A prank featured in a number of viral videos this week has spread rapidly across Indian social media, with a growing number of people filming themselves approaching e-rickshaws and stopping them mid-ride using a smartphone app, leaving people stranded in traffic and garnering millions of views on Instagram, YouTube, Reddit and X.

The two apps in question, BAT-BMS and Lossigy, exploit a common vulnerability in unsafe lithium-ion battery packs sold in India: battery management systems that connect via Bluetooth without password protection, turning any nearby smartphone into a kill switch of sorts.
In a test conducted with the driver’s permission, HT downloaded Lossigy from the Google Play Store, located a nearby e-rickshaw, and disabled it with a single tap — a switch that can only be reversed by the app itself, not the vehicle’s own key.
Drivers said that the vulnerability had been exploited intermittently for several months, but the problem had worsened in recent days, coinciding with an increase in the number of viral reels.
Experts say this incident is a stark reminder of how budget equipment can become a bigger technological threat.
Sunil Kumar, who transports students near Jamia Millia Islamia University, said his electric rickshaw stopped a few meters from a metro station for the first time in nearly six months, in the middle of the road with passengers on board. He initially assumed the battery was dead; His passengers paid him half the fare. It was only when he took the battery to recharge that he learned it had never actually discharged.
People science fears
Charu Rajak, who drives in Okhla, said the same problem had been plaguing his car for five months – but on Thursday, it had increased to more than a dozen times in a single day. “I’m worried someone will hit my car from behind in the middle of traffic,” he said.
Rajak owns his car, he has a smartphone, and — after his agent told him about an alternative app — he now knows how to restart it remotely when this happens. He said many drivers rent their own e-rickshaws $$450 a day and they have neither a phone nor the knowledge to move again when they are targeted.
Balvinder Singh Sahni, an Uttar Pradesh-based manufacturer with more than 15,000 e-rickshaws operating in Delhi, said battery systems were never manufactured with passwords because no one expected the lack of security to lead to disruption on this scale. “They are designed so that service engineers can access them for maintenance and diagnostics, which is why password protection is not included,” he said.
However, it seems that the problem is not universal. E-rickshaws still run on older lead-acid batteries, which do not have Bluetooth capability, are not affected, and even some lithium-powered vehicles use proprietary battery management software that is not compatible with third-party apps like BAT-BMS and Lossigy – meaning the vulnerability is highly dependent on which battery pack and BMS chips are running in a particular vehicle.
Delhi Transport Minister Pankaj Singh said his ministry has been directed to verify applications and examine the claims. “I have not received a written complaint yet, but people informed me about this problem in my office. So I asked to get the correct information about this issue,” he said.
The government is looking into the matter
The Union Ministry of Electronics and Information Technology (MITI) is looking into the matter, a person familiar with the matter said. The ministry did not respond to a request for comment.
A senior Delhi government official, who requested anonymity, said the apps allow real-time monitoring of battery status – voltage, temperature, current – a legitimate function that is now being “used maliciously”. The official said many e-rickshaws use Chinese-made battery systems with minimal security, compared to open Bluetooth setups, making it easy to connect without authentication and power outages.
BAT-BMS, developed by Shenzhen Greenergy Technology Co., appears to have been removed from Apple’s App Store, although it remained available on Google Play at press time.
Another person familiar with the matter said that Apple did not pull the app itself, and that its removal may have come after a wave of user reports.
Greenergy did not respond to HT’s emails seeking comment. Lossigy remains available on both app stores. Its developer is listed as Shenzhen Ruicheng Technology Co., Ltd, a name that HT has been unable to independently verify through Chinese corporate records; Searches under this and the alternate name display returned no matching business record.
Cybersecurity experts said the incident reflects a broader failure to secure connected consumer devices entering India.
Sandeep K said: “Communication features can be exploited if authentication is not implemented properly,” said Shukla, director of the International Institute of Information Technology in Hyderabad. “The legal and regulatory void and lack of guardrails in terms of cybersecurity and consumer protection is a problem,” he said, adding: “It is not just a Chinese import problem. Any consumer device that comes into the country, if it is not regulated for security, can face such issues.”
This vulnerability has come to light in a market that has expanded largely unchecked. E-rickshaws sell for approx $1.6 lakh and often operate without license plates, according to Rajak.
Traffic police in some areas have banned them entirely under previous orders and notices, reflecting old complaints about unsafe driving that predated the current unrest. The sector’s rapid growth — a surge in demand for low-cost, last-mile transportation and the cheap supply that has rushed to meet it — has outstripped regulatory scrutiny of key components of vehicles.

