grenergy Technology Co., Ltd., a Chinese hardware company. It is designed to let owners monitor Bluetooth-enabled lithium battery packs and toggle the discharge function from a phone within roughly 15 metres, according to the app’s own Google Play and Apple App Store listings.
Is it illegal to use BAT-BMS to disable an e-rickshaw?
Cyber law expert Pawan Duggal has said unauthorised access to an e-rickshaw’s battery management system can already attract prosecution under Sections 43 and 66 of the IT Act, with penalties of up to three years in prison and a ₹5 lakh fine. MeitY is separately examining whether the app itself can be blocked under Section 69A of the IT Act, officials told Moneycontrol.
Which e-rickshaws are actually at risk?
Only e-rickshaws fitted with Bluetooth-enabled lithium battery packs whose BMS has been left without a password. Lead-acid battery e-rickshaws have no Bluetooth at all. E-rickshaws using proprietary battery management software are also unaffected because they do not work with BAT-BMS, according to Digit.in.
What should battery owners and drivers do?
Set a strong Bluetooth pairing password on the BMS at the point of sale, or ask the dealer to do it. Digit.in reports that most of the affected vehicles left the lot with no password configured in the first place. Owners who can already see the battery through a phone app should check the settings and turn on authentication before driving in traffic.
Can the Indian government block BAT-BMS?
MeitY is reviewing whether to block the app under Section 69A of the IT Act, which lets the government restrict public access to online content in specified cases, according to Moneycontrol reporting. The app has already been pulled from Apple’s App Store following the viral coverage. It remains available on Google Play as of 3 July 2026.
-
NEWS4 weeks agoGoogle Search Profiles Build a Follow Graph Inside Discover
-
GAMING3 weeks agoMicrosoft Xbox Layoffs Start in July as Sharma Slams 3% Margin
-
AI2 weeks agoGoogle DeepMind and A24 Sign $75 Million AI Partnership Deal
-
APPS3 weeks agoDGO App Brings Rs 549 Mobile Pass for FIFA World Cup 2026 in Nepal
-
AI1 week agoAnthropic Tells Senators Alibaba Ran the Largest Claude Distillation Attack
-
AI2 weeks agoOracle Cuts 21,000 Jobs in a Year, Cites AI in 10-K Filing
-
NEWS2 months agoApple Strikes Preliminary Deal For Intel To Make iPhone And Mac Chips
-
CRYPTO2 months agoAndreessen Horowitz Bets $2.2B on Crypto’s Quiet Cycle
