Government orders Apple and Google to remove apps that can disable e-rickshaw batteries
The Indian government has directed Apple and Google to remove at least three apps from their app stores, following reports that they were being misused to remotely switch off e-rickshaws, raising cybersecurity and passenger safety concerns.
The directive was issued on Friday after videos circulated on social media showing individuals connecting to nearby e-rickshaws via Bluetooth and disabling their battery management systems (BMS) while the vehicles were in motion. The apps in question are BAT-BMS, Lossigy, and Epoch Li-ion, at least two of which are of Chinese origin.
What is a Battery Management System?
A BMS monitors a battery's performance, aiming to eliminate variations in individual cell performance so that all cells work uniformly. It is critical in electric vehicles (EVs) using large-capacity lithium-ion batteries, extending battery life and ensuring safe operation.
Major BMS vendors include Texas Instruments, NXP Semiconductors, Analog Devices, Infineon Technologies, LG Chem, Panasonic, and Renesas Electronics. Chinese companies such as CATL and BYD are also prominent, along with smaller firms serving the unorganised sector.
The automotive segment accounts for 50% of the BMS market, driven by EV and hybrid vehicle needs. Energy storage systems hold 20%, with players like Navitas Systems and Nuvation Energy.
How the 'Hack' Works
The BAT-BMS app, originally developed by China's Shenzhen Grenergy Technology, is a legitimate tool for Bluetooth-enabled lithium-ion batteries. It allows monitoring of charge, voltage, current, temperature, and overall health, and can control charging and discharging functions. The app connects via Bluetooth Low Energy within about 15 metres.
The security concern arises from low-cost BMS used in some e-rickshaws, which lack adequate password protection or use default credentials. Anyone within Bluetooth range can pair with the battery using compatible apps like BAT-BMS and disable the discharge function, cutting power to the motor and immobilising the vehicle.
Sources say this is not a sophisticated hack but simply exploiting weak security settings. The app only works with batteries that have compatible Bluetooth-enabled BMS hardware.
Many e-rickshaws still use lead-acid batteries, but the problem primarily affects lithium-powered ones with inadequate security. The government's action aims to prevent potential accidents and ensure passenger safety.