Telegram Group Join Now

Relevance: GS-III (Cyber Security, IT Awareness, EVs); GS-II (Government Policies) Source: IT Ministry / News Reports, July 2026

The Bluetooth Hack: How Cyber Extortion Hit Delhi’s E-Rickshaws

1 · What exactly happened?

Imagine an e-rickshaw driver working hard in Delhi traffic, when suddenly their vehicle just dies. Soon, a “helpful” stranger approaches, offering to fix the mysterious technical fault for ₹200 to ₹500. This isn’t a mechanical breakdown—it is a new, cruel form of digital extortion.

Scammers are using free smartphone apps to hack into the e-rickshaw’s battery system via Bluetooth and remotely turn off the vehicle. This daily harassment has slashed the earnings of poor drivers from ₹1,000 down to just ₹600, forcing the government to step in.

2 · How does a basic e-rickshaw get hacked?

The Core Flaw: No Passwords. This is not a complex internet virus. Modern lithium batteries have a “brain” called a Battery Management System (BMS). Cheap, imported batteries have Bluetooth so mechanics can check battery health via an app. The massive flaw is that they come “insecure-by-default”—with zero password protection.

The Technology
BMS & Bluetooth
The BMS monitors battery health. It uses Bluetooth Low Energy (BLE) to connect to smartphones within a 10 to 15-meter range.
The Exploit
Stopping the Motor
Because there is no PIN or password, any scammer standing nearby can pair their phone to the battery and simply press “turn off discharge”, stopping the motor instantly.
The Culprit Apps
Genuine but Misused
Scammers used genuine diagnostic apps like BAT-BMS (by a Chinese firm), Lossigy, and Epoch Li-ion to execute this hack on the streets.
Government Action
Swift Takedowns
The Union government ordered Apple and Google to remove these apps immediately. Delhi Police and Transport departments have launched active probes.

  • Legal Trouble: Hacking a vehicle’s BMS is a serious cybercrime. It attracts heavy penalties under Sections 43 and 66 of the IT Act, 2000. Extortion charges under the Bharatiya Nyaya Sanhita (BNS) can lead to 3 years in jail and a ₹5 lakh fine.
  • The Human Cost: E-rickshaws are the backbone of last-mile travel, providing informal jobs to millions of vulnerable migrants. This shows that cybersecurity isn’t just an “IT problem” for big companies—it directly affects the survival of the urban poor.
  • The Fix: Experts are urging the EV industry to adopt “Secure-by-Design” principles. This means the government must make basic password protection and encrypted Bluetooth connections a strict legal requirement for all batteries.

UPSC Prelims Quick Facts
BMS Battery Management System. The electronic brain inside a lithium-ion battery that protects it and regulates power.
CERT-In Indian Computer Emergency Response Team. The national nodal agency for responding to all computer security threats.
NCIIPC National Critical Information Infrastructure Protection Centre. Protects vital digital assets (like future smart EV grids).
IoT Internet of Things. The concept of physical objects (like rickshaws) connecting and exchanging data wirelessly.
Secure-by-Design A product engineering concept where security features (like passwords) are built-in from the very beginning, not added later as an afterthought.

MCQ Practice Question
Q. With reference to the recent cybersecurity vulnerabilities in Electric Vehicles (EVs), consider the following statements:

  1. The attacks on e-rickshaws were carried out using sophisticated ransomware delivered via the internet.
  2. Modifying a vehicle’s Battery Management System (BMS) parameters without permission is a punishable offence under the IT Act, 2000.
  3. CERT-In is the national nodal agency for responding to computer security incidents in India.

Which of the statements given above is/are correct?
(a) 1 and 2 only    (b) 2 and 3 only    (c) 1 and 3 only    (d) 1, 2 and 3

Answer: (b) 2 and 3 only

  • Statement 1 — Incorrect: The attack was not done via complex internet ransomware. It was a simple, local hardware exploit using Bluetooth Low Energy (BLE) because the batteries lacked basic password protection.
  • Statement 2 — Correct: Unauthorized access and modification of the BMS computer system attracts strict penalties under Sections 43 and 66 of the IT Act, 2000.
  • Statement 3 — Correct: CERT-In is indeed the nodal agency under the Ministry of Electronics and Information Technology responsible for handling cyber security incidents.

Start Yours at Ajmal IAS – with Mentorship StrategyDisciplineClarityResults that Drives Success

Your dream deserves this moment — begin it here.