Particle.news

BAT-BMS App Used to Stop E-Rickshaws by Exploiting Unsecured Battery Modules

By exposing weak security in low-cost Bluetooth battery modules, the trend risks driver safety, hurts drivers' incomes, and may trigger firmware fixes or regulatory action.

Overview

  • Viral short videos circulating in recent days show people using the BAT-BMS smartphone app to pair with nearby lithium battery packs in some e-rickshaws and flip a 'discharge' switch that immediately cuts power to the motor.
  • BAT-BMS is a legitimate battery-management app made by Shenzhen Grenergy Technology that can monitor and control compatible Bluetooth-enabled battery management systems (BMS).
  • Reporting and expert analysis trace the cause to insecure, low-cost BMS Bluetooth modules that use weak or no authentication, allowing anyone within roughly 10–15 metres to connect and change discharge settings.
  • Not all e-rickshaws are vulnerable: many still run on lead-acid batteries or use proprietary, password-protected BMS units that the app cannot access, so the exploit affects a limited subset of vehicles.
  • Clips document real harm to drivers who are stranded, lose fares, or must pay others to restart batteries; the app reportedly remains on Google Play, has been removed from Apple's App Store, and authorities have not issued a widespread public response yet.