In a swift intervention to protect public safety and the livelihoods of transit workers, the Union Ministry of Electronics and Information Technology (MeitY) has ordered the immediate removal of three Chinese smartphone applications—BAT-BMS, Lossigy, and Epoch-i-ion—from the Google Play Store and Apple App Store.

The regulatory crackdown follows a bizarre and dangerous viral trend on social media where miscreants used the applications to wirelessly hack into and remotely disable moving electric rickshaws (e-rickshaws), leaving drivers stranded and causing traffic chaos.

1. The Exploit: Zero-Authentication Bluetooth Vulnerabilities

The controversy erupted after videos surfaced across X, Instagram, and YouTube showing individuals playing “pranks” by connecting to nearby e-rickshaws and shutting off their power output.

The security vulnerability is rooted in the cheap, mass-market infrastructure utilized by the low-cost EV sector:

  • Open Bluetooth Configurations: Many budget e-rickshaws deployed in India use imported Chinese-manufactured Battery Management Systems (BMS) to monitor voltage and temperature. These systems were built with virtually no localized security layers or encrypted handshakes.
  • The Remote “Kill Switch”: The banned applications were originally developed as legitimate utility tools to diagnose battery health. However, because the vehicles’ Bluetooth settings require no password or secondary PIN authentication, anyone within Bluetooth range could pair with the battery and toggle the “discharge” switch, instantly cutting the vehicle’s power.
 [ THE E-RICKSHAW BLUETOOTH EXPLOIT ]
 
  Miscreant App Scan ──► Detects Open, Unencrypted Bluetooth BMS Signal (No Password Required)
                                                    │
                                                    ▼ 
  Wireless Handshake  ──► Attacker Connects Dynamically Within a 10-20 Meter Radius
                                                    │
                                                    ▼ 
  The "Kill Command"  ──► App Toggles Battery Discharge Off ──► Vehicle Stalls Instantly Mid-Transit

2. Immediate Enforcement & Investigations

The issue quickly escalated from a public nuisance to a serious law-enforcement and national cybersecurity threat. While a live demonstration at a premier automotive showroom confirmed that full-scale electric passenger cars are entirely safe due to their encrypted, closed-loop architectures, the vulnerability of the informal transit sector prompted multi-layered government action:

  • MeitY Takedown Mandate: Speaking at a cybersecurity summit, IT Secretary S. Krishnan confirmed that the applications were flagged and wiped from digital storefronts within 24 hours. The ministry explicitly warned app stores that they must strengthen their due diligence pipelines to prevent harmful control-layer software from being distributed passively.
  • Delhi Transport Inspection: Delhi Transport Minister Pankaj Singh directed the state transport department and specialized cyber cells to verify the scale of the hardware vulnerabilities and inspect unbranded lithium-battery assemblies across local charging hubs.
  • Extortion Arrests: The threat moved beyond internet pranks in cities like Ujjain, where local police arrested an individual who was weaponizing the application to systematically stall e-rickshaws mid-delivery and extort money from vulnerable drivers to turn their vehicles back on.

3. The Broader EV Supply Chain Wake-Up Call

The incident exposes a structural vulnerability within India’s rapidly expanding electric vehicle ecosystem. While India has successfully localized the chassis assembly of micro-mobility vehicles, the digital control systems powering them remain heavily dependent on cheap, unvetted foreign components:

| System Layer | Pre-Incident Low-Cost Approach | The Necessary Post-Incident Shift |
|---|---|---|
| BMS Authentication | Completely open, visible Bluetooth broadcasts with zero factory password barriers. | Mandatory secure pairing protocols via unique QR code or physical button handshakes. |
| Component Sourcing | High reliance on grey-market, unbranded Chinese firmware modules lacking software update paths. | Transitioning toward local, PLI-backed electronics suppliers running secure, signed firmware. |
| Cybersecurity Auditing | Minimal regulatory vetting for low-speed vehicles under 25 km/h. | Introducing baseline software security certifications for all commercial passenger carrier batteries. |
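
The "BMS Authentication" row, as an added sketch that is not from the article or from any BMS vendor: a model of the open control write next to one gated by a per-pack secret of the kind a QR code could carry. The class names, command values and HMAC challenge-response scheme are assumptions chosen for illustration, not a description of any real product's protocol.

```python
import hashlib
import hmac
import secrets

DISCHARGE_OFF, DISCHARGE_ON = 0x00, 0x01  # hypothetical command values


class OpenBms:
    """Behaviour the article describes: any connected client may toggle discharge."""

    def __init__(self):
        self.discharge_enabled = True

    def write_discharge(self, value):
        self.discharge_enabled = (value == DISCHARGE_ON)
        return True


class PairedBms:
    """Hardened model: a control write needs an HMAC over a one-time challenge."""

    def __init__(self, device_secret):
        # Assumption: unique secret provisioned per pack and printed as a QR code.
        self._secret = device_secret
        self._challenge = None
        self.discharge_enabled = True

    def get_challenge(self):
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def write_discharge(self, value, tag):
        # Consume the challenge on every attempt so a captured tag cannot be replayed.
        challenge, self._challenge = self._challenge, None
        if challenge is None:
            return False
        expected = hmac.new(self._secret, challenge + bytes([value]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # state is left unchanged on failure
        self.discharge_enabled = (value == DISCHARGE_ON)
        return True


def owner_tag(secret, challenge, value):
    """What the owner's app would compute after scanning the pack's QR code."""
    return hmac.new(secret, challenge + bytes([value]), hashlib.sha256).digest()
```

Binding the tag to both the challenge and the command value means a tag observed for one write cannot be reused for a different command or a later session.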

Ultimately, while pulling BAT-BMS, Lossigy, and Epoch-i-ion from mainstream storefronts limits immediate copycat behavior, the incident highlights an urgent engineering lesson for the EV era: if a battery management system is smart enough to connect to the internet or a smartphone, it must be secure enough to defend itself against the open street.