
An app has appeared in India that lets anyone with a smartphone stop a passing e-rickshaw dead in its tracks – no login, no passwords, no permissions needed.
Meanwhile, Geoff – swimming in money and Lamborghinis, as all published authors are – has been on the receiving end of a slew of AI-generated scam pitches from fake book marketing experts. Rather than ignore them, he’s been playing them at their own game…
All this and more in this episode of the “Smashing Security” podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Geoff White.
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hello, hello, and welcome to Smashing Security episode 476. My name's Graham Cluley.
Now, you've been a busy chap, haven't you, in the last week or two with your latest — well, do you consider yourself a content creator or does that gag slightly at the back of your throat?
It just sounds a bit clinical, you know, a real person.
But yes, I've been creating content, specifically a new series of what was the Lazarus Heist podcast and has now been renamed Cyber Hack.
We're on season 4 of Cyber Hack now, actually. So just published, which is all about a gang that will be very familiar to you, Graham, the Conti ransomware gang.
It's always irked me that there was this amazing leak of internal chats from Conti.
All the things they typed to each other for two years basically spilled all over the internet, for reasons that we go into in the podcast.
And I'd always sort of wondered — I'd seen people like Brian Krebs had done articles and people had sort of done things with it, but nobody seemed to kind of really do something exciting with it and get to grips with it.
So I thought, well, this is great. The podcast has got an opportunity to go back to those leaks and really mine them.
And I instantly realised why no one had done anything with it really impressive — it's because it's horrible. It's all in Russian. It's hacker slang Russian.
Instead of having the chats though, they chatted to each other, it's just all in one continuous order. It is honestly eye-bleedingly difficult to go through.
I went through 47,000 of the messages before I gave up. I was like, I've done enough. I've done my job. But what you get is amazing.
You get the actual people talking themselves as they were doing the crime, bitching, slagging each other off, talking about their wives, their girlfriends. It's amazing stuff.
It is genuinely amazing.
We'll be hearing about them some more later on in the podcast.
This week on Smashing Security, we won't be talking about how a ransomware negotiator has been jailed after working with hackers to extort clients.
You'll hear no discussion of how users of LastPass and Bitwarden have been targeted with fake security alerts.
And we won't even mention how a German textile firm has filed for insolvency, blaming a ransomware attack which shut down production.
So Geoff, what are you going to be talking about this week?
And what I've been doing back to the scammers.
All this and much more coming up in this episode of Smashing Security.
NordLayer is a network security platform built for businesses. Right.
It's a scary world out there for travelling workers.
But it goes well beyond just encrypting the connection.
You get centralised control over who can access what based on their identity, their device, whether their device is actually compliant.
And if someone leaves the company, you revoke their access immediately.
So if someone on your team has started using some AI tool that your security team hasn't approved—
Use the code NLsummer26 at checkout.
When somebody's been stupid enough to leave their phone unlocked on the desk next to me, I've usually taken a couple of suspect selfies or something, or sent a stupid message to somebody.
Just to remind them that you should lock your phone when it's not attended. That level.
And I thought, well, it kind of makes the point, but at the same time, it's a bit of a dickish move. I don't—
I mean, you could take someone else's phone, you could change their autocorrect settings. So every time they type "regards", it changes it to "love and kisses" or something.
One I heard about is you can take a screenshot of someone's home screen on their phone and set it as their wallpaper.
So their wallpaper is all their icons, and then you move all their apps into a folder on their own. And of course they're clicking on things, thinking, why doesn't this work?
Why, what's wrong with my phone? Is my screen not working?
I tut away and shake my head disapprovingly. It's all very juvenile. You shouldn't fiddle with someone else's phone.
But what if people were to use their own phone to pull a prank on someone else? That is something which has been happening lately in India.
In fact, a few thousand people in India found out in recent weeks that something rather bad has been going on.
And it's been rather worse than changing someone's phone so it rings an alarm at 3 o'clock in the morning and wakes them up.
You know, it's worse than that kind of dirty trick you can do. What they're doing is they're standing on a busy street, right? Imagine the scene.
You're in North India, you're standing on a busy street. Saw the traffic going past. And—
That is a really, really busy street potentially.
Well, something a little bit like that has been going on because there have been people who found that all they need to do is open up an app and then with a single tap, they can stop a stranger's vehicle dead in its tracks as it goes past them.
And they don't need any special privileges. They don't need any special permissions. They don't need to know any passwords or anything like that. You just tap.
And the particular type of vehicle that they have been stopping dead in its tracks is an e-rickshaw. I didn't know that e-rickshaws existed.
It's the same kind of thing. But this is one which is powered by a battery rather than by a little petrol motor. And it's a three-wheeled little vehicle.
And these are really popular in South Asia. They're lightweight. They're not very expensive. They're powered by battery.
And for millions of people across North India, including Delhi and the like, they are part of people's daily commute.
And for the drivers of these vehicles, that is their livelihood.
If their rickshaw isn't running and they don't earn a wage, that means they're not earning any cash, not able to buy any food.
It's pretty serious if someone can stop it dead in its tracks without you expecting it while you're driving along.
Potentially also a safety hazard as well, because if you are going a fair clip on one of these things and it screeches to a halt, because of course, you know, think of what electric motors are like.
It's not like, you know, you're— it's dead. It's not moving any longer. So this is a prank which has emerged.
Teenagers standing near moving e-rickshaws open an app on their smartphone. They remotely cut off the vehicle's power. Suddenly stops.
And may not surprise you to know that a lot of people think this is not something to be universally applauded.
Some people are even saying this is the worst thing to have happened since hoodie-wearing, happy-slapping teenagers started downloading ringtones.
This seems to be the new habit which has emerged, and it's made all possible, Geoff, by an app called BatBMS.
It was actually built for solar panels and marine batteries, off-grid power systems. So if you, for instance, Geoff, I can imagine you going on very glamorous holidays.
And you may have this app because what this app allows you to do is to control its management system via Bluetooth.
So they're running on compatible hardware, same kind of thing which you'll be finding in other places.
And so a perfectly respectable app, which you can use for checking your solar battery storage, can end up being a weapon in the hands of a pedestrian or the person behind you who wants to — gosh, you know, wants to cause your little e-rickshaw to come crashing to a halt in the streets of Delhi.
And you think, well, yeah, I'll need to monitor the battery, and there's probably a little light on the battery somewhere, but it's much easier.
And you can imagine how the person who sold you the battery would say, well, don't worry, there's an app, you can just monitor the batteries on your phone.
And you think, that's great, it's like a dashboard readout of how my battery's doing. I'll install it.
But what they don't tell you is, oh, there's a function there that can kill the battery.
But how are the strangers connecting to someone else's rickshaws' Bluetooth to get to the battery. Is Bluetooth just connectable by anybody?
And then you can just simply scan for nearby batteries and say, which one do you want to connect to?
Well, hopefully not boom, but you've got full access to the control panel and you can instantly disable it.
And the firm that made this battery system, they obviously assumed that whoever was standing near the battery was the person who owned it.
And they thought, well, why would we put a password on it?
I've done a bit of searching on YouTube and Instagram and the like and the TikToks, and lots of people are posting up videos now of this going on.
And some of them are painting it as, I can get revenge now on these rickshaw drivers, 'cause I get fed up, you know, you get fed up with the other rickshaw drivers or how they're driving or whatever.
And so you can stop them in their tracks. And some people are even reportedly paying strangers so that the drivers get stranded, right? They just think, well, what's going on?
I don't understand why my rickshaw keeps conking out.
And they're charging 200-odd rupees or whatever for the fix. But of course, it's them who've actually done the darn thing.
There's a video of one guy, he looks like an elderly chap, he's driving around his little rickshaw, and you see him pushing it by hand for about 3 kilometres in the heat of Delhi.
I guess just for the clicks because people are sharing them and watching them and being outraged by them. All because of an app. An app, Geoff.
The thought that goes to my mind is, if this was the UK, for example, you've got a vehicle on the street, vehicles on the street are under the Highway Code, they're often licensed and regulated.
If there's a component in the vehicles that's that vulnerable, I think that would fall under some kind of UK legislation.
We have UK legislation about default passwords, I'm pretty sure that got passed recently. But immediately I'm thinking India. I mean, for a start, Indian states work differently.
It's a federal, you know, thing. And secondly, from my visits to India, the writ of the government and its legislation enforcement does not run very far.
So the idea of regulating all the rickshaw drivers, I don't know legally where you'd — and to be honest, I don't think anyone's got any legal comeback on anybody for this.
It just seems like one of those grey areas.
There is some sort of computing device in there which is managing the battery, and anyone accessing it without the permission and knowledge of the owner of that device is committing an offence.
So technically it is a crime, so we have to do our tut-tutting. Yes.
And the Chinese makers of this battery system have apparently pushed down an update which patches the app, and now requires a password to be entered to access the battery.
Now the problem is, the firmware on the rickshaws, on their batteries — how's that going to get updated?
And are people going to know to update it so that it requires the password? So it's all very well updating the app.
And by the way, in order to communicate with your battery, plug in the battery and upload the — can you do something like that? I don't know.
And, you know, is this going to cause us more support queries? I don't know if it's going to happen or not. The good news is not all e-rickshaws are affected.
If anyone out there has even called Eric — yes, if we have an Eric Shaw listening.
They've just published a new report, 2026 State of the Cybersecurity Attack Surface, and they analysed over 800,000 real IT assets to find out how exposed organisations actually are.
Nobody added him, nobody removed him, and he's been quietly in there for 11 years downloading maps of Paraguay.
That's the path of least resistance.
And the report is free to download.
And please keep an eye on your IT assets and retired geography teachers.
As you know, Graham, I am an internationally renowned author with a string of immensely successful books to my name. Which means, of course, I am swimming in money.
No, obviously this is all — look, I've written 3 books and they've done pretty well by all standards.
But if you buy a copy of my paperback book for like 7 or 8 quid on Amazon, I think I maybe get about 50p, 70p, something like that.
So, you know, you really would not make a lot of money, which is why it's been intriguing over the last few months to start receiving message upon message upon message from book marketing experts as they declare themselves.
And they're really interesting because they all kind of run to a pattern. Emails are clearly AI-generated because there's loads of it.
I think one of the giveaways now with AI-generated messages is nobody writes that much, you know?
And it starts out with, "Geoff White, your books deal with the intersection of organised crime and technology.
You have covered fraud and money laundering and stuff." And I'm like, yeah, I know, because I wrote them. I wrote that blurb.
And they say, "But Geoff, you're missing out on a huge audience of people.
And we book marketing experts can, you know, link you in with this as well." So I did go back to one of these people at one stage and sort of said, well, what does this sort of involve?
The reply to my messages again was so painfully AI-generated.
It's one of my favourite questions to answer." And basically it was a kind of stage one, pay us $500, we'll do a book competition marketplace analysis.
They're basically trying to escalate you up. Now, reading around this, I wouldn't say this is necessarily a scam per se.
Some of it is just shoddy, you know, you're getting just bad service, crap service, and you're paying through the nose for it.
Which already makes me think, why have they identified authors for this? We don't have a lot of money, you know.
But interestingly, when I asked what titles this person had worked with, they gave me a whole bunch of Kickstarter titles, you know, authors who've gone on Kickstarter.
And I think on Kickstarter, some authors maybe do have the idea that if you pay for marketing, you'll somehow sell loads of books and be the next Dan Brown or whatever, you know.
Anyway, I started seeing these coming through and I found them quite intriguing. And then one of them got in touch with me and said, "My name is Robert.
I run the London Wine and Dine Book Club."
Meanwhile, I found the real London Wine and Dine Book Club, which is a real book club and does exist and is run by a man called Robert.
I have nothing to do with this whatsoever." So I went back to Fake Robert and said, you know, how does this book club opportunity sort of work?
And Fake Robert said, well, what I do is I organise a Zoom meeting with all of my thousands of members and you appear on the Zoom meeting and you can talk about your book and then I will buy your book.
And I said, "Oh, right. Will you be at this Zoom meeting? Are you asking the questions?" And Fake Robert said yes.
Now, frustratingly, what I wanted to do was obviously not pay them before this happened.
You know, "I'm a Nigerian prince, I've got a million pounds. I need to get out the country.
If you can pay me $1,000, I will get the money out and I'll pay you." I mean, these are literally hundreds of years old, these scams. So this is an advance fee scam.
They want money up front and then they're gonna give me the Zoom session later on.
What I wanted to do was try and egg them along and see if I could nail them to do the Zoom session before paying them money.
Have you got another way that I can pay you?" And so they came back and I kept delaying it, delaying it till the Zoom meeting got closer and closer.
Frustratingly, I said, "Look, let's just do the Zoom session. I'll pay you afterwards." Right.
And they said, "No, there's a whole bunch of preparation we have to do for this Zoom meeting." So they'd sussed out they shouldn't do the Zoom meeting before they got the money.
However, there is a sort of postscript to this, which is quite intriguing. They have so far given me no less than 5 different bank accounts and payment methods, right, to pay them.
All of which, of course, I have prima facie evidence, are being used to launder the money from a fraud. Clear evidence they're not the London Wine and Dime Box Club.
And therefore, my next step, obviously, is to go and report each of these accounts to the relevant banks and get them shut down in connection with money laundering.
I then intend to contact fake Robert and say, "Did you Google me before you got in touch with me to find out the stuff that I do?" 'Cause I'm pretty sure Robert is going to shit his pants — fuck off.
Sorry, you'll have to bleep that out, but I just hate people like this.
This poor guy, Robert — he set up this book club and now his good name and his — I've met Robert, we met face to face in London.
I met the book club members and their name is now being used by some slummy scammer to defraud book authors.
I hate all of this and the more pain I can cause this person, the better. So for listeners, please watch out for my post on LinkedIn.
If you're connected to one of the banks or know someone at one of the banks that I post, 'cause I'll be posting the names of them.
Let me know who's in the fraud department or the AML department so I can get these accounts shut down so we can at least cause this guy some pain.
And again, I've done the same thing, but this time I said to them at the beginning, "Have you Googled me? Do you know who I am and what I do?
And are you confident you want to give me your payment details?" They came straight back with a bank account and I've gone back and said, "I need another one," and I will keep rinsing them for bank account after bank account.
I know I can't stop the problem. I know it's a Sisyphean task, but damn it, if just to cause them a bit of pain and make their day worse, I just can't resist.
That's V-A-N-T-A.com/smashing. And listeners, you can get $1,000 off.
Pick of the Week is the part of the show where everyone chooses something they like.
It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security-related necessarily. Well, my Pick of the Week this week is not security-related.
My Pick of the Week this week is a little gadget which I have in my office. You know, I'm kind of against all this IoT stuff, Geoff, you know.
Well, yes, I am a bit of a late adopter, but I found it rather useful. So I have a nice-ish DSLR camera, right?
Which I use as my webcam, which is back there somewhere, behind this screen. That's fabulous, but it's all the way back there.
And to try and turn it on and off, I've got to find the little on/off button.
And when I try and hit it on the camera, I inevitably change the zoom or I fiddle around with it or I knock it so it's no longer pointing in the right direction, which meant that I was just leaving my camera on all the time and it was plugged into the mains or whatever, but it was just always on.
And then I thought, well, I don't want my camera on all the time. That's not a very good idea for a security professional, is it? Precisely.
And so I thought, oh, what I'll do is I'll have a smart plug which I can programmatically turn on and off.
And so I did a little bit of vibe coding with the old AI, and I wrote myself a little tool which can turn that plug on and off again.
I've got a little thing in my menu bar and it's flashing a red camera icon in my menu bar at the moment, which says, your camera is on, Graham. And I can just flick it off again.
So with the smart plug, I can control this device and I've found it quite handy. So I've actually found a use for it. Whereas normally I think, who needs a smart plug?
But actually, yeah, it's something that's been useful to me. And so that is my pick of the week. It is from Tapo. Others are available.
I'm sure it didn't cost very much money, but it was actually really the coding — it was doing all the work with the bits of string and the pipe cleaner.
That was the fascinating bit, actually getting the code to work properly.
With a lot of help from AI to do the coding for me, to programmatically get it to work efficiently and effectively and reliably as well.
I was on OnlyFans with it, I had a couple of other platforms, and now the well has run dry.
And oh, it's just brilliant when you have time off, because I got up in the morning, had a crumpet and a cup of tea, and I sat on the sofa with my little niece watching satisfying videos on YouTube.
Have you come across these, the satisfying videos?
It goes over into sort of slime and gunk videos because some of it's about people digging their hands into slime or making slime.
There's a whole rug cleaning YouTube culture where people get rugs that are dirty and then clean them with things.
And then there's this whole other meta layer where there are people who have entire YouTube careers commenting on other people's YouTube videos of cleaning rugs.
We are just through the rabbit hole, but I gotta say, it's a hell of a way to spend 3 hours in the morning. It's really, really great.
I can't believe that I didn't do that.
I'm sure lots of our listeners would love to follow you and find out what you're up to — what is the best way for them to do that?
And don't forget to ensure that you never miss another episode.
Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts — for episode show notes, sponsorship info, and the back catalog of 476 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye. Bye. You've been listening to Smashing Security with me, Graham Cluley. Huge thanks, of course, to Geoff White for joining us this week.
Marvellous stuff as always. Thank you, Geoff. And also big thanks as well to this episode's sponsors, Arctic Wolf, NordLayer, and Vanta.
And also to the following fine folks who are amongst our fantastic Smashing Security patrons. So big cheers go to Saitel, Andrew Davison, Lisa.
Thank you to Robert Øjdegård — his surname looks like it was assembled by someone who really wanted to use up all their vowels.
Robert Martin, proof that you can have two Roberts in a shout-out, both equally appreciated.
Huge thanks also to Scotia, Greg Bailey, Christof Goossens, and final one for this week, Bravo Whiskey. We salute you in whatever phonetic alphabet you prefer.
Those are just a few members of Smashing Security Plus, which means that they get their episodes ad-free, earlier than the general public as well, by a couple of days, and they can have their names pulled out at random to be mercilessly mocked at the end of the show.
If you fancy a bit of that, just head over to smashingsecurity.com/plus for all the details where you can become a patron.
And there are other ways you can support the show as well, of course. Like you can, well, like the podcast, subscribe, leave a 5-star review — go on, why don't you do it?
I know I say this every week, but it really does make a big difference. And tell your friends about the podcast as well. Go on, spread the word.
The more people who listen, the more encouraged we will be to get up to number 500. Not too far off, are we? So until next week, thanks for tuning in.
Until next time, toodaloo, bye-bye.
Host:
Graham Cluley:
Guest:
Geoff White:
Episode links:
- The ransomware negotiator who was working for the other side – Hot for Security.
- LastPass, Bitwarden users targeted with fake security alerts – Bleeping Computer.
- German firm files for insolvency, blames cybercrims who shut down production for 6 weeks – The Register.
- BAT-BMS App: How A Chinese App Is Being Used To Hack E-Rickshaws All Over India; Viral Videos Show Drivers Crying Over Lost Earnings – Free Press Journal.
- Tirri control prank: Indians use China app to shut down e-rickshaws – The Print.
- Geoff describes his interactions with a book marketing scam – Linkedin.
- Smart Plugs – Tapo.
- Worst Patio Ever! Extreme ASMR Pressure Washing – YouTube.
- 20 Years of Cracked Mud Covered This Massive Rug – YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Arctic Wolf – See why 1 in 3 IT assets is missing a critical security control. Download the 2026 State of the Cybersecurity Attack Surface report.
- NordLayer – the network security platform for modern teams across different work environments. Use code NLSUMMER26 for up to 20% off annual plans.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Join Smashing Security PLUS for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


