Indian ‘pranksters’ are using a Chinese app to shut down e-rickshaws mid-ride
Indian Pranksters Exploit Chinese App to Halt E-Rickshaws Mid-Journey
Indian pranksters are using a Chinese - In recent weeks, a growing trend of digital mischief has captured attention across Indian cities, with pranksters leveraging a Chinese-developed app to disable electric rickshaws during operation. The exploit, dubbed "tirri control," has led to vehicles abruptly stopping in busy traffic, leaving drivers stranded and passengers in disarray. Social media platforms have become the stage for these incidents, where videos of e-rickshaw operators scrambling to restart their vehicles after being targeted by remote power cuts have spread rapidly, raising questions about the security of India’s budget electric transport fleet.
The Prank in Action
The technique involves connecting a smartphone to an e-rickshaw’s lithium battery via Bluetooth, a process made simple by the app BAT-BMS. Once linked, users can activate a "discharge switch" feature, originally designed to safely power down batteries during maintenance. This function, now repurposed, allows individuals to cut off the vehicle’s motor mid-ride, causing it to halt suddenly. In some cases, pranksters have even recorded themselves performing the act, sharing the footage online to entertain viewers or mock drivers for their alleged rule violations.
Many of these videos depict drivers stranded on crowded streets, with some resorting to paying nearby pedestrians to restart their vehicles. The fee typically ranges from 100 to 200 rupees (approximately 95p to £1.90), a small sum for those seeking a quick fix. While the act is amusing to some, it poses a serious threat to public safety, particularly in areas where e-rickshaws are a primary mode of transport.
How the Exploit Works
BAT-BMS, developed by Shenzhen Grenergy Technology, is a battery management system (BMS) designed to monitor lithium batteries in electric vehicles. Its capabilities include tracking charge levels, voltage, and temperature, as well as providing alerts to prevent overcharging or deep discharging. However, the app’s security features are minimal, leaving it vulnerable to misuse. This weakness is especially pronounced in budget e-rickshaws, which often use unsecured BMS units with no password or authentication required to access their functions.
Pranksters exploit this by positioning themselves within 10 to 15 meters of an e-rickshaw and connecting to its Bluetooth system. Once connected, they can toggle the discharge switch to shut down the vehicle’s motor. The process is quick and efficient, but the consequences can be chaotic. Drivers are left to navigate traffic with no power, forcing them to push or drag their vehicles to safety. Some have even reported losing wages due to the disruption caused by these sudden stops.
“The vulnerability highlights a critical oversight in the design of these systems,” said Abhishek Bhatnagar, a tech content creator who detailed the issue on X (formerly Twitter) in Hindi. “Dealers and manufacturers must configure passwords on battery management systems before delivering vehicles to customers. Otherwise, anyone with a smartphone and basic technical knowledge can take control of an e-rickshaw and leave it motionless in traffic.”
Security Gaps and Technical Challenges
While the prank appears straightforward in videos, replicating it in real life requires more effort. Pranksters must be close enough to the vehicle to establish a Bluetooth connection, stationary to maintain the link, and lucky enough to find an unsecured BMS unit. This has led some to argue that the simplicity of the app’s interface belies the complexity of its misuse. For instance, not all drivers own smartphones, and those who do may lack the knowledge to navigate the app’s settings. Additionally, many BMS units are programmed entirely in Chinese, further complicating the issue for non-English-speaking users.
The exploit primarily targets e-rickshaws with lithium batteries, as opposed to those using lead-acid batteries. The latter, still common in India, are unaffected due to their proprietary software and password-protected systems. This distinction underscores a broader problem in the adoption of cost-effective components. While lithium batteries offer advantages in efficiency and performance, their reliance on unsecured BMS units creates a risk that has now been weaponized by pranksters.
Industry and Regulatory Reactions
Experts and industry stakeholders have called for urgent action to address the security flaw. Some suggest that manufacturers should integrate more robust authentication protocols, ensuring that only authorized users can access critical functions. Others argue that regulatory bodies should mandate password protection as a standard feature in all BMS systems. These measures could prevent unauthorized access and reduce the potential for digital mischief.
Delhi has recently taken a proactive stance by finalizing a policy to issue new license plates exclusively to electric three-wheelers starting in 2027. This move effectively requires a transition to e-rickshaws across the city, emphasizing the role of these vehicles in India’s transportation landscape. However, the majority of existing e-rickshaws on Indian roads are budget models, which rely on low-cost components—many of which are manufactured in China. This has made them particularly susceptible to the kind of exploitation revealed by the viral trend.
The Ministry of Electronics and Information Technology has initiated an investigation into BAT-BMS, focusing on potential cybersecurity threats and public safety concerns. Despite the scrutiny, the app remains available on Google Play, while it has been removed from Apple’s App Store. This discrepancy raises questions about the extent of the security risk and the urgency of addressing it. For now, the app continues to serve its intended purpose as a monitoring tool, but its misuse has exposed a flaw that could have far-reaching implications.
A Broader Implication for E-Mobility
The trend highlights a growing concern about the security of India’s rapidly expanding e-mobility sector. As more cities adopt electric vehicles to reduce pollution and congestion, the reliance on unsecured technology introduces new vulnerabilities. While BAT-BMS is just one example of this issue, it serves as a cautionary tale for other devices that rely on Bluetooth connectivity. The incident also underscores the need for greater awareness among drivers and passengers about the risks associated with these systems.
For the pranksters, the act is a form of playful retribution. Some claim they target e-rickshaw drivers for breaking traffic rules, such as speeding or cutting through lanes. While this may seem like a harmless joke, the disruption caused by the power cuts can lead to serious consequences. In high-traffic areas, an e-rickshaw stopping suddenly could cause chain reactions, endangering pedestrians and other vehicles. The trend has sparked debates about the balance between convenience and security in India’s electric transport ecosystem.
As the Ministry of Electronics and Information Technology continues its investigation, the focus remains on how to mitigate such risks. One potential solution is to update the BMS software with stronger encryption and authentication mechanisms. This would not only protect against pranksters but also enhance overall safety for users. In the meantime, the viral trend serves as a reminder of the importance of securing the technology that powers everyday mobility. The challenge now is to ensure that these systems are both efficient and safe, preventing them from being used as tools for disruption.