The Indian government has instructed Google and Apple to remove three mobile applications—BAT-BMS, Lossigy, and Epoch-i-ion—from their platforms. These apps were reportedly exploited to remotely disable e-rickshaws and other battery-operated three-wheelers during operation, posing significant safety risks to passengers.
Authorities have also cautioned that any other applications found to offer comparable remote shutdown capabilities will face the same action.
This directive follows the circulation of viral videos demonstrating individuals using these apps to locate nearby e-rickshaws via connected battery management systems and deactivating them remotely, sometimes while the vehicles were in motion with passengers on board.
Originally, these applications were developed as legitimate Battery Management System (BMS) tools. They allowed fleet operators, financiers, or vehicle owners to monitor battery charge levels, track vehicle locations, and remotely immobilize vehicles in cases of loan default or theft.
The misuse occurred when unauthorized individuals, including rival financiers, disgruntled parties, or pranksters, exploited the remote-kill switch feature to disable e-rickshaws belonging to other operators, regardless of legitimate ownership or consent.
Unlike standard vehicle-tracking apps, BAT-BMS, Lossigy, and Epoch-i-ion reportedly maintained a continuous API or Bluetooth/cellular connection between the e-rickshaw’s battery controller and the app’s backend. This design flaw meant that any user with access credentials—sometimes weakly protected or shared across dealer networks—could send a shutdown command remotely.
This vulnerability effectively transformed a fleet-management convenience feature into a safety hazard, as it lacked adequate authentication controls, driver consent verification, or geofencing restrictions to prevent third-party interference.
Security researchers have long highlighted that IoT-enabled kill switches in low-cost electric vehicles are particularly susceptible to such exploits. Manufacturers often prioritize cost and functionality over robust access control, leaving credential leakage or insider misuse as potential attack vectors.
While specific enforcement details for this case remain limited in public disclosures, India has a precedent for such interventions. The Ministry of Electronics and Information Technology has previously invoked Section 69A of the Information Technology Act to block applications deemed prejudicial to public safety and order, as seen in the 2020 ban of 59 apps citing security concerns.
This same legal framework, combined with directives issued to app stores, appears to underpin the current action against BAT-BMS, Lossigy, and Epoch-i-ion. Similar patterns have been observed when state or central cyber units formally notify Google and Apple to remove non-compliant or unsafe apps from their platforms, as demonstrated when Maharashtra Cyber ordered the removal of unauthorized bike-taxi apps over passenger safety violations.
This incident underscores a growing concern around IoT-enabled remote disablement features embedded in affordable electric vehicles across India’s booming e-rickshaw and last-mile mobility sector. As BMS vendors race to add remote-lock and anti-theft features to compete in a price-sensitive market, weak authentication and poor access segregation can transform safety features into attack surfaces.
To mitigate such risks, it is imperative for manufacturers and app developers to implement robust security measures, including strong authentication protocols, user consent mechanisms, and stringent access controls. Additionally, regulatory bodies should establish clear guidelines and standards for the development and deployment of IoT-enabled features in vehicles to ensure passenger safety and prevent unauthorized misuse.
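The controls named above, applied server-side to a remote-immobilise request before any command reaches the battery controller. This is an added example, not code from any of the apps or vendors mentioned; every name, field and threshold in it is an assumption, including the motion interlock and the policy that a lock needs either driver acknowledgement or a vehicle parked inside its depot geofence.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Vehicle:
    vin: str
    authorized_principals: frozenset  # per-vehicle owner/financier account ids (assumed model)
    speed_kmh: float                  # latest telemetry from the battery controller
    lat: float
    lon: float
    depot: tuple                      # (lat, lon) of the registered parking location
    driver_ack: bool                  # driver confirmed the pending lock on the vehicle unit

@dataclass(frozen=True)
class Request:
    principal: str      # individual account, never a login shared across a dealer network
    mfa_verified: bool  # step-up authentication completed for this command
    vin: str

GEOFENCE_KM = 0.5  # assumed radius around the depot

def km_between(a, b):
    """Haversine great-circle distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def authorize_immobilise(req, v):
    """Return (allowed, reason). Deny by default; every check must pass."""
    if req.vin != v.vin or req.principal not in v.authorized_principals:
        return False, "principal not bound to this vehicle"
    if not req.mfa_verified:
        return False, "step-up authentication required"
    if v.speed_kmh > 0:  # never cut power to a moving vehicle
        return False, "vehicle in motion"
    in_fence = km_between((v.lat, v.lon), v.depot) <= GEOFENCE_KM
    if not (v.driver_ack or in_fence):
        return False, "no driver consent and outside geofence"
    return True, "ok"

# Constructed sample data: a stationary vehicle parked a few metres from its depot
RICKSHAW = Vehicle("VIN-TEST-0001", frozenset({"financier-17"}), 0.0,
                   28.6139, 77.2090, (28.6140, 77.2091), False)
```

Each denial reason should also be written to an audit log keyed by principal and VIN, so repeated attempts against vehicles an account is not bound to become visible.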