When a click stops a commute: The e-rickshaw hack explained
Explained: The app that can stop an e-rickshaw — and why it has exposed a bigger cybersecurity risk
Viral videos of e-rickshaws stalling mid-traffic have sparked a national security alarm, exposing a dangerous digital gap in India’s electric mobility sector.
The scene has become a regular, if infuriating, spectacle on Indian roads: an e-rickshaw suddenly loses all power in the middle of a busy junction, leaving the driver stranded and his passengers confused. While many initially blamed mechanical failure, the reality is far more digital—and deliberate. Miscreants have been using smartphone applications to exploit unsecured Bluetooth connections, effectively "switching off" these vehicles as a form of roadside prank, leaving hard-working drivers to pay for repairs to a vehicle that wasn’t actually broken.
A "Hack" or a Basic Security Lapse?
The culprit behind the chaos is a collection of battery management apps, most notably "BAT-BMS," which are designed to let owners monitor their lithium-ion batteries via Bluetooth. These apps track vital signs like voltage, temperature, and charge levels. However, experts point out that this isn't a sophisticated cyber-attack in the traditional sense. Many low-cost battery units used in e-rickshaws are shipped with "open" Bluetooth modules. Because these devices lack password protection or basic authentication, anyone within a 15-metre range can connect their phone to the vehicle’s battery and trigger a remote cut-off command.
The Ministry of Electronics and Information Technology (MeitY) has now stepped in, ordering Google and Apple to remove apps like BAT-BMS, Lossigy, and Epoch i-ion from their stores. The move follows a surge in viral videos where content creators intentionally disable passing e-rickshaws, prioritizing views over the public safety risks they create. Beyond the annoyance, these incidents cause genuine economic hardship for drivers, who often lose a day’s wages and must shell out cash to mechanics just to reset a system that was never actually faulty.
Why it matters: The bigger picture
This incident is a wake-up call for India’s rapid, yet often unregulated, shift toward electric mobility. The issue isn't merely a few rogue apps; it’s a systemic lack of "security hygiene" in the budget EV segment. When manufacturers prioritize low costs and convenience—by offering Bluetooth connectivity without basic encryption—they turn thousands of public transport vehicles into potential targets. If an unsecured battery system can be disabled by a passerby with a smartphone, it raises uncomfortable questions about the safety of our broader smart-city infrastructure.
For now, the government’s intervention serves as a necessary stop-gap, but the problem requires a permanent fix at the hardware level. Dealers must be held accountable for configuring security settings at the point of sale, and manufacturers need to move away from shipping open-access systems. As India accelerates its transition to electric vehicles, the race to innovate must be matched by a commitment to security. Without it, our roads remain vulnerable not just to traffic jams, but to digital pranks that carry very real-world consequences.
Ananya Iyer covers global affairs with an Indian lens for PoliticalPedia.