The BAT BMS app can be used over unauthenticated Bluetooth Low Energy connections to remotely disable e-rickshaw batteries by toggling the BMS discharge MOSFET. The weakness is in the battery, not the app: cheap Chinese BMS units ship with Bluetooth on, no password set, and the discharge control reachable by any phone in range.
The BAT BMS app, developed by Shenzhen Grenergy Technology, is a legitimate battery management tool available on Google Play and the Apple App Store (100,000+ downloads). It communicates with Bluetooth-enabled lithium Battery Management Systems (BMS) over BLE to monitor voltage, temperature, charge level, and cycle life. A built-in discharge control toggle lets users cut battery output remotely.
The vulnerability: cheap Chinese BMS units ship with Bluetooth enabled, no password set, and the discharge control exposed without any authentication. Anyone within BLE range of these low-power modules (roughly 10-15 metres) can connect with the stock app and switch off the vehicle's battery output; no firmware bug or custom tooling is required.
1. Discovery: The BMS advertises the BLE service UUID 0000ffe0-0000-1000-8000-00805f9b34fb (the 16-bit UUID 0xFFE0 expanded with the Bluetooth base UUID). The BAT BMS app scans for this advertisement within roughly 10-15 metres. Note that 0xFFE0 is a generic serial-over-BLE service used by many unrelated modules, so an advertisement alone identifies a candidate, not a confirmed target.
2. Connection: The app opens a BLE connection. On unsecured units the link is accepted without pairing, PIN, or any application-level password; the BMS treats every central that connects as trusted.
3. Service Discovery: The app enumerates the GATT services and characteristics, locating the read/notify handles that carry battery telemetry and the writable handle that controls the discharge MOSFET.
4. Command Execution: The app writes 0x00 to the discharge-control characteristic. The BMS firmware interprets this as "discharge off" and drives the MOSFET gate to open the circuit, without checking who issued the write.
5. Power Cut: With the discharge MOSFETs open, the path between the cell stack and the output terminals is broken and the motor loses power immediately.
6. Locked State: Some units stay in the discharge-off state after a remote shutdown and need a physical reset of the pack or a fresh app connection before discharge can be re-enabled, so the driver can remain stranded after the attacker has left range.
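The discovery step above is the part of this chain a fleet operator can reproduce passively and at scale: capture advertising packets and see which packs announce the 0xFFE0 service. The script below is an added example, not code from the BAT BMS app or any BMS vendor. It parses raw BLE advertising payloads (the length/type/data "AD structures" from the Bluetooth Core Specification), expands 16-bit UUIDs with the Bluetooth base UUID, and flags devices advertising 0000ffe0-0000-1000-8000-00805f9b34fb. The scan results, addresses and device names are constructed for the example; in practice the payloads would come from a sniffer or the host's BLE stack.

```python
"""Audit a BLE scan for battery packs that advertise the 0xFFE0 service.

Added example, not code from the BAT BMS app or a BMS vendor. The scan
data at the bottom is constructed: addresses and names are invented.
"""
import struct
import uuid

# A 16-bit UUID 0xXXXX expands to 0000XXXX-0000-1000-8000-00805f9b34fb.
BT_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"
BMS_SERVICE_UUID = "0000ffe0" + BT_BASE_SUFFIX   # the UUID the page cites

# AD types from the Bluetooth Assigned Numbers document.
AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE = 0x02, 0x03
AD_UUID128_INCOMPLETE, AD_UUID128_COMPLETE = 0x06, 0x07
AD_SHORT_NAME, AD_COMPLETE_NAME = 0x08, 0x09


def expand_uuid16(short: int) -> str:
    """Expand a 16-bit UUID into the 128-bit canonical string form."""
    return f"0000{short:04x}{BT_BASE_SUFFIX}"


def parse_ad_structures(payload: bytes) -> list:
    """Split a raw advertising payload into (ad_type, data) tuples.

    Each structure is one length byte, one AD-type byte and (length - 1)
    data bytes. A zero length byte marks padding. A length that runs past
    the end of the payload is rejected instead of being silently truncated.
    """
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"truncated AD structure at offset {i}")
        ad_type = payload[i + 1]
        structures.append((ad_type, bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return structures


def advertised_services(payload: bytes):
    """Return (device name or None, list of 128-bit service UUID strings)."""
    name, services = None, []
    for ad_type, data in parse_ad_structures(payload):
        if ad_type in (AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE):
            # 16-bit UUIDs are packed little-endian, two bytes each.
            services.extend(expand_uuid16(s) for (s,) in struct.iter_unpack("<H", data))
        elif ad_type in (AD_UUID128_INCOMPLETE, AD_UUID128_COMPLETE):
            # 128-bit UUIDs are little-endian on the air; reverse to canonical order.
            for off in range(0, len(data), 16):
                services.append(str(uuid.UUID(bytes=data[off:off + 16][::-1])))
        elif ad_type in (AD_SHORT_NAME, AD_COMPLETE_NAME):
            name = data.decode("utf-8", errors="replace")
    return name, services


def audit_scan(scan: dict) -> list:
    """Flag every device in {address: payload} that advertises the BMS service.

    A hit means "inspect this pack", not proof that it is unauthenticated:
    0xFFE0 is a generic serial-over-BLE service, and whether the discharge
    write is accepted without a password can only be confirmed by connecting.
    """
    flagged = []
    for addr, payload in scan.items():
        name, services = advertised_services(payload)
        if BMS_SERVICE_UUID in services:
            flagged.append((addr, name))
    return flagged


# Constructed scan results (addresses and names invented for the example).
SAMPLE_SCAN = {
    # budget pack: flags, complete list of 16-bit UUIDs [0xFFE0], complete name
    "AA:BB:CC:00:00:01": b"\x02\x01\x06" + b"\x03\x03\xe0\xff" + b"\x08\x09BMS-12V",
    # fitness tracker advertising Heart Rate (0x180D): not a BMS
    "AA:BB:CC:00:00:02": b"\x02\x01\x06" + b"\x03\x03\x0d\x18" + b"\x04\x09HRM",
    # the same service announced as a full 128-bit UUID (little-endian on the air)
    "AA:BB:CC:00:00:03": b"\x02\x01\x06"
                         + b"\x11\x07" + uuid.UUID(BMS_SERVICE_UUID).bytes[::-1]
                         + b"\x08\x09PACK-03",
}

if __name__ == "__main__":
    for addr, name in audit_scan(SAMPLE_SCAN):
        print(f"{addr}  {name!r}  advertises 0xFFE0: verify that discharge control needs a password")
```

Running it lists the two packs and skips the heart-rate monitor. The follow-up for each flagged address is the page's step 2: attempt a connection and a read of the discharge characteristic from an unpaired phone; if the unit answers, it is one of the vulnerable units described here and needs a password set or Bluetooth disabled.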
Only vehicles whose lithium pack uses a Bluetooth-enabled BMS without password authentication are exposed:
| Vehicle Type | Vulnerable? | Reason |
|---|---|---|
| Lead-acid battery e-rickshaw | No | No BMS, no Bluetooth |
| Premium lithium EV (Ola, Ather, Bajaj) | No | Proprietary BMS with authentication |
| Budget lithium e-rickshaw with Chinese BMS | Yes | Unsecured Bluetooth BMS, no password set |
| DIY-converted e-rickshaw with generic pack | Yes | Cheap Chinese BMS, same unsecured Bluetooth |
| Electric scooter with no-name battery | Yes | Same unsecured Bluetooth BMS |
Set a BMS password: Use the BAT BMS app or the manufacturer's configuration tool to set a PIN under device settings, then confirm from a second, unpaired phone that the discharge toggle is refused.
Disable Bluetooth on the BMS: Many units allow Bluetooth to be turned off through desktop configuration software. Check with your battery supplier; once disabled, the pack no longer advertises and cannot be reached from a phone.
Upgrade to a secure BMS: Replace the unit with a BMS that supports password authentication and encrypted BLE. Cost: ₹500-₹2,000.
Physically secure the battery enclosure: A locked enclosure stops an attacker from reaching the BMS module to reset it, swap it, or clear a password you have set.
Switch to lead-acid temporarily: Lead-acid packs have no Bluetooth BMS and are not exposed to this attack.
Report incidents: File a complaint with the local police and the cybercrime cell under the IT Act 2000.
Our cybersecurity team provides vulnerability assessments, penetration testing, and security architecture consulting for Indian businesses.