E-Rickshaw Bluetooth BMS Hack: IT Act Section 69A, App Bans, and the IoT Cybersecurity Challenge

In a striking illustration of how digital vulnerabilities can translate into physical harm on Indian streets, the Union Government directed Apple and Google to remove at least seven battery-management applications from their respective app stores after reports emerged that these apps were being exploited to remotely disable e-rickshaws through their Bluetooth-connected Battery Management Systems (BMS). The order, issued by the Ministry of Electronics and Information Technology under IT Minister Ashwini Vaishnaw, deployed the government’s emergency content-blocking power under Section 69A of the Information Technology Act, 2000. The episode has broader implications for cybersecurity law, intermediary liability, IoT regulation, and the vulnerability of India’s rapidly expanding electric-vehicle ecosystem — all themes that CLAT examiners treat as prime analytical passage material.

The apps named in reports include BAT-BMS, Lossigy, Epoch Li, and Smart BMS, all of Chinese origin. Delhi Police initiated an inquiry into the incidents. Drivers reported daily earnings falling from approximately ₹1,000 to ₹600 as their vehicles were remotely disabled, depriving them of livelihoods. At the centre of the technical controversy is the BMS — an electronic component so central to electric-vehicle safety that compromising it can render a vehicle completely inoperable, or worse, create battery hazards.

Understanding the Battery Management System (BMS)

A Battery Management System is the electronic “brain” of a lithium-ion battery pack. It continuously monitors the battery’s state of charge, voltage levels, temperature, and charging/discharging rates, protecting the cells from conditions — such as overcharging or deep discharge — that can cause permanent damage or thermal runaway (fire). In e-rickshaws, which operate on relatively affordable lithium-ion packs, the BMS is a safety-critical component. Without a functional BMS, the vehicle cannot operate.

Many low-cost BMS units — particularly those manufactured for the budget end of the Chinese market and imported for Indian e-rickshaws — ship with a Bluetooth Low Energy (BLE) interface that allows the operator or a service technician to connect via a smartphone app within approximately 15 metres. The app can read battery diagnostics and, depending on the BMS model, modify operating parameters or even cut off battery output entirely. The design intent is legitimate: remote diagnostics reduce maintenance costs. The security flaw is that many of these units ship with weak, default, or even absent authentication, meaning any person with the corresponding app and Bluetooth proximity can pair with the device without the owner’s knowledge or consent.

The Hack: Mechanics and Impact

The reported exploitation is straightforward: a malicious actor, or a competitor with a financial interest in disrupting operations, downloads one of these apps, approaches a parked or stationary e-rickshaw, pairs with its BMS via Bluetooth, and issues a command that cuts off battery power — disabling the vehicle. Because the pairing requires no password, the attack is available to anyone with a smartphone and the right app. The range limitation of approximately 15 metres for BLE means the attacker must be in close physical proximity, but this is easily achievable in crowded urban environments such as e-rickshaw stands, traffic signals, and charging stations.

The consequences for drivers are immediate and economic: a disabled e-rickshaw stranded mid-route means lost fares, potential towing costs, and reputational harm. The wider safety concern is the possibility of a vehicle being disabled in a moving situation, potentially endangering passengers. Delhi Police registered cases and began investigating the organised nature of the disabling incidents — suggesting this may not be random mischief but targeted sabotage of specific operators or areas.

Section 69A of the IT Act: The Blocking Power

The government’s legal instrument for ordering Apple and Google to remove these apps is Section 69A of the Information Technology Act, 2000, inserted by the IT (Amendment) Act, 2008. This provision empowers the Central Government (and any authorised officer) to issue directions to block public access to any information through any computer resource if satisfied that it is necessary in the interest of:

  • The sovereignty and integrity of India;
  • The defence of India;
  • The security of the state;
  • Friendly relations with foreign states;
  • Public order; or
  • Preventing incitement to the commission of any cognisable offence.

The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 — commonly called the Blocking Rules — operationalise Section 69A. They require that a Designated Officer examine the request, issue notice to the originator or intermediary where practicable, and forward a recommendation to a Review Committee. However, in cases of emergency, the Designated Officer may issue an interim blocking order without prior notice, subject to ex post facto review. Crucially, blocking orders under Section 69A are confidential — the government is not required to disclose them publicly, a feature upheld by the Supreme Court in Shreya Singhal v. Union of India (2015) subject to procedural safeguards.

In the e-rickshaw case, the rationale for invoking 69A appears to rest on public order and possibly the security of the state — the apps were enabling disruption of transportation infrastructure and causing economic harm to a class of urban workers. Whether the “national security” framing is fully apt for a commercially motivated attack on e-rickshaws has been a matter of commentary, but the government’s broad discretion under 69A gives it legal cover for emergency removals even when the threat is primarily economic and local.

Section 79 and Intermediary Liability

The direction to Apple and Google invokes their status as intermediaries under the IT Act. Section 79 provides a safe harbour to intermediaries — they are not liable for third-party content hosted on their platforms provided they observe due diligence and remove unlawful content upon receiving actual knowledge or a government order. The corollary is that once the government issues a valid takedown direction under Section 69A, compliance is mandatory; failure to comply exposes the intermediary to liability. This creates the enforcement mechanism: Apple and Google must remove the listed apps or risk liability for facilitating the harm.

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules 2021) further elaborate due-diligence obligations on platforms, requiring them to appoint Grievance Officers, Nodal Contact Persons, and (for significant social-media intermediaries) Chief Compliance Officers resident in India. These rules are frequently tested in CLAT passages as they represent the most detailed regulation of digital platforms in Indian law.

CERT-In and Critical Information Infrastructure

CERT-In (the Indian Computer Emergency Response Team), established under Section 70B of the IT Act, is India’s national nodal agency for cybersecurity incident response. It issues advisories, coordinates vulnerability disclosure, and in cases of critical infrastructure compromise, can direct organisations to respond. The BMS hack implicates Critical Information Infrastructure (CII) considerations: Section 70 of the IT Act designates computer resources whose incapacitation or destruction would have a debilitating impact on national security or the economy as Protected Systems. While individual e-rickshaw BMS units are not themselves designated CII, the systemic exploitation of thousands of such units across a city’s transport network crosses into infrastructure-disruption territory.

The incident also highlights a regulatory gap: India’s cybersecurity framework — strong for IT networks and data systems — has not yet developed equivalent mandatory standards for Internet of Things (IoT) devices embedded in vehicles, healthcare equipment, or industrial machinery. The absence of mandatory BLE authentication standards for vehicle BMS is a gap that this episode has placed squarely on the policy agenda.

The Digital Personal Data Protection Act, 2023

A parallel dimension is data privacy. BMS apps that connect to battery controllers may also transmit location data, usage patterns, and device identifiers back to servers — potentially servers located in China. The Digital Personal Data Protection (DPDP) Act, 2023, India’s landmark data protection legislation, imposes obligations on Data Fiduciaries (entities that determine the purpose and means of processing personal data) to collect only necessary data, maintain security, and be accountable for breaches. Apps that scrape location or usage data without informed consent would violate these provisions. The cross-border data-transfer concern — that data flows to Chinese servers — further intersects with national security considerations that have driven India’s app bans since 2020 under Section 69A.

Supply-Chain Security and National Security

The broader context is India’s supply-chain security concern about Chinese-origin electronics. Since 2020, the government has banned hundreds of Chinese apps — most prominently TikTok, WeChat, and PUBG — citing data security and sovereignty grounds. The BMS episode represents an evolution in this concern: the threat is no longer merely a data-harvesting app on a user’s phone but hardware-embedded software controlling a physical device. This is the definitional challenge of IoT security: when software controls physical infrastructure, a cybersecurity vulnerability becomes a physical safety hazard. India’s approach — retroactive app bans after harm is documented — is being scrutinised as insufficient; commentators argue for ex ante certification requirements for IoT components used in transport, healthcare, and energy sectors.

Why This Matters for CLAT

  • Section 69A mechanics: The procedure, grounds, confidentiality, and Review Committee requirement under the Blocking Rules are frequently tested in GK and in comprehension passages on digital rights.
  • Intermediary liability: The distinction between Section 79’s safe harbour and the duty to comply with government orders under 69A is a nuanced legal point that examiners use to test comprehension of IT law.
  • IoT and emerging technology law: CLAT passages increasingly use technology-law scenarios; understanding BMS, BLE, and the physical consequences of cybersecurity failures provides the analytical vocabulary needed to engage with such passages.
  • DPDP Act 2023: India’s new data-protection law is high-probability current-affairs GK; its intersection with app bans and Chinese-origin hardware connects to multiple live controversies.
  • Supply-chain and national security: The geopolitical dimension — Chinese-origin software disabling Indian workers’ vehicles — links to India’s broader economic sovereignty narrative, a recurring legal-policy theme in CLAT reading comprehension.

Conclusion

The e-rickshaw BMS hack is not a minor cybersecurity curiosity — it is a case study in how physical vulnerability, regulatory gaps, supply-chain risks, and legal enforcement intersect in modern India. The government’s use of Section 69A to force Apple and Google to delist seven apps is legally significant: it demonstrates that the IT Act’s blocking power extends beyond social-media speech to commercial infrastructure apps that enable real-world harm. For India’s three-million-strong e-rickshaw community — predominantly low-income workers dependent on daily earnings — the episode underscores that digital infrastructure is now inseparable from economic security. For policymakers, it is an urgent signal that India’s cybersecurity regulatory architecture must extend mandatory security standards to the IoT layer before the next incident moves from disabled rickshaws to disrupted power grids or hospital equipment. For the CLAT aspirant, it is a richly layered scenario — touching the IT Act, the DPDP Act, intermediary liability, IoT law, and national security — that rewards careful, doctrinal reading.
