- Security Design Vulnerability: The app allowed access to the BMS passive cell balancing and discharge control FETs without verifying passwords after the default PIN pairing.
- India Ban Action: India's Ministry of Electronics and Information Technology (MeitY) withdrew the application from the local Google Play Store in July 2026 to protect commercial e-rickshaw fleets from remote immobilization threats.
- Official Firmware Patch: Shenzhen Grenergy released hardware firmware v3.3.0 introducing mandatory password protection and cryptographic handshake protocols for administrative controls.
Table of Contents
- 1. Incident Background: The July 2026 MeitY Action
- 2. Technical Analysis of the Security Flaw
- 3. Timeline of Events
- 4. Shenzhen Grenergy's Security Patches
- 5. Actionable Advice for Affected Fleet Owners
- 6. Sources & References
1. Incident Background: The July 2026 MeitY Action
In July 2026, the Ministry of Electronics and Information Technology (MeitY) of India flagged and subsequently withdrew the BatBMS application from the Google Play Store in the country. The action followed reports from cybersecurity researchers who demonstrated that the app's standard Bluetooth Low Energy (BLE) control protocol was susceptible to remote intrusion. The primary concern was the potential risk to electric rickshaw fleets, which could be turned off remotely by an unauthorized user nearby.
2. Technical Analysis of the Security Flaw
The core design vulnerability resided in the administrative command execution path. While the initial BLE handshake prompted the user for a standard 4-digit PIN (typically a default value such as 1234 or 0000), the app did not enforce secondary password checks for destructive commands once paired. Specifically, commands that toggle the state of the charge/discharge MOSFETs or rewrite balancing thresholds were accepted in plain text over the air.
3. Timeline of Events
4. Shenzhen Grenergy's Security Patches
Following the public audit, Shenzhen Grenergy introduced a critical update to its BLE stack. In firmware versions 3.3.0 and above, a challenge-response authentication protocol is mandatory before the BMS board executes any FET-switching commands. Even if a smartphone succeeds in Bluetooth pairing, it must also provide a secondary, user-customized security key that is stored securely in the MCU's non-volatile memory.
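The sketch below is an added example, not Grenergy's firmware or documented protocol: it models a board-side gate in which pairing alone never authorizes a FET-switching command, and each privileged command needs a fresh challenge answered with a keyed tag. The HMAC-SHA256 construction, the command names and the class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical command names; the page does not list the real opcodes.
PRIVILEGED = {"DISCHARGE_FET_OFF", "DISCHARGE_FET_ON", "SET_BALANCE_THRESHOLD"}


def response_tag(key: bytes, nonce: bytes, command: str) -> bytes:
    """Proof of key possession, bound to one challenge and one command."""
    return hmac.new(key, nonce + command.encode(), hashlib.sha256).digest()


class BmsCommandGate:
    """Board-side model: BLE pairing alone never authorizes a privileged command."""

    def __init__(self, user_key: bytes):
        self._key = user_key   # stands in for the key held in MCU non-volatile memory
        self._nonce = None     # outstanding challenge, valid for a single command

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)  # fresh and unpredictable per request
        return self._nonce

    def execute(self, command: str, tag: bytes = b"") -> bool:
        if command not in PRIVILEGED:
            return True                          # telemetry reads need no proof here
        nonce, self._nonce = self._nonce, None   # consume it, so a replay finds none
        if nonce is None:
            return False                         # no challenge was requested
        expected = response_tag(self._key, nonce, command)
        return hmac.compare_digest(expected, tag)  # constant-time comparison


def demo() -> dict:
    key = secrets.token_bytes(32)                # constructed sample key
    gate = BmsCommandGate(key)
    results = {"paired_only": gate.execute("DISCHARGE_FET_OFF")}
    tag = response_tag(key, gate.challenge(), "DISCHARGE_FET_OFF")
    results["valid"] = gate.execute("DISCHARGE_FET_OFF", tag)
    results["replayed"] = gate.execute("DISCHARGE_FET_OFF", tag)
    swapped = response_tag(key, gate.challenge(), "DISCHARGE_FET_ON")
    results["other_command"] = gate.execute("DISCHARGE_FET_OFF", swapped)
    forged = response_tag(b"\x00" * 32, gate.challenge(), "DISCHARGE_FET_OFF")
    results["wrong_key"] = gate.execute("DISCHARGE_FET_OFF", forged)
    return results


if __name__ == "__main__":
    print(demo())
```

Only the request carrying a tag computed with the stored key over the current challenge and the same command is accepted; a paired client without the key, a replayed tag, a tag issued for a different command and a tag from the wrong key are all refused.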
5. Actionable Advice for Affected Fleet Owners
If you are an operator or battery fleet technician using compatible Grenergy BMS boards, follow these safety guidelines:
- Update App to Latest Version: Download verified v3.2.2 or higher packages directly from authorized developer channels.
- Apply MCU Firmware Patch: Re-flash the board to firmware v3.3.0 to protect parameters.
- Modify Default Pairing PIN: Immediately change the factory defaults (1234) to a custom sequence.
Frequently Asked Questions
Only if the attacker has successfully paired with your Bluetooth transceiver and issues a manual discharge FET disable command. Upgrading firmware to v3.3.0 prevents this threat completely.
You can use generalized open-source utilities like Xiaoxiang BMS if your hardware implements similar serial transceivers, or wait for the audited official app release.
6. Sources & References
- MeitY Security Advisories and Fleet Directives (MeitY.gov.in Archive)
- Shenzhen Grenergy v3.3.x MCU Protocol documentation
- "BLE IoT Protocol Vulnerability Audits", Journal of Embedded Security Systems, 2026.