Viral prank exposes security flaw that lets smartphones remotely switch off e-rickshaws
A prank that has gone viral across Indian social media has exposed a serious security flaw in thousands of lithium-ion-powered e-rickshaws, allowing anyone with a smartphone app to remotely switch off vehicles in the middle of the road.
Videos circulating on Instagram, YouTube, Reddit and X show people approaching moving e-rickshaws and disabling them using mobile apps such as BAT-BMS and Lossigy, leaving drivers stranded in traffic while filming the reactions for social media.
The apps exploit a weakness found in many Bluetooth-enabled Battery Management Systems (BMS) used in lithium-ion battery packs sold in India. Because many of these systems lack password protection, any nearby smartphone can connect to the battery and, in some cases, remotely shut down the vehicle.
In a test conducted with a driver’s consent, HT downloaded the Lossigy app from the Google Play Store, connected to a nearby e-rickshaw and disabled it with a single tap. The vehicle could not be restarted using its ignition key and had to be reactivated through the app.
Drivers said the vulnerability has existed for months but that such incidents have become far more common in recent days as videos demonstrating the prank have gone viral.
Cybersecurity experts warned that the episode highlights the risks posed by insecure connected devices entering the market without adequate safeguards.
Drivers report growing disruptions
Sunil Kumar, who ferries students near Jamia Millia Islamia, said his e-rickshaw unexpectedly stopped in the middle of a trip about six months ago with passengers on board.
Believing the battery had run out, he accepted only half the fare. It was only later, when he took the battery for charging, that he discovered it had never actually discharged.
Charu Rajak, an e-rickshaw driver in Okhla, said his vehicle has been targeted repeatedly over the past five months. On Thursday alone, he claimed it was remotely switched off more than a dozen times.
“I worry that someone will crash into my vehicle from behind in the middle of traffic,” he said.
Rajak said he now uses a workaround app recommended by his dealer to restart the vehicle remotely. However, many drivers who rent e-rickshaws for around ₹450 a day do not own smartphones or know how to restore power if someone disconnects their vehicle.
Manufacturers acknowledge design gap
Balvinder Singh Sahni, a Uttar Pradesh-based manufacturer with more than 15,000 e-rickshaws operating in Delhi, said the battery systems were designed to allow service engineers to perform maintenance and diagnostics via Bluetooth.
“They were never built with password protection because no one anticipated that unrestricted access would be misused on this scale,” he said.
The vulnerability does not affect every e-rickshaw. Vehicles powered by older lead-acid batteries lack Bluetooth connectivity altogether, while some lithium-ion battery packs use proprietary battery management software that cannot be accessed through third-party apps such as BAT-BMS or Lossigy.
Government begins probe
Delhi Transport Minister Pankaj Singh said the department has been asked to verify the claims and examine the apps involved.
“I have not yet received a written complaint, but people have raised the issue with me. I have asked officials to gather the correct information,” he said.
A person familiar with the matter said the Union Ministry of Electronics and Information Technology (MeitY) is also looking into the issue, though the ministry did not respond to requests for comment.
A senior Delhi government official, speaking on condition of anonymity, said the apps were originally designed to monitor battery health, including voltage, temperature and current, but were now being misused to disconnect vehicles remotely.
The official added that many e-rickshaws rely on Chinese-manufactured battery systems with minimal Bluetooth security, allowing nearby users to connect without authentication.
Apps under scrutiny
BAT-BMS, developed by Shenzhen Grenergy Technology Co., appears to have been removed from Apple’s App Store but remained available on Google Play at the time of publication.
A second person familiar with the matter said Apple had not actively banned the app and that its removal may have followed multiple user reports.
The company did not respond to requests for comment.
Lossigy remains available on both Apple’s App Store and Google Play. Its developer is listed as Shenzhen Ruicheng Technology Co., Ltd., although HT could not independently verify the company’s registration in Chinese corporate records.
Experts call for stronger security standards
Cybersecurity experts said the incident reflects broader weaknesses in the regulation of connected consumer devices.
“Connectivity features can be exploited if authentication is not implemented correctly,” said Sandeep K. Shukla, director of the International Institute of Information Technology, Hyderabad.
“There is a legal and regulatory vacuum when it comes to cybersecurity and consumer protection. This is not only a Chinese import issue. Any connected consumer device entering the country without proper security standards can present similar risks,” he said.
The vulnerability has emerged in a rapidly expanding e-rickshaw market that has grown faster than regulatory oversight. Many vehicles, which typically cost around ₹1.6 lakh, operate without licence plates, while authorities in some areas have previously restricted their movement over safety concerns unrelated to cybersecurity.
Experts say the latest episode underscores the urgent need for mandatory security standards for internet-connected hardware before such vulnerabilities become even more widespread.