India Bans Apps Used to Remotely Disable E-Rickshaws
Key Takeaways
- The Indian government has ordered Google and Apple to remove three apps—BAT-BMS, Lossigy, and Epoch-i-ion—from their app stores.
- These apps were allegedly misused to remotely disable e-rickshaws and other battery-operated three-wheelers while in motion, posing a significant safety risk to passengers.
- The apps, initially designed for legitimate fleet management, featured remote-kill switch capabilities that were exploited by unauthorized individuals.
- The incident highlights vulnerabilities in IoT-enabled remote disablement features within the rapidly expanding electric vehicle sector, particularly concerning weak authentication and access controls.
India Acts Against Apps Exploiting E-Rickshaw Remote Disablement
The Indian government has issued a directive to tech giants Google and Apple, mandating the removal of three specific mobile applications: BAT-BMS, Lossigy, and Epoch-i-ion. This decisive action comes after allegations surfaced that these apps were being maliciously employed to remotely immobilize e-rickshaws and other battery-powered three-wheelers, often while vehicles were actively transporting passengers, thereby endangering public safety.
Authorities have also conveyed a clear warning: any additional applications found to possess or enable similar remote-kill functionalities will face identical enforcement measures.
This governmental intervention follows the widespread circulation of online videos. These clips depicted individuals leveraging the applications to pinpoint nearby e-rickshaws through their integrated battery management systems (BMS) and then remotely deactivating them with a simple tap, sometimes while the vehicles were in motion with occupants inside.
Originally, BAT-BMS, Lossigy, and Epoch-i-ion were developed as legitimate tools for Battery Management Systems. Their intended purpose was to offer fleet operators, financial institutions, or vehicle owners capabilities such as monitoring battery charge levels, tracking vehicle locations, and remotely immobilizing vehicles in instances of loan default or theft.
However, the inherent remote-kill switch functionality within these applications became a vector for exploitation. Unauthorized parties, including competing financiers, disgruntled individuals, or even pranksters, reportedly misused this feature to disable e-rickshaws belonging to other operators, irrespective of legitimate ownership or consent.
Design Flaws Enable Remote Interference
Unlike conventional vehicle tracking applications, apps such as BAT-BMS, Lossigy, and Epoch-i-ion were designed with a persistent API or Bluetooth/cellular connection linking the e-rickshaw’s battery controller directly to the app’s backend. This architecture meant that any user possessing access credentials—which were sometimes poorly secured or shared across dealer networks—could transmit a shutdown command remotely.
This design oversight effectively transformed what was intended as a fleet-management convenience into a significant safety hazard. The systems reportedly lacked robust authentication controls, mechanisms to verify driver consent, or geofencing limitations that could have prevented unauthorized third-party interference.
Cybersecurity experts have consistently highlighted that IoT-enabled kill switches, particularly in budget-friendly electric vehicles, are prone to vulnerabilities. Manufacturers frequently prioritize cost-effectiveness and basic functionality over strong access control measures, making credential compromise or insider misuse straightforward attack vectors.
While the specific enforcement mechanisms for this particular case have not been extensively detailed in public reports, India possesses a clear legal framework for such actions. The Ministry of Electronics and Information Technology has previously invoked Section 69A of the Information Technology Act to block applications deemed detrimental to public safety and order. A notable precedent includes the 2020 ban of 59 apps, citing national security concerns.
This established legal framework, combined with direct instructions to app stores, appears to underpin the current action against BAT-BMS, Lossigy, and Epoch-i-ion. This pattern mirrors recent incidents, such as when Maharashtra Cyber ordered the removal of unauthorized bike-taxi apps due to passenger safety violations.
This incident underscores a growing concern regarding IoT-enabled remote disablement features integrated into affordable electric vehicles within India’s burgeoning e-rickshaw and last-mile mobility sectors. As BMS vendors compete to integrate remote-lock and anti-theft functionalities in a cost-sensitive market, inadequate authentication and poor access segregation can inadvertently transform intended safety features into exploitable attack surfaces.
What You Should Do
- Implement Multi-Factor Authentication (MFA): For any application command capable of remotely disabling a moving vehicle, enforce MFA to prevent unauthorized access.
- Utilize Geofencing and Speed-Based Lockouts: Configure systems to prevent shutdown commands from being issued while a vehicle is actively in transit or within designated safe zones.
- Maintain Comprehensive Audit Logs: Keep detailed records of every remote command issued, ensuring each entry is traceable to a verified device and user.
- Conduct Independent Security Audits: Prior to public release, engage third-party security experts to conduct thorough audits of BMS backend APIs and associated applications.
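A server-side gate for a remote-immobilize command that combines the first three recommendations with a per-vehicle binding, so a login shared across a dealer network cannot act on someone else's vehicle. This is an added example, not code from any of the apps or vendors named above; the class, field names and time thresholds are assumptions, and geofencing is left out to keep it short.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

MFA_MAX_AGE_S = 120       # assumed: step-up auth must be this recent
TELEMETRY_MAX_AGE_S = 10  # assumed: older speed readings are not trusted

@dataclass
class Request:
    user_id: str
    device_id: str
    vehicle_id: str
    mfa_verified_at: Optional[float]  # epoch seconds, None if no step-up

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ImmobilizeGate:
    def __init__(self, bindings):
        self.bindings = bindings  # vehicle_id -> set of user_ids allowed to act on it
        self.audit = []           # hash-chained log, one entry per decision

    def decide(self, req, speed_kmh, speed_ts, now):
        """Return (allowed, reason); every decision is logged, allowed or not."""
        if req.user_id not in self.bindings.get(req.vehicle_id, set()):
            reason = "user_not_bound_to_vehicle"   # shared dealer logins fail here
        elif req.mfa_verified_at is None or now - req.mfa_verified_at > MFA_MAX_AGE_S:
            reason = "mfa_missing_or_stale"
        elif speed_ts is None or now - speed_ts > TELEMETRY_MAX_AGE_S:
            reason = "telemetry_stale"             # unknown speed: fail closed
        elif speed_kmh > 0:
            reason = "vehicle_in_motion"
        else:
            reason = "ok"
        entry = {"ts": now, "user": req.user_id, "device": req.device_id,
                 "vehicle": req.vehicle_id, "decision": reason,
                 "prev": self.audit[-1]["hash"] if self.audit else "0" * 64}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)
        return reason == "ok", reason

def verify_chain(audit):
    """True only if every entry is unmodified and links to its predecessor."""
    prev = "0" * 64
    for e in audit:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or _digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True
```

Denied requests are logged alongside allowed ones, so repeated attempts against vehicles a user is not bound to show up in the audit trail.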
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.