India's Ministry of Electronics and Information Technology (MeitY) has ordered the removal of three smartphone apps, BAT-BMS, Epoch-i-ion, and Lossigy, from the Google Play Store and Apple App Store after videos and social media posts showed e-rickshaws being remotely shut down through Bluetooth-enabled battery management systems. The order came after the government flagged the apps as security risks that could be misused to disable the vehicles without the driver's knowledge.
IT Secretary S Krishnan confirmed the action at a Confederation of Indian Industry cybersecurity summit on July 3, 2026. "There are a couple of apps which came to our notice yesterday, and both of them have been taken down from the app stores," he said. Krishnan added that the government plans to press app stores to carry out stronger due diligence before allowing potentially harmful applications to remain live. MeitY sources said the matter is still under investigation and under active monitoring.
Despite the directive, at least some of the apps were still available for download on both platforms after the announcement, suggesting enforcement remains incomplete.
How the exploit works
These apps are built to communicate with Bluetooth-enabled battery management systems, or BMS, inside lithium-ion battery packs. Legitimate users such as manufacturers and technicians rely on them to check battery health, monitor charge and discharge rates, diagnose faults, and adjust settings. The problem is that certain versions of these apps also expose a master discharge toggle, a control that can physically cut power to the battery and, by extension, to the entire vehicle.
The core vulnerability is not in the apps alone. According to a Financial Express report, a large share of aftermarket battery packs fitted to e-rickshaws have no default passwords, no authentication layer, and no access controls. That means anyone within Bluetooth range, typically 10 to 15 metres, can pair a phone to the battery using a compatible app and then access firmware-level settings, including the power cutoff. No special skill is required, and no physical contact with the vehicle is needed.
The problem is widespread in India's e-rickshaw segment because many drivers use cheaper third-party battery systems rather than the original equipment supplied by vehicle manufacturers. These aftermarket packs often prioritise low cost over security, leaving a gap that can be exploited through an ordinary smartphone.
Real losses for drivers
The impact on drivers is direct and immediate. Reporting from e-rickshaw clusters in Delhi University's North Campus, near Jamia Millia Islamia, and Sikandarpur in Gurugram found drivers at all three locations who had experienced sudden, unexplained shutdowns.
Asif, who bought his e-rickshaw about a month ago, said his vehicle stopped at a red light while he was heading to a metro station to pick up passengers. He could not restart it and lost a full day of income. Mohanlal described a similar experience: his vehicle cut out while carrying passengers and could not be restarted until bystanders helped him push it off the road. Both drivers, and others at the same locations, said the incidents cost them an entire working day with no earnings.
For daily-wage drivers who depend on every trip, a single forced shutdown is a serious financial setback. It also creates road safety risks when vehicles stop suddenly in traffic.
The episode points to a structural gap in how connected components enter India's fast-growing electric vehicle market. E-rickshaws are a major segment of urban last-mile transport, and most operate with minimal regulatory oversight on the aftermarket parts they use. Bluetooth-enabled BMS units with no access controls represent exactly the kind of cheap, unvetted hardware that can be compromised at scale with minimal effort.
MeitY's move to pull the apps addresses one part of the problem, but it does not fix the underlying hardware. Battery packs already installed on thousands of vehicles remain open to anyone with a phone and Bluetooth range. The more durable fix would require manufacturers and importers of BMS hardware to enforce default password protection and authentication, a step that has not yet been mandated. Krishnan's call for stronger app store due diligence addresses the software distribution channel but leaves the hardware vulnerability intact. What to watch: whether MeitY or the Ministry of Heavy Industries extends the investigation to BMS hardware standards, and whether Google and Apple act faster to remove the flagged apps fully.