The BAT BMS app — a Shenzhen built Bluetooth Android tool that stalls Indian e rickshaws mid ride — exposes a fleet side supply chain gap the October cybersecurity mandate does not address.
India's connected-vehicle cybersecurity mandate lands in October. The prank videos that triggered it have already exposed the hardware that mandate cannot reach: the deployed e-rickshaw fleet, much of it running battery management systems (BMS) sourced from Chinese suppliers without a documented security review.
The app is BAT-BMS, an Android tool from Shenzhen Grenergy Technology that talks to a widely deployed family of Bluetooth BMS units over the air. Anyone within roughly 10 to 15 metres can pair, send a discharge-disable command, and stall a vehicle mid-ride. The capability was already known in the BMS-vulnerability community; it became a mainstream story once pranksters started broadcasting the shutdowns on short-video platforms, pushing the Ministry of Heavy Industries to act.
The regulator's response is documented in a Business Today explainer and corroborated by the Hindu Business Line, the New Indian Express, the420.in, and Business Standard. The advisory letter went to industry bodies SIAM and ACMA and to the testing agencies ARAI, iCAT, NATRAX, and GARC. Separately, the Ministry told automakers to stand up a Cyber Security Management System (CSMS) framework starting in October, with OEMs directed to audit connected-vehicle software, devices, and battery systems.
CSMS audits vehicle architectures and supplier code at the type-approval stage, before new vehicles reach showrooms. The e-rickshaws stalling in the viral reels are already registered, insured, and operating last-mile duty. In many deployed cases, the BMS firmware on these vehicles comes from Chinese suppliers and is tuned through a Bluetooth service link that ships with the product itself. A regulator cannot switch off a service link with a recall notice.
The same Bluetooth configurability that sold the hardware into the fleet is the door BAT-BMS walks through. Last-mile operators chose Chinese firmware for its price and field tunability; that tunability is exactly the access the prank app exposes.
The same firmware access enables state-of-charge spoofing and tamper-log clearing, the kind of problem a CNBC TV18 walkthrough of the BAT-BMS app treats as a vehicle-safety and grid-edge concern rather than just a trolling nuisance. Spoofed battery telemetry corrupts the data charging stations, swap networks, and fleet operators rely on to price and dispatch energy.
Three caveats the cited sources leave open. The outlets name Shenzhen Grenergy as the BAT-BMS developer and the apparent origin of the Bluetooth protocol in question, but direct reporting on the company's founding, scale, and broader OEM partnerships remains thin. The exact count of Indian e-rickshaws running a vulnerable BMS variant is not in the cited evidence base and should not be inferred from coverage volume. The October CSMS mandate date is paraphrased across outlets; the underlying MHI/ARAI notification has not yet been located in the primary record.
The live question for regulators is whether the CSMS rollout is treated as a complete fix or as the start of a remediation exercise that reaches backward into the deployed fleet. The Bluetooth kill command works because the firmware accepts it. Removing that acceptance, at a vendor, fleet-operator, or importer level, is a retrofit project rather than a type-approval one, and India has not yet announced the funding, authority, or technical standard it would use to mount it.
For the e-rickshaw drivers who lost fares to this month's prank reels, the next milestone is when a follow-up advisory arrives. The current one flags the risk and points toward new vehicles. It does not yet chart the path back to the hardware already on the road.