Critical Bluetooth / EV
BAT BMS / Tirri Control — Bluetooth BMS Exploit

The BAT BMS app can be used over unauthenticated Bluetooth Low Energy connections to remotely disable e-rickshaw batteries by toggling the BMS discharge MOSFET. This affects cheap Chinese BMS units with no password protection.

Published: 2 July 2026
Updated: 2 July 2026

Affected Systems

  • Chinese BMS units (Shenzhen Grenergy, JBD, Xiaoxiang) without password authentication
  • E-rickshaws with Bluetooth-enabled lithium batteries
  • Electric two-wheelers with no-name lithium battery packs
  • DIY-converted EVs using generic Chinese BMS modules

Technical Overview

The BAT BMS app, developed by Shenzhen Grenergy Technology, is a legitimate battery management tool available on Google Play and the Apple App Store (100,000+ downloads). It communicates with Bluetooth-enabled lithium Battery Management Systems (BMS) over BLE to monitor voltage, temperature, charge level, and cycle life. A built-in discharge control toggle lets users cut battery output remotely.

The vulnerability: cheap Chinese BMS units ship with Bluetooth enabled, no password set, and the discharge control exposed without authentication. Anyone within 10-15 metres can connect using the app and disable the vehicle.

Attack Flow

  1. Discovery — The BMS broadcasts BLE advertising packets with UUID 0000ffe0-0000-1000-8000-00805f9b34fb. The BAT BMS app scans for these within 10-15 metres.

  2. Connection — The app sends a BLE connection request. On unsecured units, this is accepted without any PIN, password, or authentication.

  3. Service Discovery — The app queries available BLE services and characteristics, finding read/write handles for battery data and the discharge MOSFET control.

  4. Command Execution — The app writes 0x00 to the discharge control characteristic handle, signalling the BMS firmware to open the MOSFET circuit.

  5. Power Cut — The MOSFETs open, breaking the circuit between battery cells and output terminals. The motor loses power instantly.

  6. Locked State — Some BMS units remain locked after a remote shutdown, requiring a physical battery reset or app reconnection to re-enable discharge.

Affected Systems

Only vehicles with Bluetooth-enabled lithium battery BMS units lacking password authentication are vulnerable:

Vehicle Type                                | Vulnerable? | Reason
Lead-acid battery e-rickshaw                | No          | No BMS or Bluetooth
Premium lithium EV (Ola, Ather, Bajaj)      | No          | Proprietary BMS with authentication
Budget lithium e-rickshaw with Chinese BMS  | Yes         | Unsecured Bluetooth BMS
DIY-converted e-rickshaw with generic pack  | Yes         | Cheap Chinese BMS
Electric scooter with no-name battery       | Yes         | Same vulnerability

Impact

  • Safety hazard — Sudden vehicle stop in traffic can cause accidents
  • Livelihood disruption — E-rickshaw drivers lose income while stranded
  • Repeatable attack — No permanent damage, but attacker can toggle discharge repeatedly
  • Widespread target base — Over 15 lakh e-rickshaws in India, many using budget lithium packs

Mitigation

  1. Set a BMS password — Use the BAT BMS app or manufacturer configuration tool to set a PIN under device settings.

  2. Disable Bluetooth on the BMS — Many units support turning off Bluetooth via desktop configuration software. Check with your battery supplier.

  3. Upgrade to a secure BMS — Replace with a BMS supporting password authentication and encrypted BLE. Cost: ₹500–₹2,000.

  4. Physically secure the battery enclosure — Prevent attackers from accessing/resetting the BMS module directly.

  5. Switch to lead-acid temporarily — Lead-acid batteries do not use Bluetooth BMS and are immune.

  6. Report incidents — File a complaint with local police and cybercrime cell under IT Act 2000.
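
To verify mitigation step 2 on your own packs, the added example below (not part of the original advisory or any vendor tool) parses raw BLE advertising payloads and lists the packs that still advertise the service UUID from the Discovery step. The pack labels and payload bytes are constructed samples; a match marks a pack to re-check, not proof that its BMS is unprotected.

```python
import uuid

# Service UUID from the advisory's Discovery step.
BMS_SERVICE = uuid.UUID("0000ffe0-0000-1000-8000-00805f9b34fb")
# Bluetooth Base UUID: a 16-bit UUID xxxx is shorthand for 0000xxxx + this suffix.
BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"

def parse_ad(payload: bytes):
    """Split a BLE advertising payload into (ad_type, data) structures."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # zero length marks padding, stop
            break
        if i + 1 + length > len(payload):    # structure runs past the payload
            raise ValueError("truncated AD structure at offset %d" % i)
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def service_uuids(payload: bytes):
    """Return every 16-bit and 128-bit service UUID listed in the payload."""
    found = set()
    for ad_type, data in parse_ad(payload):
        if ad_type in (0x02, 0x03):          # 16-bit UUID lists, little-endian
            for j in range(0, len(data) - 1, 2):
                short = int.from_bytes(data[j:j + 2], "little")
                found.add(uuid.UUID("0000%04x%s" % (short, BASE_SUFFIX)))
        elif ad_type in (0x06, 0x07):        # 128-bit UUID lists, little-endian
            for j in range(0, len(data) - 15, 16):
                found.add(uuid.UUID(bytes=data[j:j + 16][::-1]))
    return found

def still_advertising(captures: dict):
    """Labels of packs whose advertisement still lists the BMS service."""
    return sorted(l for l, p in captures.items() if BMS_SERVICE in service_uuids(p))

# Constructed sample payloads (not captured from real hardware).
CAPTURES = {
    "pack-A": bytes.fromhex("020106" "0303e0ff" "0709424d532d3031"),  # 16-bit form
    "pack-B": bytes.fromhex("020106" "1107" "fb349b5f80000080001000" "00e0ff0000"),
    "pack-C": bytes.fromhex("020106" "03030f18"),  # only Battery Service 0x180F
}

if __name__ == "__main__":
    print(still_advertising(CAPTURES))
```
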

Timeline

  • 2026-07-01: Viral “Tirri Control” videos appear on Instagram and WhatsApp
  • 2026-07-02: Coverage by ABP News, India Today, Business Standard, Times of India
  • 2026-07-02: DigiHaryana publishes this advisory

Prevention Checklist

  • Set a BMS password via manufacturer software
  • Disable Bluetooth broadcast if continuous monitoring is not needed
  • Verify BMS firmware supports encrypted pairing
  • Use tamper-evident seals on the battery enclosure
  • Register battery with manufacturer for firmware alerts
  • Report suspicious power loss to local cybercrime cell

Advisory Details

Severity Critical
Category Bluetooth / EV
Published 2 Jul 2026
