How Did BAT-BMS Work? Inside the Now-Banned App That Could Remotely Disable E-Rickshaws
A battery diagnostic app became a public safety issue because some battery packs allowed administrative commands without sufficiently verifying who was sending them.
What began as a viral social media trend quickly turned into a serious public safety concern. Over the past few days, videos showing people remotely switching off moving e-rickshaws using an app called BAT-BMS flooded Instagram and other social media platforms. The trend, popularly dubbed the "Tirri Challenge", prompted the Indian government to order the removal of BAT-BMS and another similar app, Epoch Li-ion, from app stores over safety concerns.
But what exactly was BAT-BMS, and how was it able to stop an e-rickshaw without the driver's knowledge?
BAT-BMS Was Never Meant for Pranks
Despite the attention it has received, BAT-BMS was not designed as a hacking tool. It is a Battery Management System (BMS) companion application developed for lithium-ion battery packs used in electric vehicles, including e-rickshaws.
Battery manufacturers typically ship such apps to dealers, technicians and vehicle owners so they can monitor battery health, check voltage and temperature, view charging status, diagnose faults, update battery firmware, configure battery parameters, and, in some cases, remotely enable or disable battery output.
In other words, the app functions much like the companion apps used with modern electric scooters, power stations and smart batteries. The problem wasn't the existence of the app. It was how some battery manufacturers configured access to it.
The Real Weakness Was Bluetooth
Most affected e-rickshaws used battery packs whose Battery Management System broadcast a Bluetooth signal. If Bluetooth remained enabled and the battery had little or no authentication, anyone within Bluetooth range could discover it using BAT-BMS.
Instead of requiring a unique password or encrypted pairing process, some battery packs reportedly relied on default credentials or no meaningful authentication at all. Once connected, the app exposed administrative controls that included the ability to disable battery output. That effectively cut power from the battery to the motor controller, causing the e-rickshaw to stop.
It Wasn't "Remote" in the Internet Sense
Many reports described BAT-BMS as remotely controlling e-rickshaws, but that's only partly true. The app did not control vehicles over the internet. Instead, it communicated locally using Bluetooth, meaning the attacker had to be within wireless range, typically a few metres to a few dozen metres depending on the battery hardware and phone. That explains why many viral videos showed pranksters standing near traffic signals or roadside junctions before the e-rickshaw suddenly lost power.
Why Were Only Some E-Rickshaws Affected?
Not every e-rickshaw was vulnerable. The issue depended on the battery pack installed in the vehicle.
Only battery systems using compatible BMS hardware with exposed Bluetooth management interfaces could be controlled using BAT-BMS or similar applications. Battery packs that required secure authentication or had Bluetooth disabled were generally unaffected.
This also explains why some drivers experienced repeated shutdowns while others never encountered the problem.
Why the Government Stepped In
Although many social media users treated it as a prank, the consequences were far from harmless. Suddenly disabling an e-rickshaw in moving traffic can increase the risk of rear-end collisions, leave passengers stranded in unsafe locations, disrupt traffic flow, and damage livelihoods by preventing drivers from completing trips.
Following reports of widespread misuse, the Centre directed app stores to remove BAT-BMS and Epoch Li-ion while asking platforms to exercise greater scrutiny over similar applications in the future.
This Isn't the First Connected Vehicle Security Risk
The BAT-BMS controversy highlights a much larger issue affecting connected vehicles. Modern electric vehicles increasingly rely on software-controlled battery management systems that communicate with smartphones via Bluetooth or Wi-Fi.
Cybersecurity researchers have repeatedly shown that poorly secured battery management systems can become attack surfaces if manufacturers fail to implement strong authentication, encrypted communications, and restricted administrative access. Similar weaknesses have previously been demonstrated in connected electric scooters and other battery-powered mobility devices.
The Bigger Lesson
The BAT-BMS incident wasn't the result of sophisticated hacking. It exposed something more fundamental: many connected devices still prioritise convenience over security.
A battery diagnostic app became a public safety issue because some battery packs allowed administrative commands without sufficiently verifying who was sending them.
Removing the app from app stores may curb its misuse, but the longer-term solution lies with battery manufacturers. Stronger authentication, encrypted Bluetooth communication, and secure firmware are what will ultimately prevent similar incidents from happening again.
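As an added illustration (not code from BAT-BMS or any battery vendor), here is a minimal Python model of what "stronger authentication" can mean on the pack side: administrative commands are accepted only with a fresh challenge answered using a key unique to that pack. The command names, the class and the choice to leave telemetry reads open are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Hypothetical command names; the real BMS protocol is not documented on this page.
READ_ONLY = {"READ_VOLTAGE", "READ_TEMPERATURE"}
ADMIN = {"SET_OUTPUT_OFF", "SET_OUTPUT_ON"}


def sign(pack_key: bytes, nonce: bytes, command: str) -> bytes:
    """Tag an authorised service tool computes with this pack's own key."""
    return hmac.new(pack_key, nonce + command.encode(), hashlib.sha256).digest()


class BmsCommandGate:
    """Pack-side gate: every admin command needs a MAC over a one-time nonce."""

    def __init__(self, pack_key: bytes):
        if len(pack_key) < 16:
            raise ValueError("per-pack key must be at least 128 bits")
        self._key = pack_key        # unique per pack, never a shared default
        self._nonce = None          # outstanding challenge, valid for one command
        self.output_enabled = True

    def challenge(self) -> bytes:
        """Issue a fresh random nonce; it replaces any earlier unused one."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def handle(self, command: str, tag: bytes = b"") -> str:
        if command in READ_ONLY:
            return "OK"             # assumption: telemetry reads stay open
        if command not in ADMIN:
            return "UNKNOWN_COMMAND"
        nonce, self._nonce = self._nonce, None   # consume it, so replays fail
        if nonce is None:
            return "DENIED_NO_CHALLENGE"
        if not hmac.compare_digest(sign(self._key, nonce, command), tag):
            return "DENIED_BAD_TAG"
        self.output_enabled = (command == "SET_OUTPUT_ON")
        return "OK"
```

A check like this sits on top of encrypted Bluetooth pairing rather than replacing it, and it only helps if each pack's key is provisioned individually instead of being shared across a product line.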
For India's rapidly growing EV ecosystem, the episode serves as an early reminder that software security is now just as important as battery range or charging speed.
Published By: Shubham Verma
Published On: 3 July 2026 at 14:02 IST