The story so far: Over the last week, social media has been flooded with videos depicting individuals using mobile applications such as BAT-BMS, Lossigy and Epoch-i-ion to wirelessly disable the batteries of e-rickshaws using Bluetooth.

The videos have largely been shared as “pranks” — however cruel, unethical and unlawful they may be — while some have speculated that the applications were designed for high-tech sabotage by China’s manufacturers.

The reality is far less dramatic, yet still worth understanding carefully.

How battery management systems are diagnosed?

Applications such as BAT-BMS exist to allow fleet owners and service technicians to easily diagnose battery problems such as overvoltage or undervoltage.

In most vehicles, battery management and diagnostics require physical access to the module and the use of a computer or other device to gather information.

Battery apps taken down in India after stalled e-rickshaw rides Over time, manufacturers have begun equipping these modules with Bluetooth capabilities, making diagnostics and repairs easier without requiring extensive disassembly.

Applications such as BAT-BMS are typically developed alongside the battery management systems they support and are almost certainly not intended to sow chaos by disabling as many vehicles as possible.

Instead, they search for specific devices advertising themselves as battery management modules over Bluetooth, connect to one device at a time, display diagnostic information, and provide basic debugging functions.

Looking under the hood: How e-rickshaws are built and why imported electronics matter?

The BAT-BMS application is specifically designed to discover and connect to BMS modules manufactured by a Chinese electronics company, Jiabaida.

A seven-year-old public discussion on the open source code sharing platform GitHub documented a lack of authentication in Jiabaida BMS modules, with the author even providing a hacky workaround for this obvious security flaw.

Centre orders blocking of battery management apps used to turn off e-rickshaws Over time, this vulnerability appears to have been discovered and subsequently exploited by individuals who began popularising its misuse.

In particular, some users circulated short-form “prank” videos demonstrating how it could be used to disable e-rickshaw batteries.

Almost all of the components that make up e-rickshaws are imported from China.

In fact, one could order almost all the parts required to assemble one from consumer websites such as Alibaba Group or AliExpress.Of course, one could go even further and import a fully pre-assembled e-rickshaw from China through these platforms, though the shipping fees and Customs duties might eat into your margin.

Most manufacturers import the electronic components required to assemble e-rickshaws from China, leaving only the fabrication and assembly of the aluminium frame and chassis to be done domestically.

When technology is blamed for system vulnerabilities It appears that whenever something goes wrong, the government is quick enough to attribute blame to digital platforms.

Telegram was ordered to be blocked during the Re-NEET period, reportedly to protect individuals from fraudsters claiming to sell leaked examination question papers in advance.

Similarly, following viral “prank” incidents, the government directed Google and Apple to remove several popular battery management apps from their respective app stores.

In both cases, the government has chosen to restrict access to applications rather than address the underlying issues in a meaningful way.

While the two applications are fundamentally different — one being a widely used communication platform with social media features, and the other a set of utilities for diagnosing battery issues — the reasoning behind both decisions appears similar.

In essence, when a particular technology becomes associated with harm, restricting access to that technology is seen as a way to eliminate the harm itself.

Hypothetically, if the Re-NEET examination were to be compromised, the breach would have to occur at the source or during transit — during question formulation, printing, or transport.

The breach would not originate from, nor be enabled by, the Telegram platform itself.

Blocking Telegram in this hypothetical scenario would only temporarily disrupt the sale of leaked question papers, until sellers migrate to another platform of choice.

Similarly, restricting battery management applications does not make vulnerable BMS modules any more secure.

If anything, it might further inconvenience users who have been affected and are trying to restore functionality to their vehicles.

How should supply chain regulation be structured?

Contrary to popular belief, regulatory frameworks governing e-rickshaws do exist.

Gazette notifications GSR 709(E) dated 8.10.2014 and S.O.

2590(E) dated 8.10.2014 define requirements related to overall dimensions, tyres, brakes, horns, and vehicle identification number standards, but do not provide detailed standards for electronic components.

Globally, as security risks become increasingly associated with the supply chains, various strategies have been adopted to address vulnerabilities before a product reaches the assembly line.

These include vetting suppliers, auditing the firmware of electronic components, and tracing the origin and capabilities of individual parts.

Such measures can be mandated through regulation.

A simple Google search conducted seven years ago could have alerted e-rickshaw manufacturers to the security issues in the BMS modules they use.

Frameworks that establish standards, as well as responsibilities and liabilities for manufacturers, should ideally extend to all products containing electronic components, not just vehicles or specifically e-rickshaws.

While sourcing parts from the cheapest available source might be suitable for building a quick prototype, the long-term production and marketing of products should require greater effort and due diligence than simply placing a few orders and setting up an assembly line. (Karan is an independent security researcher from New Delhi, India.)