Are e-rickshaws being hacked from mobile phones in the middle of the road? The full story of the BAT-BMS controversy and EV cyber security

Until a few days ago, hardly anyone would have thought that a mobile app could trigger a nationwide debate about e-rickshaws, but the videos that went viral on social media over the last week did exactly that. In these videos, some people approach a moving e-rickshaw with a mobile phone and the vehicle stops within a few seconds. Within no time these videos reached millions of people. Fear spread among e-rickshaw drivers. Questions were raised about battery manufacturing companies, and ultimately the government also had to take action in this matter.

Initially the entire controversy revolved around the Chinese battery management app BAT-BMS, but as the matter progressed, it became clear that it is not about any one app. The real question is about the cyber security of India’s rapidly growing electric vehicle (EV) ecosystem: is the digital security of EVs as strong as the speed with which they are being adopted in the country? Let us go through the whole story from the beginning.

What has the government done so far?

The latest update is that the Central Government has removed two apps related to this matter. S Krishnan, Secretary of the Ministry of Electronics and Information Technology (MeitY), said on July 3 that the two apps that had come to his notice have been removed from the Google Play Store and the Apple App Store. These two apps are BAT-BMS and Epoch Li-ion.

S Krishnan also said that the app stores themselves will have to be careful and the government will talk to Google and Apple, so that such harmful apps are not available again in future. Along with this, the government is now also investigating the bigger picture hidden behind this entire incident i.e. the cyber vulnerabilities of the battery system.

First, what is a BMS?

To understand this whole story, it is important to first understand the BMS. Inside every lithium-ion battery there is a small electronic control system called the Battery Management System (BMS).

If the battery is thought of as a human body, the BMS is its brain. It decides how much the battery will be charged, how much it will be discharged, and tracks the temperature of each cell. It also checks whether the battery is overheating and whether there is a risk of a short circuit. Overall, the job of the BMS is to ensure that the battery continues to operate safely.

Nowadays many modern BMS units also have a Bluetooth module installed. With its help, complete information about the battery can be seen through a mobile app. Service engineers and authorized dealers check battery health through this app. In some BMS units, the option to turn the battery on or off is also provided for security reasons. This is where the real controversy started: a feature that was created to make servicing easier is now feared to be open to misuse.

What was seen in the viral video?

In the video circulating on social media, it was claimed that some people go near an e-rickshaw running on the road, open the mobile app, connect to the battery and after a few seconds the e-rickshaw stops.

Drivers looked upset in many of the videos. Some had to push their rickshaws in the middle of the road, and some lost their daily earnings. Some people turned it into a kind of prank, and in some parts of North India it was even given names like Tirri Control. In many videos, the battery was restarted after recording, the aim being only to capture the driver’s reaction on camera.

These videos created a perception in the minds of common people that any person can stop any e-rickshaw at any time through mobile. Is it really so? There is a need to stop and think here.

Can every e-rickshaw really be stopped?

The direct answer is no. According to experts, not all e-rickshaws are affected by this problem. E-rickshaws that run on lead-acid batteries are completely safe, because they do not have a BMS with Bluetooth. Similarly, the batteries of many big companies work only with their own separate, closed (proprietary) apps and do not connect to any third-party app.

The threat is only to some Bluetooth-enabled lithium batteries to which such common apps can connect, and even then there is a risk only if the BMS does not have a strong password or authentication. In other words, the picture the viral videos present does not apply to every vehicle. This matters because it can prevent unnecessary panic.

How did the BAT-BMS controversy start and what is this app?

After the viral videos, the first app to come under discussion was BAT-BMS. It is an app developed by the Chinese company Shenzhen Greenery Technology and was originally designed for monitoring and servicing Bluetooth-enabled lithium-ion batteries.

The app shows information like battery voltage, current temperature, charging status and battery health. Additionally, some compatible batteries also expose a control feature, i.e. the ability to turn the battery on or off. The allegation is that some people were misusing this control feature. According to experts, the app can connect to a compatible battery within a Bluetooth range of about ten to fifteen meters, and if the security of that battery is weak, the battery can even be switched off.

How did the story take a new twist?

Initially it was believed that the problem was only in BAT-BMS and that once it was removed the matter would end. In some tests it was also seen that this app asked for the password before turning off the battery. The real turning point came when another battery management app was tried. That app also connected to the same compatible battery and was also able to shut it down.

The government has now removed two apps, BAT-BMS and Epoch Li-ion. One thing became very clear from this: if the battery hardware is not secure, just removing an app will not solve the problem completely. Another compatible app may try to connect to the same weak battery. This is the point where the issue moves beyond the scope of one app and becomes a question of the cyber security of the entire EV system.

Where is the real weakness technically?

This is the most important part of the entire controversy. The problem lies more in BMS units with weak security than in any one app. The danger is where the battery’s Bluetooth is open and there is no strong password. Many times the factory default password is never changed and simply remains in place. In some cases the authentication system is weak, and in others the firmware is not secure enough.

The batteries of many cheap e-rickshaws and electric two-wheelers sold in India either come without a password or continue to operate on the factory default password. In such a situation, any person present within the Bluetooth range of about ten to fifteen meters can connect to that battery without the knowledge of the owner. This means that the real danger is not from the app, but from weak hardware and weak settings.

Is this hacking?

Technical experts say that it would not be correct to call every case hacking. If a system is left open without a password and someone misuses its official control feature, then it is not traditional cyber hacking, but a security lapse.

From a legal point of view, entering and controlling someone else’s system without permission can fall under the category of crime. The police action taken in Ujjain indicates that it cannot be dismissed as just a joke.

What effect does this have on e-rickshaw drivers?

For drivers, this is not just a technical issue but a direct question of livelihood. Most e-rickshaw drivers drive rented vehicles, so even one day’s loss is very heavy for them. If the e-rickshaw stops midway, the passengers get off, the fare is not paid and the vehicle has to be pushed. As a result, the whole day’s earnings are at stake.

Many drivers do not even know that their rickshaw has not actually broken down, but has been stopped through an app. In such a situation, some try to get the vehicle repaired by paying a passerby or a mechanic, even though there is no fault in the rickshaw.

In a case reported from Delhi, a driver’s rickshaw remained parked in one place since morning and his daily earnings of around Rs 400 to 500 were lost. Later, a person present at the spot connected his app and restarted the rickshaw. Dealers say that such complaints have increased in the last few days and many vehicles have reached workshops for checking.

Is just deleting the app the solution?

The experts’ answer is a clear no. Even if BAT-BMS is removed, the problem will persist as long as another app can connect to the same vulnerable hardware. This is why the debate grew bigger after the launch of other apps like Epoch Li-ion. The real solution is not to remove an app, but to strengthen the security of the battery and BMS at the root. Unless the hardware is secure, apps will keep coming and going and the threat will remain.

What improvements should be made?

Cyber security experts are giving many suggestions on this. First of all, a unique password should be mandatory for every BMS, and the factory default password should be changed the first time the battery is used. The Bluetooth connection should be encrypted, and only authorized devices should be able to connect to the battery.

Apart from this, multi-layer authentication is necessary for control features like turning the battery on or off; that is, a single password alone should not be enough. Configuring the security settings must be mandatory before delivery of the vehicle to dealers. Most important of all, the government should issue fixed cyber security standards for EV batteries, so that every company has to follow these rules.
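The checks suggested above can be modelled in a few lines of Python; this is an example added here for illustration, not code from any BMS vendor or from the apps named in this article. It refuses control commands while the factory default password is set, accepts them only from enrolled phones, and requires a one-time challenge response on top of the password. The class and function names, the placeholder default password and the HMAC-based second factor are all assumptions, and Bluetooth link encryption is not modelled.

```python
import hashlib
import hmac
import secrets

FACTORY_DEFAULT = "000000"  # constructed placeholder, not any vendor's real default

def sign(device_key: bytes, nonce: bytes, turn_on: bool) -> bytes:
    """Phone side: bind the response to this nonce and this exact command."""
    return hmac.new(device_key, nonce + bytes([turn_on]), hashlib.sha256).digest()

class BmsControlGate:
    """Hypothetical model of the checks a BMS applies before an on/off command."""

    def __init__(self, device_key: bytes):
        self.password = FACTORY_DEFAULT
        self.device_key = device_key   # unique per battery, shared only with enrolled phones
        self.authorized = set()        # phone IDs enrolled by the dealer or owner
        self._nonce = None

    def set_password(self, old: str, new: str) -> bool:
        if not hmac.compare_digest(old.encode(), self.password.encode()):
            return False
        if new == FACTORY_DEFAULT or len(new) < 8:
            return False               # refuse to keep the default or a short password
        self.password = new
        return True

    def enroll(self, phone_id: str, password: str) -> bool:
        # Enrolment is refused while the factory default is still in place.
        ok = self.password != FACTORY_DEFAULT and hmac.compare_digest(
            password.encode(), self.password.encode())
        if ok:
            self.authorized.add(phone_id)
        return ok

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def switch(self, phone_id: str, password: str, response: bytes, turn_on: bool) -> str:
        nonce, self._nonce = self._nonce, None   # a challenge is valid for one attempt only
        if self.password == FACTORY_DEFAULT:
            return "denied: factory default password still set"
        if phone_id not in self.authorized:
            return "denied: device not authorized"
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return "denied: wrong password"
        if nonce is None or not hmac.compare_digest(response, sign(self.device_key, nonce, turn_on)):
            return "denied: challenge response invalid"
        return "battery on" if turn_on else "battery off"
```

Read-only telemetry such as voltage and temperature is outside this gate; only the on/off control path is checked.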

Everyone’s eyes will be on these three things

  • First, what does the government’s investigation reveal and how many batteries are actually affected?
  • Secondly, what future policy do Google and Apple adopt regarding such apps?
  • Thirdly, does India impose any separate cyber security rules for EV batteries and battery management systems?

The biggest question

The BAT-BMS controversy initially raised questions about only one app, but after the emergence of other apps like Epoch Li-ion, the debate has become deeper. It is no longer a matter of just one Chinese app. The real question is whether, with electric vehicles being adopted in India at such speed, their digital security is being strengthened at the same pace. If the answer is no, then this controversy could also become the beginning of new cyber security rules for the country’s EV industry in the future, and perhaps this is the biggest lesson of this entire matter.
