The videos moved fast this week: an e-rickshaw rolling through traffic suddenly cuts dead, the driver climbing off to shove it to the roadside while passengers wait. The Free Press Journal traced the cause to a Bluetooth-enabled battery management app that can connect to certain e-rickshaws and electric scooters within roughly 10 to 15 metres and trigger their power cutoff switch, because the battery packs lack proper authentication or password protection. The government moved within a day: MeitY Secretary S Krishnan told reporters on July 3, 2026 that two apps, BAT-BMS and Epoch Li-ion, had come to the ministry's notice and both had already been pulled from the app stores. BAT-BMS itself was built by a Chinese company, Shenzhen Grenergy Technology, as an ordinary battery-monitoring companion app: the "hack" was never anything more than that same legitimate app pointed at a battery its owner never paired it to. Read only that far, and this looks like a clean story: a prank app surfaced, the government acted, the apps are gone.

It is worth slowing down on that. A takedown removes a listing from the Google Play Store and the App Store. It does not touch a single one of the batteries already sitting under India's e-rickshaw seats, unpatched and still listening for any Bluetooth device that asks to connect.

What the app actually broke

Nothing was hacked in the sense of forcing entry through a defence. The battery management systems on these low-cost e-rickshaws exposed an open Bluetooth pairing with no password, so the app, or anything built like it, could connect from about 10 to 15 metres and flip the power switch. That is the entire mechanism. No credentials to steal and no firmware to crack: just an unlocked door with a doorbell anyone in range could press.

The battery's Bluetooth link had no password to begin with.

The consequences for drivers were immediate and specific. The Tribune reported that one Delhi e-rickshaw driver, on a rented vehicle, lost roughly ₹400 to 500 in earnings after his ride was stalled mid-route by a stranger using the app, and broke down once he realised it. In another widely covered case, a driver pushed his stalled e-rickshaw more than three kilometres and still lost his entire day's earnings. Neither driver did anything wrong, and both lost a working day to someone's phone.

A ban that reaches the app store, not the road

MeitY's response, pulling BAT-BMS and Epoch Li-ion from both app stores within a day of the issue surfacing, is a genuinely fast institutional reaction. It is also a narrow one, stopping new downloads on Android and iOS while leaving untouched a copy already installed on someone's phone, a sideloaded APK, or the dozens of near-identical apps a Bluetooth developer could publish this week under a different name, because the vulnerability is in the battery's firmware, not in any single app's code.

The law already treats this conduct as a crime. Section 43 of the IT Act makes it an offence to access or secure access to a computer resource without the owner's permission, and Section 66 makes doing that act dishonestly or fraudulently punishable with up to three years in prison or a fine of up to five lakh rupees, or both. None of that helps catch a stranger who connects from a moving car, disables a rickshaw, and is gone before the driver has finished pushing it to the kerb.

The fleet the fix can't see

The deeper problem is scale, and it predates this week's viral clips by years. An ITDP estimate from November 2021 put India's e-rickshaw fleet at roughly 15 lakh vehicles, of which only about 1.5 lakh, one in ten, were formally registered. Unorganized manufacturers and financiers were adding nearly 10,000 new e-rickshaws to the road every month against 1,500 to 2,000 by organized OEMs. That is the fleet a Play Store takedown cannot touch: vehicles that were never registered in the first place, running batteries from suppliers no regulator ever inspected.

Bar chart showing 1.5 lakh registered e-rickshaws against a total estimated fleet of 15 lakh in India, a 2021 ITDP estimate.

This is not a fringe segment of India's vehicle market: e-rickshaws belong to the electric three-wheeler class, and India accounted for 57 percent of its global sales in 2024, more than the rest of the world combined.

Bar chart comparing India's 57 percent share of global electric three-wheeler sales in 2024 against 43 percent for the rest of the world combined.

A market that large, riding mostly on unregistered vehicles and aftermarket batteries nobody vetted for basic authentication, was always going to produce a story like this one. The surprise is only that it took this long.

RegisteredTotal fleet
E-rickshaws on Indian roads~1.5 lakh~15 lakh
New e-rickshaws added per month1,500 to 2,000 (organized OEMs)~10,000 (unorganized sector)

Figures per a 2021 ITDP estimate. The unorganized sector alone adds roughly five times as many vehicles a month as organized manufacturers.

The honest objection

The strongest case for treating this as already handled is that the government reacted fast and the law already criminalizes the conduct. A same-day app takedown is not bureaucratic foot-dragging, and Section 66 carries a real custodial penalty, not a token fine. On that reading, the system worked exactly as it should: a novel abuse surfaced, the platform response was swift, and any remaining risk is a policing problem rather than a policy gap.

That case holds for this specific app, but not for the vulnerability. A criminal statute deters a person who can be identified and traced; it does very little against an anonymous Bluetooth connection made from a passing vehicle and severed in seconds. It is not even a case of no rules existing: India already mandates a battery-safety standard, AIS-156, for the L-category vehicles e-rickshaws belong to. The standard was amended and phased in from October 2022 to cover battery cells, the battery management system, on-board chargers, and fire risk from thermal propagation. None of that certification touches Bluetooth pairing or authentication: the standard was written for batteries that catch fire, not batteries that take orders from a stranger's phone. And an app-store takedown only ever governs the distribution channel it is issued to. It cannot reach a battery pack already installed with no password, a fleet where nine in ten vehicles were never registered to any authority that could recall or inspect them, or an unorganized supply chain adding thousands of new unvetted units to the road every month. The app was the messenger. The batteries were always exposed.

The Signal

MeitY's takedown, pulling two named apps from two app stores within a day, fixed the version of this problem that made headlines this week. It did not fix the version that will resurface, because that version was never about an app. It is about a fleet of roughly 15 lakh vehicles, nine in ten of them unregistered, running battery hardware built by an unorganized supply chain that was never asked to authenticate a Bluetooth connection to begin with. Watch what happens next: if regulators move to mandate authentication at the battery-management-system level, the fix reaches the actual vulnerability. Stop at app-store removals instead, and the next prank app, or the next person who simply codes their own, will work exactly as well as this one did.

Reporting basis: the app takedown and MeitY's account are per ETV Bharat's report of Secretary S Krishnan's on-record remarks. The technical mechanism, the Bluetooth range, and the lack of password protection are per the Free Press Journal's reporting. The Delhi driver's earnings loss is per The Tribune, citing an ANI-carried eyewitness account. The three-kilometre push incident is per India TV News. The e-rickshaw fleet size, registration share, and monthly build-out figures are from the Institute for Transportation and Development Policy's 2021 report on e-rickshaws in India. India's share of global electric three-wheeler sales is from the International Council on Clean Transportation's COP30 progress report. The IT Act provisions are the statutory text via India Code. BAT-BMS's developer is per Outlook India's reporting. The AIS-156 battery-safety amendments are per a Press Information Bureau release from the Ministry of Road Transport and Highways. The rest-of-world sales share is The Signal's calculation from the ICCT figure.