HomeNews Reports‘EVM hack’ conspiracy theorists use BAT-BMS E-Rickshaw hack cases to push their agenda again:...

‘EVM hack’ conspiracy theorists use BAT-BMS E-Rickshaw hack cases to push their agenda again: Here is why they are wrong, and stupid

Over the past few days, a wave of videos has taken over Indian social media showing something that looks straight out of a spy thriller: a person casually pulls out their phone, taps a button, and a moving e-rickshaw a few metres away simply stops. No wires, no contact, but with an app called BAT-BMS. The clips have racked up millions of views, with people filming themselves pranking rickshaw drivers mid-route, and the panic has spread just as fast as the footage.

Predictably, the story didn’t stay contained to e-rickshaws for long. It didn’t take long for a section of X to connect the dots in a very different direction: if a random phone app can shut down a vehicle over Bluetooth, why should anyone trust Electronic Voting Machines?

Cockroach Janta Party posted a sarcastic tweet claiming the same on Thursday, saying, “It’s worth noting that A running e-rickshaw can be shut down with a mobile app, but an EVM cannot be hacked.” The tweet included the emoji for ‘dropping a wildly awkward secret’.

Congress leader Deepak Bishnoi made a similar post, suggesting that EVMs also can be hacked from mobile phone.

“Journalist” Mukesh Kumar Verma posted in Hindi on X, ‘The question was: If a moving E-Rickshaw can be shut down via a mobile app using BAT-BMS, then why can’t an EVM be hacked?’

Several other users on X made similar post, mostly in Hindi, saying it is worth noting that e-rickshaws can be hacked but EVMs can’t be hacked.

EVM is a device central to how India elects its government. Are they truly unhackable? The logic sounds intuitive at first glance. It is also, on closer inspection, built on a foundation that doesn’t hold up. Before we answer the question, “Is it possible to hack an EVM like an e-rickshaw or not?” let us discuss what is actually going on with e-rickshaws because the real story is less about hacking and more about an unlocked door nobody bothered to lock.

What’s Actually Happening

To understand why the “hack” is not really a hack, we need to know three things: What is BMS, why it has Bluetooth, and why that Bluetooth link matters.

The BMS: a battery’s built-in bodyguard

The Battery management system (BMS) is the electronic brain of a rechargeable battery pack. In simple words, every lithium-ion battery pack, the kind increasingly used in e-rickshaws instead of older lead-acid batteries, has a small chip inside, known as a Battery Management System or BMS. Its job is to constantly monitor the battery’s voltage, temperature, and charge level, and cut power immediately if something looks unsafe, like overheating or a short circuit.

This is a genuine safety feature. Without it, lithium batteries would be far more prone to fires and failures. To do this cutting, the BMS uses tiny electronic switches. When the BMS decides power needs to stop flowing, it flips the switch, and the vehicle loses power within milliseconds, not because something broke, but because the system worked exactly as designed.

Why is Bluetooth even involved

Many inexpensive battery manufacturers, a lot of them Chinese producers operating at scale, incorporate Bluetooth into the BMS so owners, technicians and fleet operators can check battery health from a phone instead of physically opening the battery casing. It’s a convenience feature: see charge level, cycle count, temperature, all from an app, without any tools.

One of such an app is named BAT-BMS, app at the centre of the viral videos is one such tool. However, several other similar apps are also being used. It was built by Chinese company Shenzhen Grenergy Technology primarily for solar and off-grid battery systems, not specifically for the vehicles. It just happens to be compatible with the same type of BMS chip that many e-rickshaw batteries use.

Where it goes wrong

Here’s the actual vulnerability: to keep costs down, a large number of these budget battery units are shipped, sold, and installed without ever setting a password on that Bluetooth connection. E-rickshaws are made in India by a large number of local units, and such manufacturers skipped adding proper security features like encryption or password protection on these Bluetooth links while buying BMS units in bulk from China. Dealers rarely configure it, and drivers are almost never told it exists. The result is a battery quietly broadcasting itself over Bluetooth, wide open, to any phone within roughly 15 metres running a compatible app.

This is a classic case of a consumer product cutting corners on security for convenience and price.

So when someone in these viral videos “hacks” an e-rickshaw, what’s really happening is this: their phone finds an unsecured battery management system nearby, connects to it because nothing was stopping it from connecting, and sends the same shutdown command a technician would use for legitimate maintenance. It isn’t bypassing encryption or breaking into a system. It’s walking through a door that was never given a lock.

Notably, the Union Government has already ordered the removal of apps like BAT-BMS and Epoch Li-ion from app stores after their widespread use to disable e-rickshaws remotely. After the videos went viral, BAT-BMS was updated to require a password from the vehicle’s owner to control it. But other apps continued to allow control without permission.

Why “EVM Hack” Doesn’t Follow

This is where the argument falls apart, and it’s worth being precise about why, rather than just dismissing it. EVMs are built on a fundamentally different principle. India’s Electronic Voting Machines are standalone units. They have no Bluetooth, no Infrared, no Wi-Fi, no internet connectivity, and no wireless radio of any kind. This isn’t an oversight; it’s the entire design philosophy. An EVM cannot be remotely accessed because remote access was deliberately engineered out of it from the start. There is no equivalent of the “unlocked Bluetooth door” to walk through, because there is no door at all.

The hardware itself does not even have the ports or chips needed for such wireless communication, which means there is simply no way for someone to reach them through a phone app or any remote method.

There is a reason why EVM votes are counted by viewing the numbers on each EVM, and adding them, because the data from EVM can’t be read from any external device.

Any attempt to tamper with an EVM would require physically opening the machine and making changes inside it. Even this route is blocked by strong election protocols followed by the Election Commission of India. Before every election, the machines go through multiple rounds of checks, including mock polls conducted openly in front of agents from all contesting candidates. Once the machines are sealed and taken to the polling stations, they remain under constant watch by polling agents who represent different candidates.

During counting as well, party representatives are present at every step, and the machines stay sealed until the very end. Any sign of physical interference would be spotted immediately, leading to rejection of that machine’s results and possible legal action. These layered safeguards have been in place for years and have been upheld by the Supreme Court multiple times after detailed examinations.

Trying to say that a vulnerability in a cheap vehicle’s Bluetooth battery module somehow proves EVMs can also be hacked is like arguing that because a bicycle lock can be picked with a simple screwdriver, therefore a bank vault can also be opened with a similar screwdriver.

A weak lock on one product says nothing about a different product with no lock to test. The e-rickshaw vulnerability exists because a specific category of budget battery control hardware shipped with a wireless feature left unsecured. Drawing a line from that to EVMs requires treating “electronic” as if it’s a single, uniform category where a flaw anywhere implies a flaw everywhere. It isn’t. A smart bulb, a laptop, and a pacemaker are all “electronic,” but a vulnerability in one tells you nothing about the others unless they share the actual attack surface: the specific wireless interface, protocol, or access point that was exploited. EVMs simply don’t share the one that failed here.

This is a familiar pattern, not a new one. Every time a viral tech story breaks, a phone hack, a Bluetooth flaw, a data leak, a segment of social media treats it as fresh ammunition for a pre-existing belief, regardless of whether the technical details have anything in common. It’s not really an argument about EVMs at all. It’s an existing narrative looking for its next hook, and the e-rickshaw story happened to be trending at the right moment. The reasoning doesn’t start from the evidence and arrive at a conclusion; it starts from the conclusion and goes looking for evidence that sounds vaguely similar.

That’s the real pattern worth calling out – not just the specific claim, but the habit of reaching for “if X can be hacked, so can Y” without checking whether X and Y share anything beyond both being electronic. It’s a rhetorical shortcut, not an investigation.

Join OpIndia's official WhatsApp channel

  Support Us  

For likes of 'The Wire' who consider 'nationalism' a bad word, there is never paucity of funds. They have a well-oiled international ecosystem that keeps their business running. We need your support to fight them. Please contribute whatever you can afford

Related Articles

Trending now

- Advertisement -