BAT-BMS Viral Videos Raise EV Security Concerns in India; TraceX Labs Releases Comprehensive BMS Security Advisory and Immediate Mitigation Guidance
A wave of viral videos involving the BAT-BMS mobile application has sparked widespread discussion about the cybersecurity of Battery Management Systems (BMS) used in electric vehicles across India, particularly commercial e-rickshaws. The videos, which have circulated extensively on social media in recent days, appear to show individuals using Bluetooth-enabled diagnostic applications to interact with nearby battery systems, prompting concerns among drivers, fleet operators, battery manufacturers, and cybersecurity experts.
The incidents have highlighted an emerging cybersecurity challenge within India’s rapidly growing electric mobility sector, where Bluetooth-enabled Battery Management Systems are increasingly being deployed for battery monitoring, diagnostics, and maintenance.
According to multiple media reports, the issue is associated with certain Battery Management Systems that expose Bluetooth Low Energy (BLE) interfaces without sufficient authentication or continue operating with default security settings. In such cases, unauthorized users within Bluetooth range may be able to establish a connection using compatible BMS diagnostic applications if the battery has not been securely configured.
Security researchers emphasize that this is not a malware attack or an internet-based remote compromise. Instead, it involves local Bluetooth communication between a smartphone and a vulnerable Battery Management System. The potential risk depends on the specific battery hardware, firmware version, and security configuration, meaning the issue does not affect every Battery Management System or every electric vehicle.
TraceX Labs Issues BMS Security Advisory
Following its technical assessment of the issue, TraceX Labs has released a comprehensive cybersecurity advisory titled:
“Unauthorized Over-the-Air Disruption of EV Battery Management Systems (BMS) via Unauthenticated Bluetooth Low Energy (BLE) Controls.”
Prepared by the TraceX Labs IoT Security Research Team, the advisory examines the underlying security weaknesses that may exist in certain Bluetooth-enabled Battery Management Systems and provides practical guidance for manufacturers, battery assemblers, EV manufacturers, fleet operators, commercial e-rickshaw drivers, service technicians, and regulatory agencies.
According to the report, the issue stems primarily from insecure Bluetooth implementations rather than sophisticated cyberattacks. The advisory identifies several security weaknesses that may be present in vulnerable Battery Management Systems, including:
- Missing authentication for critical Bluetooth functions.
- Factory-default or publicly documented Bluetooth PINs.
- Open write permissions for battery control commands.
- Lack of device whitelisting or access control mechanisms.
- Bluetooth modules that remain publicly discoverable after deployment.
Where these conditions exist, compatible Bluetooth applications may be able to communicate with the Battery Management System without appropriate authorization.
Potential Impact on India’s EV Ecosystem
Battery Management Systems are responsible for monitoring battery voltage, temperature, charging, cell balancing, and overall battery safety. If unauthorized users gain access to critical battery controls on vulnerable systems, they may be able to interfere with battery operations, potentially disrupting normal vehicle functionality.
TraceX Labs notes that such security weaknesses could contribute to:
- Unexpected interruption of vehicle operation.
- Increased road safety risks.
- Operational disruption for commercial fleet operators.
- Financial losses for e-rickshaw drivers.
- Reduced confidence in connected EV technologies.
The advisory also points out that India’s extensive use of low-cost battery assemblies and Bluetooth-enabled BMS components makes cybersecurity an increasingly important aspect of the country’s EV supply chain.
Immediate Mitigation Measures
To help reduce potential risk, the TraceX Labs advisory recommends immediate security measures for affected stakeholders, including:
- Changing factory-default Bluetooth passwords.
- Enabling secure authentication wherever supported.
- Disabling Bluetooth advertising when wireless monitoring is unnecessary.
- Installing firmware updates provided by manufacturers.
- Restricting Bluetooth access to authorized maintenance personnel only.
- Disconnecting external Bluetooth modules as a temporary mitigation where secure configuration is unavailable.
For Battery Management Systems that do not support password protection or Bluetooth security controls, the advisory also provides a temporary hardware mitigation procedure designed to eliminate the wireless attack surface while maintaining the battery’s essential protection functions. TraceX Labs recommends that any hardware modifications be carried out only by qualified technicians following appropriate electrical safety procedures.
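As an added illustration (not code from the TraceX Labs advisory), the following fleet-side check maps a pack's declared Bluetooth configuration to the weaknesses listed earlier and to the mitigations above. The record fields, the placeholder PIN values and both sample packs are constructed assumptions, not a vendor format.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder values; a real audit would load the vendor's documented defaults.
KNOWN_DEFAULT_PINS = {"000000", "123456"}

@dataclass
class Characteristic:
    name: str
    writable: bool
    controls_battery: bool      # e.g. charge/discharge switching, protection limits
    write_needs_auth: bool      # write accepted only over an authenticated link

@dataclass
class BmsProfile:               # hypothetical inventory record, not a vendor format
    model: str
    supports_pin: bool
    pin: Optional[str]
    allowlisted_devices: int
    advertises_in_service: bool
    characteristics: list = field(default_factory=list)

def audit(p: BmsProfile):
    """Return (findings, mitigations) drawn from the advisory's two lists."""
    findings, fixes = [], []
    open_ctrl = [c.name for c in p.characteristics
                 if c.writable and c.controls_battery and not c.write_needs_auth]
    if open_ctrl:
        findings.append("unauthenticated write to battery controls: " + ", ".join(open_ctrl))
    if p.supports_pin and (p.pin is None or p.pin in KNOWN_DEFAULT_PINS):
        findings.append("factory-default or unset Bluetooth PIN")
        fixes.append("change the factory-default Bluetooth password")
    if p.allowlisted_devices == 0:
        findings.append("no device whitelisting")
        fixes.append("restrict Bluetooth access to authorized maintenance devices")
    if p.advertises_in_service:
        findings.append("module discoverable after deployment")
        fixes.append("disable Bluetooth advertising when monitoring is unnecessary")
    if open_ctrl and not p.supports_pin:
        # Configuration cannot close the gap: fall back to the temporary hardware measure.
        fixes = ["disconnect the external Bluetooth module (qualified technician only)"]
    elif open_ctrl:
        fixes.append("enable secure authentication or install the manufacturer's firmware update")
    return findings, fixes

# Constructed sample inventory entries.
LEGACY = BmsProfile("legacy-pack", False, None, 0, True,
                    [Characteristic("discharge_switch", True, True, False),
                     Characteristic("cell_voltages", False, False, False)])
HARDENED = BmsProfile("hardened-pack", True, "824615", 2, False,
                      [Characteristic("discharge_switch", True, True, True)])
```

A pack that cannot enforce a PIN and accepts open control writes is routed to the temporary hardware mitigation, because no configuration change listed above would close that gap.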
Long-Term Security Recommendations
Beyond immediate mitigation, the advisory encourages Battery Management System manufacturers to adopt secure-by-design principles in future products. Recommended measures include mandatory cryptographic authentication, encrypted Bluetooth communication, secure pairing procedures, physical verification before new device pairing, secure firmware updates, and Bluetooth functionality disabled by default until securely configured.
The report also recommends strengthening automotive cybersecurity standards by incorporating mandatory wireless security testing, secure default configurations, and vulnerability disclosure requirements into future regulatory frameworks.
TraceX Labs Technical Advisory Now Available
The complete TraceX Labs advisory includes:
- Executive Summary
- Technical Threat Analysis
- Bluetooth Attack Methodology
- India’s EV Ecosystem Risk Assessment
- Temporary Hardware Mitigation Procedure
- Software Security Hardening Guidance
- Manufacturer Security Recommendations
- Regulatory and Policy Recommendations
- Supply Chain Vulnerability Assessment
- Long-Term Cybersecurity Framework
As connected technologies become increasingly integrated into modern electric vehicles, cybersecurity is emerging as a critical component of transportation safety. Through this advisory, TraceX Labs aims to help manufacturers, regulators, fleet operators, and EV owners better understand Bluetooth-related security risks and implement practical measures to strengthen the resilience of India’s rapidly growing electric mobility ecosystem.
TraceX Labs Report: https://tracexlabs.com/reports/bms-security-advisory-immediate-mitigation-for-ev-vehicles.html



