BAT-BMS app ban: How Chinese apps remotely kill e-rickshaws in India

Share:
Audio Loading voice…
BAT-BMS app ban: How Chinese apps remotely kill e-rickshaws in India

Synopsis

Videos of e-rickshaws being remotely killed mid-road by a smartphone app have forced MeitY to ban three battery management applications, including the Chinese-origin BAT-BMS. The exploit is deceptively simple — unprotected Bluetooth BMS units, factory-default passwords, and a freely available app are all it takes to strand a driver and passengers on a busy road.

Key Takeaways

MeitY has directed Google Play Store and Apple App Store to remove BAT-BMS , Lossigy , and Epoch i-ion apps.
BAT-BMS was developed by China's Shenzhen Grenergy Technology for Bluetooth-enabled lithium-ion batteries.
Anyone within 10–20 metres can connect to an unprotected BMS and remotely cut power to an e-rickshaw.
Vulnerability affects only e-rickshaws with Bluetooth-enabled lithium-ion batteries lacking password protection; lead-acid battery vehicles are unaffected.
An affected driver reportedly paid ₹300 to a mechanic to restore power via the app after being stranded.
MeitY is examining broader cybersecurity implications for India's electric vehicle sector.

The Ministry of Electronics and Information Technology (MeitY) has directed both Google Play Store and Apple App Store to remove three mobile applications — BAT-BMS, Lossigy, and Epoch i-ion — after videos circulating on social media allegedly showed individuals remotely disabling moving e-rickshaws using their smartphones. The development has triggered serious concerns over cybersecurity vulnerabilities in India's growing electric three-wheeler ecosystem.

How the Remote Kill Works

At the centre of the controversy is BAT-BMS, an application developed by China's Shenzhen Grenergy Technology for Bluetooth-enabled lithium-ion batteries. The app is designed to let battery owners monitor parameters such as voltage, current, temperature, charging cycles, and overall battery health in real time. It also allows users to toggle the battery's discharge function on or off — a feature intended for maintenance, but one that can be weaponised.

In many Indian e-rickshaws, lithium-ion batteries come equipped with Bluetooth-enabled Battery Management Systems (BMS) that are either installed without password protection or continue to run on factory-default credentials. Anyone within Bluetooth range — roughly 10 to 20 metres — can connect to such a battery using BAT-BMS or similar apps. Once connected, switching off the discharge function instantly cuts power to the vehicle. Because the battery itself is disabled, the driver cannot restart the e-rickshaw with the ignition key; power is restored only after reconnecting through the app and re-enabling the discharge function.

Drivers Caught Off Guard

An e-rickshaw driver said the problem first surfaced only a few days ago when his vehicle suddenly stopped mid-route. 'Initially, we thought there was a fault in the vehicle and took it to a mechanic. After checking it, he told us there was no mechanical problem. He said someone had switched off the battery using software,' the driver said. The mechanic reportedly charged around ₹300 to reconnect the battery through a mobile application and restore power.

The driver added that the disruption recurred while he was carrying passengers. 'Someone switched it off again while I was on the road. We don't know who is doing it. If the battery gets locked, it can only be unlocked through the same app. We are drivers, not technology experts, so we don't know how to deal with such issues,' he said.

Which Vehicles Are Vulnerable

The vulnerability is not universal. It applies only to e-rickshaws that meet two specific conditions: they use Bluetooth-enabled lithium-ion batteries, and their battery management system lacks password protection or proper authentication. Vehicles running on conventional lead-acid batteries — still common across much of India — do not have Bluetooth-enabled BMS and are therefore unaffected.

Likewise, newer lithium-ion systems that employ strong passwords, encryption, or proprietary software cannot be accessed through generic battery management applications. Passenger cars and most branded electric vehicles incorporate multiple layers of cybersecurity and encrypted BMS communication, making unauthorised access significantly more difficult.

Government Response and What Comes Next

MeitY's directive to pull the apps from both major app stores marks the government's first concrete regulatory action on this specific threat vector. The ministry is also examining broader cybersecurity implications of Bluetooth-enabled BMS deployments across India's electric vehicle sector. Notably, this episode surfaces a structural gap: hardware-level security standards for EV batteries in the affordable segment have not kept pace with the rapid adoption of lithium-ion technology in last-mile transport. Experts and industry observers are likely to push for mandatory password protection and authentication norms for all BMS units sold in India going forward.

Point of View

Not the disease: the hardware vulnerability remains in every unpatched battery already on the road. The real question is whether MeitY's scrutiny will extend to mandating minimum BMS security standards for the affordable EV segment, where margins are thin and corners are routinely cut.
NationPress
3 Jul 2026

Frequently Asked Questions

What is the BAT-BMS app and why was it banned in India?
BAT-BMS is a mobile application developed by China's Shenzhen Grenergy Technology that allows users to monitor and control Bluetooth-enabled lithium-ion batteries. It was banned after videos allegedly showed individuals using it to remotely cut power to moving e-rickshaws, prompting MeitY to direct its removal from Google Play Store and Apple App Store.
How can an app remotely disable a moving e-rickshaw?
Many Indian e-rickshaws use Bluetooth-enabled Battery Management Systems (BMS) that lack password protection or run on factory-default credentials. Anyone within 10–20 metres can connect to such a battery via an app like BAT-BMS and switch off the discharge function, instantly cutting power to the vehicle. The driver cannot restart it without reconnecting through the app.
Which e-rickshaws are vulnerable to this threat?
Only e-rickshaws with Bluetooth-enabled lithium-ion batteries that lack password protection or proper authentication are at risk. Vehicles using conventional lead-acid batteries are unaffected, as are newer lithium-ion systems with strong passwords, encryption, or proprietary software.
Which other apps were banned alongside BAT-BMS?
MeitY directed the removal of three apps in total: BAT-BMS, Lossigy, and Epoch i-ion. All three are battery management applications compatible with Bluetooth-enabled lithium-ion BMS units used in e-rickshaws.
What can e-rickshaw drivers do to protect themselves?
Drivers and fleet owners should ensure their battery management systems are configured with strong, non-default passwords and updated firmware. Vehicles with proprietary or encrypted BMS software are not accessible through generic apps like BAT-BMS. Consulting the battery manufacturer for a security patch or password update is the immediate recommended step.
Nation Press
The Trail

Connected Dots

Tracing the thread behind this story — newest first.

8 Dots
  1. Latest 1 week ago
  2. 2 weeks ago
  3. 6 months ago
  4. 8 months ago
  5. 8 months ago
  6. 1 year ago
  7. 1 year ago
  8. 1 year ago
Google Prefer NP
On Google