Viral chaos as battery management apps turn smartphones into ‘kill switch’ for e-rickshaws

Viral videos showed a number of people filming themselves approaching e-rickshaws and switching them off mid-journey using a mobile app.

HT downloaded Lossigy from the Google Play Store, located a nearby e-rickshaw, and disabled it with a single tap. (ANI/Representative)

A prank that surfaced in a handful of viral videos this week has spread rapidly across Indian social media, with a growing number of people filming themselves approaching e-rickshaws and switching them off mid-journey using a smartphone app — stranding people in traffic and racking up millions of views on Instagram, YouTube, Reddit and X.

The apps involved, BAT-BMS and Lossigy, exploit a gap common to unsecured lithium-ion battery packs sold in India: Battery Management Systems that connect over Bluetooth with no password protection, turning any nearby smartphone into a kill switch of sorts.

In a test conducted with a driver’s permission, HT downloaded Lossigy from the Google Play Store, located a nearby e-rickshaw, and disabled it with a single tap — a switch that could only be reversed through the app itself, not the vehicle’s own key.

Drivers said the vulnerability has been exploited on-and-off for months but the problem has surged in recent days, coinciding with the surge in viral reels.

Experts say the episode is a stark reminder of how budget equipment can turn into a larger technological threat.

Sunil Kumar, who ferries students near Jamia Millia Islamia, said his e-rickshaw jerked to a stop a few metres from a metro station for the first time roughly six months ago, mid-route with passengers aboard. He initially assumed the battery had run flat; his passengers paid him half fare. It was only when he took the battery in to recharge that he learned it had never actually discharged.

People flag concerns

Charu Rajak, who drives in Okhla, said the same issue has hit his vehicle for five months — but on Thursday, it had surged to over a dozen times in a single day. “I worry that someone will crash into my vehicle from behind mid-traffic,” he said.

Rajak owns his vehicle, has a smartphone and — after his dealer told him about a workaround app — now knows how to restart it remotely when it happens. He said many drivers rent their e-rickshaws for ₹450 a day and have neither a phone nor the knowledge to get moving again when they’re targeted.

Balvinder Singh Sahni, a Uttar Pradesh-based manufacturer with more than 15,000 e-rickshaws operating in Delhi, said the battery systems were never built with passwords because no one anticipated the lack of security would cause disruption at this scale. “They were designed to be accessed by service engineers for maintenance and diagnostics, which is why password protection was not built in,” he said.

The problem, however, seemed to not be universal. E-rickshaws still running on older lead-acid batteries, which have no Bluetooth capability, are unaffected, and even some lithium-powered vehicles use proprietary battery management software that is incompatible with third-party apps such as BAT-BMS and Lossigy — meaning the vulnerability depends heavily on which battery pack and BMS chipset a given vehicle happens to run.

Delhi transport minister Pankaj Singh said his department has been directed to verify the apps and examine the claims. “I am yet to get written complaint but people flagged me this issue in my office. So I have asked to get the correct information on the issue,” he said.

Govt looking into matter

A person aware of the matter said the Union ministry of electronics and IT (Meity) is looking into the matter. The ministry did not respond to a request for comment.

A senior Delhi government official, who asked not to be named, said the apps allow real-time monitoring of battery status — voltage, temperature, current — a legitimate function now “being used mischievously.” The official said many e-rickshaws use Chinese-manufactured battery systems with minimal security, comparable to open Bluetooth settings, making it easy to connect without authentication and cut power.

BAT-BMS, developed by Shenzhen Grenergy Technology Co., appears to have been removed from Apple’s App Store, though it remained available on Google Play at the time of going to print.

A second person aware of the matter said Apple had not pulled the app itself, and that its removal may have followed a wave of user reports.

Grenergy did not respond to HT emails seeking comment. Lossigy remains available on both app stores. Its developer is listed as Shenzhen Ruicheng Technology Co., Ltd, a name HT could not independently verify against Chinese company registries; searches under this and an alternate rendering of the name returned no matching business record.

Cybersecurity experts said the episode reflects a broader failure to secure connected consumer hardware entering India.

“Connectivity features can be exploited if authentication is not implemented correctly,” said Sandeep K. Shukla, director of the International Institute of Information Technology, Hyderabad. “Legal and regulatory vacuum and a lack of guardrails vis-à-vis cybersecurity and consumer protection is a problem,” he said, adding: “It’s not only a Chinese import problem. Any consumer device coming into the country, if not regulated for security, could have such issues.”

Source : https://www.hindustantimes.com/lifestyle/health/chennai-fitness-coach-with-18-years-of-experience-shares-how-to-manage-hunger-while-on-a-calorie-deficit-for-weight-loss-101782994665488.html

Exit mobile version