Government Cracks Down on Apps Allowing Remote Hijacking of E-Rickshaws
IR SUMMARY — KEY POINTS
- The Indian government has ordered the immediate removal of three mobile applications after they were exploited to remotely disable e-rickshaws across various cities.
- The controversy centers on the BAT-BMS, Losiji, and Epoch Li-ion applications, which facilitated unauthorized access to vehicle power systems via unsecured Bluetooth connections.
- Viral social media videos showed individuals using these tools to stop moving vehicles, prompting severe concerns regarding public safety and cybersecurity vulnerabilities.
- Cybersecurity experts from firms like Cyble warn that the incident reflects a broader systemic failure to integrate robust security protocols into electric mobility hardware.
- The Ministry of Electronics and Information Technology has initiated a probe as authorities urge manufacturers to implement mandatory password protection for battery management systems.
The Indian government has officially moved to neutralize a growing digital threat targeting the nation's burgeoning electric vehicle sector after reports confirmed that several mobile applications were being misused to disable e-rickshaws remotely. By targeting specific software known as BAT-BMS, Losiji, and Epoch Li-ion, officials aim to curtail a dangerous trend in which vehicles were being shut down mid-transit by unauthorized users. The vulnerability primarily affected low-cost lithium-ion battery packs that lacked basic encryption, effectively turning thousands of public transport vehicles into targets for malicious interference and reckless pranks.
Security Flaws in Battery Management
The core of the issue lies in the design of the Battery Management System, an internal component responsible for monitoring voltage, temperature, and overall health of the vehicle's power source. Manufacturers of these budget-friendly battery packs neglected to implement password-protected Bluetooth pairing, leaving a communication window open to anyone within a 15-meter range. This design flaw allowed individuals with the correct application to bridge the connection to the vehicle’s main power controller, giving them the ability to toggle the power output on or off at will.
Social media platforms were flooded with viral footage dubbed the Tirri Trend, which showcased pranksters successfully bringing unsuspecting e-rickshaws to a complete halt in the middle of busy traffic. While these clips were shared primarily for entertainment value, the underlying reality presents a grave danger to commuters and drivers alike. Bringing a vehicle to a sudden, unexpected stop in a high-speed traffic environment risks multi-vehicle pile-ups and serious injuries, transforming a technological oversight into a potential public safety crisis that necessitated immediate state intervention.
The vulnerability is limited to lithium-ion batteries that utilize Bluetooth connections without basic password protection for the management system.
Digital Pranks Endanger Public Safety
Cybersecurity analysts suggest that this incident serves as a critical wake-up call for the entire electric mobility ecosystem as it rapidly shifts toward digitization. According to industry experts, the rush to market affordable electric transport options often results in corners being cut on essential digital safety features that would be standard in passenger cars or heavy-duty industrial machinery. Without mandatory security standards enforced at the hardware level, the integration of connected diagnostic tools will continue to create exploitable backdoors for bad actors seeking to disrupt transportation infrastructure.
Development of the software in question is largely traced to firms like Shenzhen Grenergy Technology, which designed the interfaces to help owners track real-time battery performance. While these tools offer genuine utility for maintenance and efficiency tracking, the lack of authentication protocols meant that the convenience of remote management was weaponized against the very people it was intended to serve. The government's decision to pressure major app stores to remove these listings is a tactical move to contain the immediate damage while investigations into the supply chain continue.
Systemic Failures in Electric Mobility
This crackdown has reignited a nationwide debate regarding the regulatory requirements for unbranded components that power the informal transport sector. While established automotive brands utilize sophisticated encryption that renders such unauthorized Bluetooth access impossible, the unorganized market relies heavily on these cheaper, insecure alternatives. Policymakers are now facing pressure to establish stringent quality control protocols that mandate secure, encrypted communication modules for all electric vehicle parts imported or manufactured within the country to prevent future remote access incidents.
Unsecured battery management systems allow unauthorized users to shut down e-rickshaws from a distance of up to 15 meters.
In response to the government directive, major digital marketplaces are in the process of auditing their listings to ensure the identified applications are no longer accessible to the public. However, authorities are cautious, acknowledging that removing apps is merely a temporary patch for a hardware-level vulnerability that already exists in thousands of active vehicles. The focus is now shifting toward informing drivers about the risks and encouraging them to seek technical updates or hardware modifications that can lock down their Bluetooth connections against unauthorized pairing attempts.
Regulating Hardware for Future Security
Looking forward, the incident is likely to trigger a comprehensive overhaul of how smart mobility hardware is vetted before reaching the Indian consumer. Regulators are expected to push for stricter compliance for battery management modules, potentially banning the sale of any hardware that fails to meet minimum cybersecurity benchmarks. This episode underscores the hidden costs of rapid technological adoption and the urgent necessity of prioritizing foundational security over the convenience of connected features as the country accelerates its ambitious transition toward a fully electrified transport network.
KEY TAKEAWAYS
- The government has specifically ordered the removal of BAT-BMS, Losiji, and Epoch Li-ion apps from major digital app stores.
- Modern passenger vehicles utilize robust encryption that prevents unauthorized remote access, unlike the budget battery packs used in most e-rickshaws.