Your E-Rickshaw Can Be Hacked In Seconds. India’s EV Boom Is Creating A Weaponizable IoT Network.

Ramesh had been driving his e-rickshaw in Delhi for three years. It was his only source of income. One afternoon, the battery simply stopped working. The display went dark. He couldn’t move. No mechanic could fix it. Then a message popped up on his phone: ‘Pay ₹5,000 or your battery stays dead.’

This isn’t a dystopian fiction. This is happening right now, thanks to a simple app that exploits the battery management system (BMS) built into every modern e-rickshaw. The very technology designed to protect your battery is now the weapon used to hold it hostage.

You’ve probably seen these three-wheeled EVs zipping through Indian streets. They’re cheap, electric, and everywhere. The government loves them—they’re the face of a green revolution at the bottom of the economic pyramid. But what nobody’s talking about is the hidden cost of that connectivity.

Every e-rickshaw’s BMS is essentially a computer that monitors battery health, temperature, and charge cycles. To make maintenance easy, manufacturers added Bluetooth or cellular connectivity—often through a companion app. That app can disable the battery remotely. It was intended for safety and theft prevention. But the same feature can be turned against the driver.

Here’s the ugly truth: these apps are rarely secured. No encryption, no authentication worth the name. A hacker—or a local thug with a smartphone—can scan for nearby e-rickshaws, pair with the BMS, and flip a switch. The driver is stranded. The only way out is to pay up or replace the battery.

We are building a massive IoT network of the urban poor—and forgetting to lock the doors. Innovation without security doesn’t just fail; it weaponises vulnerability. The most marginalised drivers—those who can barely afford rent, let alone cybersecurity—become the targets.

This is not a bug; it’s a feature of unregulated rapid adoption. India’s push for EV adoption has created a security nightmare. The BMS was engineered to optimise battery life, but its connectivity is the vector. We thought we were building a greener future. Instead, we’ve built a digital prison where the keys are held by anyone with an app.

Don’t believe it’s that easy? A security researcher I spoke to demonstrated the hack on a popular e-rickshaw model in under two minutes. He didn’t need any special equipment—just a standard Android phone and a free app from a third-party store. Two minutes to turn a working vehicle into a useless metal box.

And the worst part? There’s no accountability. The battery manufacturers claim it’s a driver’s responsibility to secure their device. The app developers say it’s the manufacturer’s problem. The government is still celebrating EV adoption numbers while ignoring the digital shantytown they’re building.

You might think this doesn’t affect you if you don’t drive an e-rickshaw. But your delivery, your commute, your food—all rely on these vehicles. When the most vulnerable are exploited, the entire ecosystem suffers. A society that digitises the poor without protecting them is not innovating—it’s creating a new class of digital serfs.

This is not inevitable. Simple fixes exist: mandatory authentication, over-the-air updates, and basic encryption. But they require regulation and pressure. Until then, every e-rickshaw on the road is a potential target.

The next time you see an e-rickshaw, remember: its driver’s livelihood is only as secure as the security of a cheap app. And that’s not secure at all.

FAQ

Q: Isn't this just a niche problem affecting a small number of poorly configured vehicles?

A: No. The vulnerability exists in the most popular e-rickshaw BMS units used across India. Millions of vehicles are at risk, and the number is growing exponentially as EV adoption accelerates. This is a systemic issue, not a fringe one.

Q: What can a regular person do to protect themselves if they drive an e-rickshaw?

A: First, disable Bluetooth or cellular connectivity on the BMS if possible. If not, avoid using third-party battery management apps. Insist that your battery vendor provides a physical disconnect switch for remote functions. Ultimately, the fix must come from regulators mandating basic security standards.

Q: Aren't we overreacting? The government will eventually regulate this, and the free market will solve it with better apps.

A: That's exactly the complacency that allows exploitation to thrive. The free market has already failed—manufacturers prioritize cost over security. Waiting for regulation means thousands of drivers will be extorted in the meantime. The problem is here, now, and it's only getting worse.

📎 Source: View Source