India Bans Apps Used to Remotely Disable E-Rickshaws
The Indian government has ordered the removal of apps like BAT-BMS, Lossigy, and Epoch-i-ion from app stores. These apps were being misused to remotely halt e-rickshaws, raising significant public safety and cybersecurity concerns across India.
Key Highlights
- Government ordered removal of BAT-BMS, Lossigy, Epoch-i-ion apps.
- Apps misused to remotely disable e-rickshaws via Bluetooth.
- Unsecured battery management systems (BMS) exploited.
- Incidents caused safety risks, traffic disruptions, and financial loss.
- MeitY directed Google and Apple to delist the identified applications.
- Action aims to prevent misuse and enhance EV cybersecurity in India.
The Indian government has taken decisive action against several mobile applications, including BAT-BMS, Lossigy, and Epoch-i-ion, ordering their immediate removal from both Android and iOS app stores in India. This directive, issued by the Ministry of Electronics and Information Technology (MeitY), comes in response to widespread reports and viral social media videos demonstrating the misuse of these apps to remotely disable e-rickshaws and other battery-operated vehicles.
The apps, predominantly Chinese-developed, such as BAT-BMS by Shenzhen Grenergy Technology Co. Ltd., were originally designed for legitimate purposes: monitoring and managing Bluetooth-enabled lithium battery packs. They provide users with real-time data on battery parameters like voltage, current, temperature, and charge status. However, a critical vulnerability in many low-cost e-rickshaw battery management systems (BMS) allowed these apps to be weaponized. Many of these BMS units lacked fundamental security features like password protection or robust authentication, enabling anyone within Bluetooth range (typically 10-20 meters) to connect to a moving e-rickshaw's battery and activate a 'discharge off' function.
The consequence of this exploit was alarming: e-rickshaws would abruptly halt in the middle of roads, stranding drivers and passengers, creating significant public safety hazards, and disrupting traffic. The issue gained national attention after numerous videos went viral across Indian social media platforms, showcasing individuals demonstrating this 'prank' and the ensuing confusion and frustration among affected drivers. Some reports even indicated instances where pranksters allegedly demanded money to reactivate the disabled vehicles, escalating the issue from mischief to potential extortion and criminal activity.
MeitY Secretary S. Krishnan confirmed the government's swift action, stating that the apps came to their notice and were promptly removed from app stores. While the initial reports from some government sources and news outlets mentioned three specific apps (BAT-BMS, Lossigy, Epoch-i-ion), other credible sources, including NDTV and Mint, reported that a total of seven applications were targeted for removal, also listing SMART BMS among them. The government has also warned that any other applications found to be facilitating similar misuse will face identical action.
The government's response highlights the evolving nature of cybersecurity threats, moving beyond traditional data security and privacy concerns to include the potential for remote interference with connected devices that impact public safety and livelihoods. Officials emphasized the responsibility of app stores to exercise due diligence in vetting applications to prevent the distribution of potentially harmful software. Cyberlaw experts have noted that misusing such apps to disable vehicles could constitute a criminal offense under Sections 66 and 43 of the Information Technology Act, 2000, potentially leading to imprisonment and substantial fines.
This incident underscores the urgent need for enhanced cybersecurity standards in the manufacturing of electric vehicles and their components, particularly for Bluetooth-enabled battery management systems, to include mandatory authentication and robust security protocols. While the vulnerability primarily affected low-cost e-rickshaws with unsecured lithium battery packs, it served as a critical reminder for the broader electric vehicle ecosystem to bolster its defenses against potential exploits. The swift governmental intervention aims to restore confidence in electric mobility and protect the thousands of e-rickshaw drivers who rely on these vehicles for their daily income.
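The mandatory authentication called for above can take the form of a challenge-response gate in front of the BMS control commands, so that a phone without the pack's key cannot switch discharge off. This is an added illustration in Python that models the firmware logic; it is not code from the article or from any BMS vendor. The opcodes, the `BmsCommandGate` class and the per-pack key are hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical opcodes; real BMS protocols define their own.
READ_TELEMETRY = 0x01  # voltage, current, temperature, charge status
SET_DISCHARGE = 0x02   # arg 0 = discharge off, arg 1 = discharge on


def sign(key: bytes, nonce: bytes, opcode: int, arg: int) -> bytes:
    # The tag binds one command to one challenge issued by the pack.
    return hmac.new(key, nonce + bytes([opcode, arg]), hashlib.sha256).digest()


class BmsCommandGate:
    def __init__(self, pack_key: bytes):
        self._key = pack_key   # assumed per-pack secret set at provisioning
        self._nonce = None     # outstanding challenge, valid for one command
        self.discharge_enabled = True

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def handle(self, opcode: int, arg: int = 0, tag: bytes = b"") -> str:
        if opcode == READ_TELEMETRY:
            return "telemetry"  # monitoring left open in this model
        if opcode != SET_DISCHARGE or arg not in (0, 1):
            return "rejected: unknown command"
        nonce, self._nonce = self._nonce, None  # consume: blocks replay
        if nonce is None:
            return "rejected: no challenge outstanding"
        if not hmac.compare_digest(sign(self._key, nonce, opcode, arg), tag):
            return "rejected: bad tag"
        self.discharge_enabled = bool(arg)
        return "ok"


def demo() -> list:
    key = secrets.token_bytes(32)  # constructed sample key
    gate = BmsCommandGate(key)
    out = [gate.handle(SET_DISCHARGE, 0)]           # no challenge, no tag
    out.append(gate.handle(SET_DISCHARGE, 0, sign(b"guess", gate.challenge(), SET_DISCHARGE, 0)))
    tag = sign(key, gate.challenge(), SET_DISCHARGE, 0)
    out.append(gate.handle(SET_DISCHARGE, 0, tag))  # key holder's command
    out.append(gate.handle(SET_DISCHARGE, 1, tag))  # replayed tag, nonce spent
    return out + [gate.discharge_enabled]


if __name__ == "__main__":
    print(demo())
```

Only the command signed with the pack's key against a fresh challenge changes the discharge state; unauthenticated, wrongly keyed and replayed commands are all refused.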
This move by the Indian government is a significant step in regulating the digital landscape concerning connected vehicles, ensuring that technology designed for efficiency is not exploited for malicious purposes that endanger public life and economic stability. It also signifies a proactive approach to cybersecurity, addressing vulnerabilities in the burgeoning electric vehicle sector in India.
Frequently Asked Questions
Which apps did the Indian government order to be removed?
The Indian government ordered the removal of several mobile applications, prominently including BAT-BMS, Lossigy, and Epoch-i-ion, from app stores. Some reports also mention SMART BMS and a total of seven apps being targeted.
Why were these apps removed?
These apps were removed because they were being misused to remotely disable e-rickshaws and other battery-operated vehicles. They exploited security vulnerabilities in unsecured Bluetooth-enabled battery management systems (BMS) in some vehicles.
What was the impact of these apps being misused?
The misuse of these apps caused e-rickshaws to stop suddenly in the middle of journeys, leading to public safety concerns, traffic disruptions, and financial losses for drivers. Viral videos on social media highlighted the seriousness of the issue.
Which government body issued the order?
The Ministry of Electronics and Information Technology (MeitY) issued the directive to Google and Apple, instructing them to delist the identified applications from their respective app stores.
Are all e-rickshaws vulnerable to this kind of attack?
No, not all e-rickshaws are vulnerable. The issue primarily affects vehicles equipped with low-cost, Bluetooth-enabled lithium battery management systems that lack proper password protection or authentication. Older e-rickshaws with lead-acid batteries or newer models with proprietary, secure battery management software are generally not affected.