Indian Government Orders Takedown of Apps Used to Remotely Disable E-Rickshaws
India's government has ordered Google and Apple to remove three apps allegedly misused to remotely disable e-rickshaws, citing passenger safety risks.

India's government has taken decisive action against three mobile applications—BAT-BMS, Lossigy, and Epoch-i-ion—ordering their removal from Google and Apple app stores. The directive stems from reports that these applications, originally designed for legitimate battery management in electric rickshaws and other battery-operated three-wheelers, were being exploited to remotely disable vehicles mid-journey. This misuse has raised significant concerns about passenger safety and has prompted authorities to warn that similar apps enabling such remote-kill functionality will face the same consequences.
The exploited apps function as Battery Management Systems (BMS), providing features like charge monitoring, location tracking, and crucially, a remote immobilization capability. This feature was intended for legitimate uses such as recovering stolen vehicles or disabling those with defaulted loans. However, unauthorized actors, including rival financiers, disgruntled individuals, or even pranksters, began exploiting this functionality to shut down e-rickshaws belonging to others, irrespective of ownership or consent. The situation was amplified by viral videos showcasing this disruptive capability.
Security researchers point to a critical design flaw: these apps often maintain an always-on API or a persistent Bluetooth/cellular connection between the vehicle's battery controller and the app's backend. This setup allows anyone with access credentials, which may be weakly protected or widely shared, to send a shutdown command remotely. The lack of robust authentication controls, verification of driver consent, or geofencing restrictions transformed a fleet management convenience into a significant safety hazard, particularly when vehicles were in motion with passengers.
This incident highlights a broader vulnerability in the rapidly growing electric vehicle sector, especially in India's e-rickshaw market. Manufacturers, often prioritizing cost-effectiveness and functionality over stringent security, embed remote-kill switches that can become easy attack vectors through credential leakage or insider misuse. The competitive pressure in this price-sensitive market can lead to safety-critical features being implemented without adequate hardening against malicious exploitation.
India's Ministry of Electronics and Information Technology has a precedent for such interventions. Under Section 69A of the Information Technology Act, the government has previously blocked applications deemed detrimental to national security, public safety, and order. This legal framework, coupled with direct instructions to app stores, appears to be the basis for the current action. This mirrors previous instances where state cyber units have formally notified Google and Apple to remove non-compliant or unsafe applications, such as the Maharashtra Cyber directive against unauthorized bike-taxi apps.
To mitigate such risks, recommendations for fleet operators include enforcing multi-factor authentication for all remote disabling commands, implementing geofencing and speed-based lockouts to prevent mid-transit shutdowns, and maintaining comprehensive audit logs of all remote commands. Furthermore, BMS vendors are urged to conduct third-party security audits of their backend APIs before public release.
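The recommended controls can be combined into one server-side gate in front of the immobilization command. The following is an added example, not code from any of the named apps or their vendors. The request and telemetry fields, the thresholds, and the reading of geofencing as "only inside an allowed zone" are assumptions, and the second factor is represented only by the time it was verified.

```python
import hashlib, json
from dataclasses import dataclass
from typing import Optional

MFA_MAX_AGE_S = 120        # assumed: second factor must be recent for this command
TELEMETRY_MAX_AGE_S = 10   # assumed: stale telemetry cannot prove the vehicle is stopped
MAX_SPEED_KMH = 0.5        # assumed: anything above this counts as "in motion"

@dataclass
class Command:             # hypothetical request shape
    operator: str
    vehicle_id: str
    mfa_verified_at: Optional[float]   # when the operator last passed a second factor

@dataclass
class Telemetry:           # hypothetical last report from the battery controller
    speed_kmh: float
    reported_at: float
    in_allowed_zone: bool  # geofence result, e.g. inside a depot boundary

class AuditLog:
    """Append-only log; each entry's hash covers the previous entry's hash."""
    def __init__(self):
        self.entries, self._prev = [], "0" * 64
    @staticmethod
    def _digest(prev, record):
        return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()
    def append(self, record):
        self._prev = self._digest(self._prev, record)
        self.entries.append({"record": record, "hash": self._prev})
    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            prev = self._digest(prev, e["record"])
            if prev != e["hash"]:
                return False   # an entry was edited, removed or reordered
        return True

def authorize_immobilize(cmd, tel, log, now):
    """Fail closed: the first failing check denies, and every decision is logged."""
    checks = [
        (cmd.mfa_verified_at is None or now - cmd.mfa_verified_at > MFA_MAX_AGE_S, "deny:mfa"),
        (now - tel.reported_at > TELEMETRY_MAX_AGE_S, "deny:stale-telemetry"),
        (tel.speed_kmh > MAX_SPEED_KMH, "deny:in-motion"),
        (not tel.in_allowed_zone, "deny:outside-geofence"),
    ]
    decision = next((reason for failed, reason in checks if failed), "allow")
    log.append({"t": now, "op": cmd.operator, "veh": cmd.vehicle_id, "decision": decision})
    return decision == "allow"
```

Denied attempts are logged alongside allowed ones, so repeated shutdown attempts against a moving vehicle show up in the audit trail even though none of them took effect.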
The government's swift action underscores the critical need for enhanced security measures in the burgeoning electric mobility sector. As more vehicles incorporate remote control features, ensuring these are secure against misuse is paramount to maintaining public safety and trust.