BAT-BMS app ban: How Chinese apps remotely kill e-rickshaws in India
The Ministry of Electronics and Information Technology (MeitY) has directed both Google Play Store and Apple App Store to remove three mobile applications — BAT-BMS, Lossigy, and Epoch i-ion — after videos circulating on social media allegedly showed individuals remotely disabling moving e-rickshaws using their smartphones. The development has triggered serious concerns over cybersecurity vulnerabilities in India's growing electric three-wheeler ecosystem.
How the Remote Kill Works
At the centre of the controversy is BAT-BMS, an application developed by China's Shenzhen Grenergy Technology for Bluetooth-enabled lithium-ion batteries. The app is designed to let battery owners monitor parameters such as voltage, current, temperature, charging cycles, and overall battery health in real time. It also allows users to toggle the battery's discharge function on or off — a feature intended for maintenance, but one that can be weaponised.
In many Indian e-rickshaws, lithium-ion batteries come equipped with Bluetooth-enabled Battery Management Systems (BMS) that are either installed without password protection or continue to run on factory-default credentials. Anyone within Bluetooth range — roughly 10 to 20 metres — can connect to such a battery using BAT-BMS or similar apps. Once connected, switching off the discharge function instantly cuts power to the vehicle. Because the battery itself is disabled, the driver cannot restart the e-rickshaw with the ignition key; power is restored only after reconnecting through the app and re-enabling the discharge function.
Drivers Caught Off Guard
An e-rickshaw driver said the problem first surfaced only a few days ago when his vehicle suddenly stopped mid-route. 'Initially, we thought there was a fault in the vehicle and took it to a mechanic. After checking it, he told us there was no mechanical problem. He said someone had switched off the battery using software,' the driver said. The mechanic reportedly charged around ₹300 to reconnect the battery through a mobile application and restore power.
The driver added that the disruption recurred while he was carrying passengers. 'Someone switched it off again while I was on the road. We don't know who is doing it. If the battery gets locked, it can only be unlocked through the same app. We are drivers, not technology experts, so we don't know how to deal with such issues,' he said.
Which Vehicles Are Vulnerable
The vulnerability is not universal. It applies only to e-rickshaws that meet two specific conditions: they use Bluetooth-enabled lithium-ion batteries, and their battery management system lacks password protection or proper authentication. Vehicles running on conventional lead-acid batteries — still common across much of India — do not have Bluetooth-enabled BMS and are therefore unaffected.
Likewise, newer lithium-ion systems that employ strong passwords, encryption, or proprietary software cannot be accessed through generic battery management applications. Passenger cars and most branded electric vehicles incorporate multiple layers of cybersecurity and encrypted BMS communication, making unauthorised access significantly more difficult.
Government Response and What Comes Next
MeitY's directive to pull the apps from both major app stores marks the government's first concrete regulatory action on this specific threat vector. The ministry is also examining broader cybersecurity implications of Bluetooth-enabled BMS deployments across India's electric vehicle sector. Notably, this episode surfaces a structural gap: hardware-level security standards for EV batteries in the affordable segment have not kept pace with the rapid adoption of lithium-ion technology in last-mile transport. Experts and industry observers are likely to push for mandatory password protection and authentication norms for all BMS units sold in India going forward.