BAT-BMS issue explained: How an app exposes new cyber-physical security gap
India's BAT-BMS controversy is about more than app takedowns. It shows how connected battery systems can turn digital vulnerabilities into real-world safety risks that extend beyond electric vehicles
)
BAT-BMS like apps expose new cyber-physical security gap for EV batteries
Listen to This Article
The Ministry of Electronics and Information Technology has directed Apple and Google to remove battery-management applications, including BAT-BMS, Lossigy, and Epoch Li-ion, from the App Store and Play Store, respectively. This action came soon after reports emerged that highlighted how those applications were being misused to remotely disable the batteries of e-rickshaws.
At first glance, the move may appear to be another app takedown, but the episode has exposed something far more significant: the growing security risks that emerge when connected hardware controlling real-world machines is built without adequate safeguards. This incident has also given India what may be its first widely visible example of a cyber-physical security problem in the electric mobility ecosystem.
Unlike conventional cybersecurity incidents, where the impact is largely limited to data or digital systems, cyber-physical incidents have real-world consequences. In this case, a smartphone application was allegedly able to stop an electric vehicle from moving by interacting with its battery system.
To understand how that became possible, it is important to first understand the technology at the centre of the controversy: the Battery Management System, or BMS.
Also Read
The battery’s brain
A Battery Management System (BMS) is an electronic control unit (ECU) that monitors and manages a lithium-ion battery pack. Its job is to track parameters such as voltage, current, temperature, and charging behaviour to ensure that the battery operates safely and efficiently. A BMS also helps eliminate performance variations between individual battery cells, extending battery life and ensuring safe operation.
In modern electric vehicles, particularly those powered by lithium-ion batteries, the BMS is one of the most critical components in the battery pack. Without a BMS, a battery would suffer from premature degradation, as compared to a battery with a BMS. But modern BMS units do much more than simply monitor battery health.
Batteries now talk to smartphones
Traditionally, checking a battery’s health required dedicated diagnostic equipment or a physical display attached to the battery pack. Over time, manufacturers began integrating Bluetooth connectivity into BMS units, allowing battery information to be accessed through smartphone applications. This is where apps like BAT-BMS enter the picture.
According to BAT-BMS’s Apple App Store listing, the application allows users to monitor battery charge levels, voltage, current, temperature, cycle life and individual cell status. The app communicates with compatible battery packs over Bluetooth Low Energy (BLE), enabling users to view battery data without opening the battery enclosure or connecting specialised tools. As per the listing, the operating distance is approximately 15 metres.
For battery manufacturers, service centres, technicians and fleet operators, such functionality can make diagnostics significantly faster and cheaper.
The app was not originally designed as a hacking tool but was built as a maintenance and diagnostics utility. However, its misuse made it a problem.
The feature that became a vulnerability
Many Bluetooth-enabled BMS platforms allow authorised users to control certain battery functions in addition to viewing diagnostics. According to BAT-BMS’s app listing, users can manage charging and discharging functions on compatible batteries. These capabilities are useful during servicing, maintenance, and battery configuration.
The problem, however, was not the existence of these controls. The problem was who could access them.
As per several videos shared on social media platforms, these controls were being used to connect to nearby e-rickshaw batteries through Bluetooth and activate the discharge switch. Once the discharge function was disabled, power delivery from the battery pack stopped, immobilising the vehicle. Disabling the discharge circuit effectively cuts off the battery’s power supply to the motor, and since the motor relies on that power to operate, the vehicle can come to a halt almost immediately.
Therefore, the app was not “hacking” the motor, the controller or the vehicle’s electronics. Instead, it was interacting with the battery management system and disabling the battery’s ability to supply power.
Did Bluetooth become the weakest link
The controversy can potentially be described as a Bluetooth issue, but experts argue that Bluetooth itself is not necessarily the problem. The larger concern is authentication. A Delhi government official reportedly told NDTV Profit that some affected systems allegedly lacked password protection or authentication mechanisms.
If a device accepts connections from nearby users without verifying whether they are authorised, the security of the entire system can be compromised regardless of the communication technology being used.
In practical terms, this meant that a person standing within Bluetooth range could potentially connect to a compatible battery through a publicly available application and access controls that were intended for owners, technicians or service personnel. The vulnerability therefore appears to have stemmed from weak access controls rather than from any flaw in Bluetooth technology itself.
Is this limited only to e-rickshaws, or will other EVs also fall prey?
This problem isn’t limited to just e-rickshaws. It stems from low-cost lithium battery packs equipped with Bluetooth-enabled battery management systems that lack adequate security protections.
In principle, any connected component that allows wireless control without adequate access restrictions could create a security risk. In simple words, this means that any EVs, be it e-scooters or electric cars, that use similar technology without adequate security mechanisms can fall prey to this.
However, many electric vehicles use proprietary battery management systems that cannot be accessed through applications such as BAT-BMS. Hence, they will be comparatively safer from such apps.
Scope extends beyond EVs
Although e-rickshaws have become the face of the controversy, the significance of the incident extends beyond transportation.
Battery Management Systems are widely used wherever large lithium-ion battery packs need to be monitored and protected. Alongside electric vehicles, they are increasingly deployed in residential solar energy storage systems, commercial battery backup installations and larger energy storage projects designed to support renewable power integration.
An Indian Express report notes that while automotive applications account for the largest share of the global BMS market, the technology is also extensively used in the energy sector for battery storage and renewable energy integration.
That does not mean the vulnerabilities reported necessarily exist in solar installations or battery storage systems. At present, no evidence has surfaced to suggest that it exists in solar panels as well. However, there is a possibility that it may surface in the future.
It would be safe to say that as batteries become smarter, more connected and increasingly software-driven, cybersecurity becomes relevant wherever connected battery systems are deployed.
A warning for the connected mobility era
Industry experts have urged policymakers and manufacturers not to dismiss the episode as a social-media prank. In an earlier statement to Business Standard, Anurag Singh, Chief Executive Officer of RAH Infotech, said that when safety-critical vehicle systems become connected without strong authentication and secure pairing mechanisms, cybersecurity concerns become inseparable from public safety concerns.
Additionally, an earlier Business Standard report cited Kunal Bhogal, Chief Operating Officer at IIRIS Consulting, as saying that every unsecured connected component can become an attack surface where a digital weakness creates a physical safety risk.
Is delisting apps the solution
The government’s decision to seek the removal of BAT-BMS, Lossigy, Epoch Li-ion and similar applications from app stores may reduce immediate misuse, but it does not address the underlying issue.
The apps themselves were created for legitimate battery monitoring and maintenance purposes. They provide functionality that battery owners, technicians, and service centres genuinely need but the larger challenge lies in ensuring that critical battery controls cannot be accessed by unauthorised users.
That means manufacturers may need to implement stronger authentication systems, mandatory password protection, secure pairing processes, firmware safeguards and stricter access controls for safety-critical functions in the near future.
The BAT BMS controversy has therefore become more than a story about a smartphone application. It has exposed a fundamental lesson for the connected era: once a battery becomes a connected computer, cybersecurity becomes part of safety. As connected batteries find their way into vehicles, homes, businesses, and energy infrastructure, that lesson is likely to become increasingly important.
More From This Section
Don't miss the most important news and views of the day. Get them on our Telegram channel
First Published: Jul 06 2026 | 3:40 PM IST

