Remote Kill Switch Flaw Prompts India to Ban Three E-Rickshaw Apps

Three mobile apps that allowed unauthorized users to remotely disable moving e-rickshaws have been banned by Indian authorities after videos showed them being used to stop vehicles mid-journey.

CSBadmin

Apps Exploited for Remote Shutdown

The Indian government has ordered Google and Apple to remove three mobile applications, BAT-BMS, Lossigy, and Epoch-i-ion, from their app stores following reports that the apps were being misused to remotely disable e-rickshaws and other battery-powered three-wheelers while they were in motion. Authorities have warned that additional apps with similar remote kill functionality could face the same ban. The order comes after viral videos showed individuals locating nearby e-rickshaws through connected battery management systems and switching them off with a single tap, sometimes with passengers aboard.

Design Flaws and Safety Risks

The applications were originally designed as legitimate Battery Management System (BMS) tools, enabling fleet operators and vehicle owners to monitor battery levels, track location, and remotely immobilize vehicles in cases of loan default or theft. However, the remote kill switch capability was exploited by unauthorized actors, including rival financiers and pranksters, to disable vehicles belonging to other operators. The apps maintained a persistent API or Bluetooth link between the e-rickshaw’s battery controller and the app’s backend, allowing anyone with access credentials to send a shutdown command remotely. Security researchers have long warned that IoT-enabled kill switches in low-cost electric vehicles are particularly vulnerable, as manufacturers often prioritize cost and functionality over robust access control, making credential leakage a simple attack vector.

Government Response and Recommendations

India has invoked Section 69A of the Information Technology Act to block the applications, a legal framework previously used in the 2020 ban of 59 apps over security concerns. State and central cyber units formally notified Google and Apple to remove the non-compliant apps from their platforms. The incident highlights a growing concern around remote disablement features in affordable electric vehicles across India’s booming e-rickshaw and last-mile mobility sector. As BMS vendors race to add remote lock and anti-theft features, weak authentication can transform safety features into attack surfaces. Fleet operators are advised to enforce multi-factor authentication for remote disablement commands, implement geofencing and speed-based lockouts, maintain audit logs with verified device ownership, and conduct third-party security audits of BMS backend APIs before public release.
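One way a BMS backend could gate a remote-disable request along the lines of these recommendations, as an added illustration that is not code from the banned apps or from the source article. All names and thresholds are assumptions, as is the reading of geofencing as "locking is only permitted inside an operator-defined zone".

```python
import math, time
from dataclasses import dataclass
from typing import Optional

# Constructed policy values and names; assumptions, not taken from any real BMS backend.
MFA_MAX_AGE_S = 120      # MFA proof must be this fresh
MOVING_KMH = 1.0         # above this the vehicle counts as in motion
AUDIT_LOG = []           # stand-in for an append-only audit store

@dataclass
class Vehicle:
    vehicle_id: str
    owner_ids: frozenset  # accounts with verified ownership of this vehicle
    speed_kmh: float      # latest telemetry
    lat: float
    lon: float
    zone: tuple           # (lat, lon, radius_km) where locking is permitted

def km_between(lat1, lon1, lat2, lon2):
    """Haversine great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def authorize_immobilize(user_id, mfa_at: Optional[float], v: Vehicle, now=None):
    """Return a decision string and record it, whatever the outcome."""
    now = time.time() if now is None else now
    zlat, zlon, zr = v.zone
    if user_id not in v.owner_ids:
        decision = "deny:not_verified_owner"
    elif mfa_at is None or not (0 <= now - mfa_at <= MFA_MAX_AGE_S):
        decision = "deny:mfa_required"       # missing, stale or future-dated proof
    elif v.speed_kmh > MOVING_KMH:
        decision = "defer:vehicle_in_motion"  # never cut power mid-journey
    elif km_between(v.lat, v.lon, zlat, zlon) > zr:
        decision = "deny:outside_geofence"
    else:
        decision = "allow"
    AUDIT_LOG.append({"ts": now, "user": user_id, "vehicle": v.vehicle_id,
                      "speed_kmh": v.speed_kmh, "decision": decision})
    return decision
```

Denied and deferred requests are logged as well as allowed ones, so repeated attempts against vehicles an account does not own show up in the audit trail.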

Source: Cyber Security News
