Chinese EV Apps Crackdown: Government Orders Removal of BAT-BMS, Lossigy and Epoch-i-ion After Remote E-Rickshaw Shutdown Reports

Published on: 03-07-2026

NEW DELHI – In a major move to protect urban transport infrastructure and data integrity, the Government of India has initiated a swift crackdown on Chinese EV battery apps. The Ministry of Electronics and Information Technology (MeitY) has issued emergency blocking orders for three smartphone applications: BAT-BMS, Lossigy, and Epoch-i-ion (Epoch Li-ion). The high-level directive requires both the Google Play Store and Apple App Store to immediately pull down these applications from their Indian marketplaces. This aggressive regulatory intervention follows a wave of alarming social media videos exposing how unauthorized individuals were using these mobile tools to remotely cut off power to battery-operated e-rickshaws and light commercial electric vehicles (EVs) navigating busy metropolitan roads.

Addressing the media during a specialized cybersecurity summit organized by the Confederation of Indian Industry (CII), Union IT Secretary S. Krishnan confirmed the swift executive action. He stated that the ministry flagged the malicious exploitation within 24 hours of local reports and moved to block public access to the software. Highlighting systemic gaps in mobile digital distribution, the IT Secretary remarked that prominent application store operators must enforce rigorous “due diligence” parameters before hosting diagnostic utilities that interact directly with physical automotive hardware. Moving forward, the Centre plans to establish strict pre-compliance rules to prevent unverified vehicular control apps from entering the domestic consumer ecosystem.

The Trigger: Viral Exploits and Ground-Level Extortion

The regulatory intervention was catalyzed by a viral trend across digital platforms like Instagram Reels, YouTube Shorts, and X (formerly Twitter). Amateurs and pranksters were filmed approaching active commercial e-rickshaws in high-traffic zones of Delhi-NCR, Mumbai, and parts of Uttar Pradesh. By tapping a simple toggle on their smartphones, these individuals could instantly kill the powertrain of an adjacent EV. The targeted vehicles would grind to a sudden halt amidst moving traffic, leaving drivers confused and stranded.

While initially broadcast as lighthearted social media pranks, the phenomenon rapidly devolved into an infrastructure security hazard. Ground reports from transit hubs in Noida and West Delhi revealed that bad actors began using these apps for micro-extortion, disabling low-income drivers’ vehicles in crowded intersections and demanding cash payments ranging from ₹100 to ₹200 to restore battery connectivity. Recognizing the immediate risk of multi-vehicle pileups and the economic victimization of gig-economy motorists, cyber units and transport authorities urged the union government to step in under national safety protocols.

Technical Anatomy: How the Remote ‘Kill Switch’ Was Exploited

Illustration explaining Battery Management System inside an electric vehicle battery

The underlying vulnerability behind this disruption does not stem from a sophisticated server-side cyberattack, but rather from a massive structural loophole found in cheap, unbranded Lithium-Ion battery packs imported into India. The flagship target of this crackdown, the BAT-BMS application, was originally engineered by Shenzhen Grenergy Technology Co., Ltd. in China. The app was built as a legitimate utility meant for commercial mechanics to monitor battery health metrics, including cell voltage, operational temperatures, and charge cycles.

The exploit relies on Bluetooth Low Energy (BLE), which has an effective wireless range of roughly 10 to 15 meters. To cut manufacturing costs, several low-tier Chinese electronics suppliers configured their Battery Management Systems (BMS) with Bluetooth modules that remain permanently active without any cryptographic authentication or custom password layers. Consequently, any smartphone running BAT-BMS or Lossigy within a 15-meter perimeter could instantly pair with the vehicle’s battery pack without the driver’s consent. Once connected, users could manipulate the app’s integrated ‘Discharge Switch’ parameter. Activating this toggle cuts the internal circuit breaker, instantly severing the electricity supply from the battery cells to the vehicle’s electric motor. The vehicle remains completely immobilized until the same app issues a reconnect command.

Operational Implications for India’s Last-Mile Mobility Network

E-rickshaws serve as the absolute backbone of last-mile transit connectivity across Tier-1 and Tier-2 Indian cities, acting as a crucial feeder network for regional metro systems and bus terminals. The vast majority of operators are independent daily-wage earners who secure these vehicles via high-interest microloans or daily rental agreements.

The unpredictable app-driven shutdowns injected a widespread sense of anxiety into this informal transport sector. Hundreds of drivers reported spending money at local repair shops trying to diagnose what they assumed were intermittent physical wiring faults or defective motors. While the software ban will drastically reduce the accessibility of these tools for everyday pranksters, automotive engineers stress that software blocking is a temporary patch. The ultimate resolution requires physical security updates across the hardware manufacturing chain to prevent unencrypted wireless discovery.

Mitigation: How EV Drivers and Fleet Owners Can Secure Vehicles

Until the restricted apps are entirely scrubbed from independent internet archives, operators can shield their assets by following specific diagnostic and hardware steps outlined by automotive cybersecurity experts:

  1. Immunity of Conventional Lead-Acid Systems: Fleet operators utilizing older, heavy Lead-Acid battery configurations are completely unaffected by this vulnerability. These classic battery configurations do not contain microcontrollers or wireless chipsets, making them physically impossible to manipulate via smartphone signals.
  2. Mandatory Configuration of Custom Passwords: For owners using modern Lithium-Ion modules equipped with Bluetooth functionality, it is vital to open the official vendor diagnostic app immediately. Users must navigate directly to ‘Parameter Settings’ and overwrite the manufacturer’s default factory password (often set generically to 000000 or 123456) with a unique security PIN.
  3. Physical Disconnection of BLE Antennas: If real-time mobile app tracking is not required for daily fleet operations, owners can instruct a qualified EV technician to physically desolder or disconnect the internal Bluetooth antenna trace from the BMS board. This permanently isolates the vehicle from external wireless intrusion while keeping core battery operations intact.

What Has Been Reported So Far?

According to reports that prompted the government’s action, some individuals allegedly used certain applications to connect with compatible battery systems in nearby e-rickshaws. Investigators are examining whether the applications could send commands that temporarily interrupted battery output or disabled battery discharge on compatible systems.

It is important to note that authorities have not stated that every electric vehicle, every battery brand or every Battery Management System was vulnerable. Likewise, there has been no official confirmation that all reported incidents occurred in the same technical manner. The investigation is focused on specific combinations of battery hardware and software that may have lacked adequate access controls.

This distinction is important because the majority of electric vehicles use different battery systems, different communication protocols and different security mechanisms.

Remote Shutdown: What Does It Mean?

Smartphone communicating with an EV battery using Bluetooth

One of the terms frequently used in reports is “remote shutdown.” In practical terms, this does not necessarily mean that someone sitting hundreds of kilometres away could stop any vehicle at will. The reports under investigation primarily relate to nearby wireless communication through Bluetooth. Bluetooth operates only within a limited range, usually a few metres to a few dozen metres depending on the device and surrounding conditions.

Authorities have not announced evidence of nationwide remote control over internet-connected vehicles. Instead, the concern is that a person standing close enough to a compatible vehicle may have been able to establish an unauthorised Bluetooth connection if proper authentication was absent. Cybersecurity experts say this is a very different scenario from hacking vehicles over the internet.

Why Authentication Matters

Every connected electronic device requires proper authentication. Before any smartphone is allowed to control a battery system, the software should verify that the user is authorised. This is normally achieved through secure pairing, passwords, encryption, digital certificates or manufacturer-issued credentials.

If these safeguards are missing or poorly implemented, unauthorised users may attempt to connect to compatible devices. Strong authentication significantly reduces this risk and is considered one of the most important security features for connected vehicles. Industry experts say manufacturers should also regularly release firmware updates to fix newly discovered vulnerabilities.
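What the missing check looks like, as an added example (not code from any app, vendor or firmware named in this article): a toy model of the BMS side that obeys any client when no key is provisioned and, once a per-pack key is set, accepts a discharge command only with an HMAC over a fresh single-use nonce. The class, command names and key provisioning are assumptions for illustration; no Bluetooth traffic is involved.

```python
import hashlib
import hmac
import secrets

# Hypothetical command names; real BMS firmware defines its own.
CMD_DISCHARGE_OFF = b"DISCHARGE_OFF"
CMD_DISCHARGE_ON = b"DISCHARGE_ON"


class BmsCommandGate:
    """Toy model of the BMS end of a control link."""

    def __init__(self, pack_key=None):
        self.pack_key = pack_key          # None models a pack with no authentication
        self.discharge_enabled = True
        self._nonce = None

    def new_challenge(self):
        """Issue a fresh nonce that authorises at most one command."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def handle(self, command, tag=b""):
        """Apply a command and return True only if it was accepted."""
        if command not in (CMD_DISCHARGE_OFF, CMD_DISCHARGE_ON):
            return False
        if self.pack_key is not None:
            if self._nonce is None:       # no outstanding challenge: replay or skipped step
                return False
            nonce, self._nonce = self._nonce, None   # consume the nonce, pass or fail
            expected = hmac.new(self.pack_key, nonce + command, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, tag):
                return False              # state unchanged: the vehicle keeps running
        self.discharge_enabled = (command == CMD_DISCHARGE_ON)
        return True


def sign_command(pack_key, nonce, command):
    """Owner-app side: bind the command to the BMS nonce with the pack key."""
    return hmac.new(pack_key, nonce + command, hashlib.sha256).digest()


def demo():
    """Run the constructed scenarios and return each outcome."""
    results = {}
    # Pack shipped without authentication: an unknown client is obeyed.
    open_pack = BmsCommandGate(pack_key=None)
    results["open_accepts_stranger"] = open_pack.handle(CMD_DISCHARGE_OFF)

    # Pack provisioned with a random per-pack key shared with the owner's app.
    key = secrets.token_bytes(32)
    pack = BmsCommandGate(pack_key=key)
    pack.new_challenge()
    results["stranger_rejected"] = pack.handle(CMD_DISCHARGE_OFF, b"\x00" * 32)
    results["still_powered"] = pack.discharge_enabled

    nonce = pack.new_challenge()
    tag = sign_command(key, nonce, CMD_DISCHARGE_OFF)
    results["owner_accepted"] = pack.handle(CMD_DISCHARGE_OFF, tag)
    results["replay_rejected"] = pack.handle(CMD_DISCHARGE_OFF, tag)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

A rejected command leaves the discharge state untouched, so a failed or forged request never stops the vehicle.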

Cybersecurity Risks in Connected Vehicles

Digital cybersecurity shield protecting a connected electric vehicle

The incident has highlighted a broader issue facing the global automobile industry. Today’s electric vehicles are increasingly software-driven. Many modern EVs include wireless communication, cloud services, GPS, mobile applications and over-the-air software updates. These features improve convenience, diagnostics and maintenance, but they also expand the number of potential entry points that cybercriminals may attempt to exploit.

International automotive cybersecurity standards therefore recommend a “security-by-design” approach, where cybersecurity protections are integrated during product development rather than added later. Experts say manufacturers should perform regular penetration testing, software audits and vulnerability assessments before releasing connected products to the market.

Impact on Drivers

For thousands of e-rickshaw drivers across India, the reports have raised understandable concerns. Many drivers rely entirely on their electric vehicles for daily income. Even a temporary interruption during operating hours can result in lost earnings, inconvenience to passengers and delays in local transport services.

Industry representatives have advised drivers not to download unofficial battery applications and to use only software recommended by the battery or vehicle manufacturer. Drivers are also encouraged to keep battery firmware updated whenever official updates become available through authorised service centres.

Government Focus Expands Beyond One Incident

Officials have indicated that the current investigation is not limited to the three identified applications. Authorities are expected to examine whether similar software exists on other platforms and whether additional safeguards are needed for connected mobility products sold in India.

The case may also encourage regulators to introduce stronger cybersecurity expectations for battery manufacturers, software developers and connected vehicle suppliers. As India’s electric vehicle market continues to grow, cybersecurity is increasingly being viewed as an important component of road safety, consumer protection and critical digital infrastructure.

Industry Begins Reviewing Security Practices

Several battery manufacturers and EV companies are understood to be reviewing their Bluetooth security architecture and application permissions following the government’s action. Although no nationwide technical advisory has yet required changes across all electric vehicles, cybersecurity professionals believe the incident will accelerate discussions on stronger authentication, encrypted communications and secure software development for connected battery systems.

Manufacturers are also expected to place greater emphasis on software testing before launching future connected products.

Investigation Still Underway

Government agencies have not released a final technical investigation report. At this stage, authorities have confirmed action against the identified applications and continue to examine how compatible battery systems may have been affected.

No official findings have concluded that all EVs were vulnerable, that a large-scale cyberattack occurred or that any foreign government directed the reported incidents. Until the investigation is completed, the focus remains on verified evidence, strengthening cybersecurity standards and protecting public safety in India’s rapidly growing electric mobility sector.

Impact on India’s Fast-Growing EV Industry

India is one of the world’s fastest-growing electric vehicle markets. Government incentives under schemes such as FAME, state EV policies and increasing fuel costs have encouraged the adoption of electric two-wheelers, three-wheelers and commercial EVs. Among these, battery-operated e-rickshaws have become the backbone of last-mile connectivity in many cities and towns. They provide affordable transport for millions of passengers while supporting the livelihoods of a large number of drivers.

The reported misuse of battery management applications has therefore raised concerns beyond cybersecurity. Industry observers believe consumer confidence in connected electric vehicles depends not only on battery performance and charging infrastructure but also on the security of the software that controls these systems. Experts say that incidents involving connected devices often become an opportunity for manufacturers to improve security standards rather than a reason to lose confidence in the technology itself. Modern electric vehicles already include multiple electronic safety systems, and stronger cybersecurity measures can further improve their reliability.

What Could Change After the Investigation?

Although the government has not yet announced a comprehensive regulatory framework specifically for Battery Management System applications, the current investigation is expected to encourage greater attention to cybersecurity throughout the EV supply chain. Industry specialists believe manufacturers may increasingly adopt measures such as stronger Bluetooth authentication, encrypted communication between smartphones and battery systems, digitally signed firmware updates, stricter access controls, regular software security testing and faster security updates whenever vulnerabilities are identified.

Battery manufacturers may also provide clearer guidance to consumers about downloading only official applications and keeping firmware updated through authorised service centres.

Legal Framework in India

The reported action against the applications is taking place within India’s existing legal and regulatory framework governing digital platforms and cybersecurity.

Industry Response

Cybersecurity professionals have welcomed increased attention to connected vehicle security while also cautioning against unnecessary alarm. Several experts have emphasised that Battery Management System applications are widely used across the global electric vehicle industry for legitimate purposes such as battery monitoring, diagnostics and maintenance.

The concern in the present case is not the existence of such applications but whether adequate security controls were implemented to prevent unauthorised access. Industry bodies have also encouraged manufacturers to strengthen product security during the design stage rather than relying solely on updates after products reach the market.

Advice for EV Owners

Cybersecurity specialists recommend that EV owners follow a few basic digital safety practices. Download battery management applications only from official sources recommended by the vehicle or battery manufacturer. Keep both the application and the battery firmware updated whenever official updates are released. Avoid installing unofficial or modified software. If unusual battery behaviour is noticed, contact an authorised service centre instead of attempting unofficial repairs.

These general precautions apply to connected electronic devices across many industries and are considered good cybersecurity practices.

Conclusion

The government’s decision to remove BAT-BMS, Lossigy and Epoch-i-ion marks an important development in India’s approach to cybersecurity within the electric mobility sector. Based on verified information currently available, authorities acted after reports that the applications were allegedly being misused to interfere with the operation of certain compatible battery systems used in battery-operated vehicles.

The investigation is still ongoing. No official report has concluded that every electric vehicle was affected, that all Battery Management Systems were vulnerable or that a nationwide cyberattack occurred. Nevertheless, the incident has highlighted an important lesson for India’s rapidly expanding EV ecosystem: software security is now an essential part of vehicle safety. As connected vehicles become more common, cybersecurity will increasingly influence consumer trust, public safety and the long-term growth of India’s electric mobility sector.

Frequently Asked Questions (FAQs)

Why did the Indian government order the removal of BAT-BMS, Lossigy and Epoch-i-ion?

The government acted after reports that these applications were allegedly being misused to remotely interfere with compatible battery-operated e-rickshaws. Authorities considered the matter important because of its potential impact on public safety and cybersecurity. The investigation is still continuing.

Are all electric vehicles affected?

No. There is no official confirmation that all electric vehicles or all Battery Management Systems are vulnerable. The investigation relates to specific applications and reportedly compatible battery systems.

Which specific mobile applications have been banned by the Indian government?

The Ministry of Electronics and Information Technology (MeitY) has specifically targeted three Chinese-origin battery monitoring utilities: BAT-BMS, Lossigy, and Epoch-i-ion. These platforms are being purged from all legal app marketplaces operational within India.

Can these banned applications disable every electric vehicle on Indian roads?

No. These tools cannot interfere with mainstream passenger electric cars or high-end electric two-wheelers built by established manufacturers. They exclusively impact low-cost e-rickshaws, customized e-bikes, and small commercial transport vehicles utilizing unbranded, imported Chinese battery packs configured with unsecured Bluetooth modules.

Does this incident qualify as a state-sponsored foreign cyberattack against India?

There is currently no administrative or intelligence data suggesting that this was a coordinated cyber warfare campaign orchestrated by a foreign government. The disruption was driven by localized misuse of public diagnostic tools for social media pranks and low-level financial extortion. However, the systemic vulnerability itself is treated as a major national security loophole.

How does the IT Act 2021 handle apps that cause physical public safety hazards?

Under the IT Rules 2021, the union government is empowered to issue rapid, non-discretionary blocking orders to internet intermediaries if a piece of software or digital media directly compromises public safety, threatens municipal order, or exposes critical transport systems to malicious manipulation.

What should an e-rickshaw owner do if their vehicle keeps shutting down mysteriously?

The owner should immediately visit an authorized battery service center to verify if their lithium battery uses a wireless BMS. If a Bluetooth signal is detected, the technician must configure a custom access password or physically isolate the wireless receiver chip to block unauthorized pairings.

What is a Battery Management System (BMS)?

A Battery Management System is an electronic controller that monitors and protects a lithium-ion battery. It checks battery voltage, temperature, charging, discharging and overall battery health to ensure safe operation.

Can any smartphone stop an electric vehicle?

There is no official evidence that any smartphone can stop any electric vehicle. Authorities are examining reports involving particular applications and compatible battery systems.
