The NDTV Reality Check team demonstrated that the Epoch Li-ion battery-management app can remotely shut off a compatible e-rickshaw in Delhi [1].

This capability raises significant safety concerns for drivers and passengers. If a vehicle can be disabled via a smartphone app without the driver's consent, it creates a vulnerability that could lead to accidents or targeted disruptions in urban traffic.

The test focused on the Epoch Li-ion battery-management system to investigate claims regarding the BAT-BMS app's ability to disable vehicles remotely [1, 2]. During the demonstration in Delhi, the team used the app to trigger a shutdown of the vehicle. The e-rickshaw powered down within seconds after a single tap in the app [1].

This remote-kill functionality is typically designed for fleet management or theft prevention. However, the ease with which the system was accessed and triggered during the test highlights a potential gap in security protocols for these electric vehicles [1, 2].

Similar reports had previously surfaced involving the BAT-BMS app, which also showed the ability to disable vehicles from a distance [1, 2]. The NDTV team sought to verify these claims by conducting a live test to show how a digital command translates into a physical loss of power on a public road.

While the manufacturers of these battery management systems provide these tools for administrative control, the lack of stringent authentication, or safeguards, could allow unauthorized users to interfere with vehicle operations [1]. The demonstration underscores the tension between remote management convenience and the physical safety of the operator.

The e-rickshaw powered down within seconds after a single tap in the app

The ability to remotely disable a vehicle via a third-party application suggests a critical vulnerability in the cybersecurity of low-cost electric vehicle components. As e-rickshaws become central to Delhi's last-mile connectivity, the risk of remote interference could lead to systemic traffic failures or safety hazards if these 'kill switches' are accessed by malicious actors rather than authorized owners.