Business

    The 'Tirri' Tech Vulnerability: Why Your E-Rickshaw Battery Isn't Secure

    A surge in viral incidents has exposed a critical design flaw in low-cost electric vehicle batteries, allowing unauthorized access via unencrypted Bluetooth. As MeitY steps in, we break down why your e-rickshaw's battery management system might be wide open to exploitation.

    [Image: blurred e-rickshaw during a morning commute in Delhi, sunlight filtering through trees. Photo by panumas nikhomkhai on Pexels]


    For thousands of e-rickshaw drivers across Delhi-NCR, the morning commute has recently become a game of digital Russian roulette. Videos surfacing on social media show vehicles coming to a dead stop mid-transit, leaving drivers stranded and passengers confused. While viral clips have framed this as a terrifying wave of "remote hacking," the reality is far more mundane—and arguably more dangerous. It is a catastrophic failure of hardware security that has exposed the precarious nature of our rapidly expanding, low-cost EV ecosystem.

    The Anatomy of a Shutdown: It's Not 'Hacking'

    The term "hack" implies a sophisticated breach of encrypted systems. What we are witnessing with the so-called "Tirri" vulnerability is actually the exploitation of an open door. The issue lies within the Battery Management System (BMS)—the "brain" of an EV battery—which monitors cell health and controls power output.

    Many budget e-rickshaw batteries utilize generic BMS protocols like JBD or XiaoXiang. In a bid to cut costs, manufacturers are shipping these units with identical, hardcoded factory passwords such as 'J1B2D4'. Because these batteries lack basic security handshakes, anyone with a common diagnostic app can pair with the device via Bluetooth and send a 'discharge off' command to the internal MOSFETs, effectively cutting power to the motor.

    [Diagram: battery, BMS, and Bluetooth module connections, showing how an unauthenticated Bluetooth command reaches the BMS, trips the MOSFET, and cuts power to the motor.]

    "Chinese app BAT-BMS sparks panic by remotely shutting off e-rickshaws & scooters via Bluetooth on their batteries.💀 https://t.co/oeyG2haBqN" — @gharkekalesh, X

    The Role of Diagnostic Apps: Misuse of Legitimate Tools

    The apps causing the chaos—BAT-BMS, Lossigy, and Epoch—were never designed as malware. They are legitimate tools meant for technicians to monitor cell voltage, temperature, and cycle life. However, because the hardware they interface with has zero barrier to entry, these apps became the perfect weapon for pranksters.

    MeitY (Ministry of Electronics and Information Technology) has moved swiftly, ordering the removal of these apps from digital storefronts. While this addresses the immediate visibility of the tools, it does little to solve the underlying hardware vulnerability. Removing an app is a bandage; the unsecured batteries remain on the roads, waiting for the next person to download a similar diagnostic utility.

    Fixing the Breach: Hardware Security and the Right to Repair

    The ultimate solution isn't found in a software ban, but in physical intervention. Cybersecurity experts suggest that until firmware updates allow users to rotate their own unique security keys, the safest route is to physically disable the Bluetooth modules on the BMS circuit boards.

    There is a growing call for a 'right-to-repair' framework that mandates a 'reset-to-default' protocol. If vehicle owners were provided with the necessary programming cables, they could replace the factory-set backdoors with individual credentials. The question remains: should OEMs be held liable for shipping insecure infrastructure, or is this a shared responsibility in a market that prioritizes the lowest possible price point?
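To make the failure mode and the proposed fix concrete, here is a constructed toy model of a BMS command handler (an added example, not code from the article, from any BMS vendor, or from the JBD/XiaoXiang firmware; it does not implement their wire protocol, and the `FACTORY-DEFAULT` value, the unit ids and the `Bms`/`audit_fleet` names are placeholders). The unhardened path reproduces what the article describes: every unit shares one factory password, so "authentication" is no gate at all and a 'discharge off' command is honoured as soon as a paired client presents it. The hardened path is the re-provisioning policy the previous paragraph calls for: a unit still on the shared default refuses control commands until its owner sets a unique credential, and repeated wrong guesses lock it out. `audit_fleet` is the check a fleet operator would want: which units are still on the default.

```python
"""Toy model of a Bluetooth-attached BMS command handler (constructed example).

Not the JBD/XiaoXiang wire protocol or any vendor's firmware. It contrasts the
shipped behaviour (one fleet-wide factory password, control commands honoured as
soon as a client presents it) with a hardened provisioning policy (no control
commands until the unit carries its own credential; lockout on repeated failures).
"""
from dataclasses import dataclass, field
import hmac

# Constructed placeholder standing in for a fleet-wide factory password
# (the article cites 'J1B2D4' as an example of such a value).
FACTORY_DEFAULT = "FACTORY-DEFAULT"
MAX_FAILED_ATTEMPTS = 5
MIN_PASSWORD_LEN = 12


@dataclass
class Bms:
    unit_id: str
    password: str = FACTORY_DEFAULT
    hardened: bool = False            # False reproduces the shipped behaviour
    discharge_enabled: bool = True    # state of the discharge MOSFET
    authenticated: bool = field(default=False, init=False)
    failed_attempts: int = field(default=0, init=False)
    log: list = field(default_factory=list, init=False)

    def authenticate(self, supplied: str) -> bool:
        """Authenticate a paired client. Hardened units lock out after repeated failures."""
        if self.hardened and self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.log.append("auth refused: locked out")
            return False
        ok = hmac.compare_digest(supplied.encode(), self.password.encode())
        if ok:
            self.authenticated = True
            self.failed_attempts = 0
        else:
            self.failed_attempts += 1
        self.log.append("auth ok" if ok else "auth failed")
        return ok

    def set_password(self, new: str) -> str:
        """Re-provision the unit with its own credential; requires an authenticated session."""
        if not self.authenticated:
            return "refused: not authenticated"
        if new == FACTORY_DEFAULT:
            return "refused: new password is the factory default"
        if len(new) < MIN_PASSWORD_LEN:
            return "refused: new password too short"
        self.password = new
        self.authenticated = False      # force re-authentication with the new credential
        self.log.append("password changed")
        return "ok"

    def set_discharge(self, enabled: bool) -> str:
        """Handle a 'discharge on/off' control command from a paired client."""
        if not self.authenticated:
            return "refused: not authenticated"
        # Hardened policy: a unit still on the fleet-wide default has, in effect,
        # no credential at all, so control commands are refused until it is provisioned.
        if self.hardened and self.password == FACTORY_DEFAULT:
            return "refused: unit still on factory default password"
        self.discharge_enabled = enabled
        self.log.append(f"discharge {'on' if enabled else 'off'}")
        return "ok"


def audit_fleet(units: list) -> list:
    """Return the ids of units that are still on the factory default password."""
    return [u.unit_id for u in units if u.password == FACTORY_DEFAULT]


if __name__ == "__main__":
    shipped = Bms("rick-001")
    shipped.authenticate(FACTORY_DEFAULT)          # anyone with the shared default passes
    print("shipped:", shipped.set_discharge(False), shipped.discharge_enabled)

    secured = Bms("rick-002", hardened=True)
    secured.authenticate(FACTORY_DEFAULT)
    print("hardened, unprovisioned:", secured.set_discharge(False))
    print("provision:", secured.set_password("rick-002-owner-key"))
    print("hardened, authenticated:", secured.authenticate("rick-002-owner-key"),
          secured.set_discharge(False))
    print("still on default:", audit_fleet([shipped, secured]))
```

The point of the hardened path is that the credential check alone is not the fix: a password every unit shares is equivalent to no password, so the firmware has to treat "still on factory default" as "unprovisioned" and refuse control traffic until the owner has set a unit-specific one. Whatever the real firmware does, a fleet-level audit of which units remain on the default is the first thing an operator should be able to run.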

    The Bigger Picture: Gig-Economy Impact and Regulatory Gaps

    This crisis is hitting the most vulnerable first. For many drivers, a single hour of downtime translates into a significant loss in daily wages. Reports suggest some drivers have seen their daily earnings plummet from Rs 1,000 to Rs 600 due to these interruptions.

    "E-rickshaw drivers in Delhi-NCR say their vehicles are being remotely disabled using Chinese mobile apps, disrupting rides and affecting their earnings. The Centre has ordered the removal of three apps allegedly linked to the misuse, while Delhi Police and the Delhi government investigate the matter" — @the_hindu, X

    While a total ban on Chinese-origin battery systems is often discussed, it is a non-starter given the country’s current dependency on these cost-effective modules. Instead, India needs a robust set of security standards for IoT in public transport. If an electric motor can be stopped by a mobile phone, that device should be legally categorized as a critical security risk.

    Bottom Line: The Takeaway

    The "Tirri" exploit is a wake-up call. As India pushes for mass EV adoption, we cannot afford to treat transportation hardware as "dumb" electronics. Whether it is a government-mandated recall or a shift toward encrypted BMS hardware, the days of "password-less" connectivity in our public transport grid must end immediately. Security should not be a premium feature; in the age of IoT, it is a basic requirement for public safety.

    Published on 5 July 2026 by Aditya
