A Hindustan Times investigation demonstrated that a Chinese‑origin remote‑control app can instantly disable an electric rickshaw’s motor, and that the vehicle can be restarted only through the same application. The test, performed with a driver’s consent in the Delhi region, highlights a concrete vulnerability in the Bluetooth‑based telematics systems that many Indian e‑rickshaws rely on for fleet management.
What happened
The reporters installed the third‑party “Rover” app – marketed as a fleet‑management tool – on a smartphone and paired it with the on‑board controller of a Delhi‑area e‑rickshaw. When the researcher activated the app’s remote‑shutdown command, the motor lost power immediately, leaving the driver unable to move the vehicle. The driver could resume operation only after the researcher reopened the app and sent a “restart” signal, which re‑enabled the motor. The test was conducted with the driver’s explicit permission, confirming that the shutdown was not the result of a malfunction but of a deliberate command issued through the app.
Why it matters
India’s e‑rickshaw fleet has surged past 1.5 million units nationwide, according to the Confederation of Indian Industry (CII). These three‑wheelers serve as a primary, low‑cost transport option for millions of commuters, especially in urban and peri‑urban areas. If a remote‑shutdown command can be issued by anyone who has previously paired a device with a vehicle’s Bluetooth Low Energy (BLE) module, the potential for misuse is significant. Malicious actors could exploit the flaw for extortion – demanding payment to restore service – or for sabotage, disrupting traffic flow in congested corridors. The vulnerability therefore threatens not only individual drivers’ livelihoods but also broader urban mobility and public safety.
Background and context
Most e‑rickshaws sold in India incorporate electronic control modules sourced from Chinese manufacturers. These modules expose a BLE interface intended for legitimate purposes such as battery monitoring, firmware updates, and fleet‑management functions. The Hindustan Times report notes that the same BLE channel can be leveraged to issue unauthorized “engine‑off” commands if a device that has previously paired with the vehicle sends the appropriate signal.
The “Rover” app is one of several third‑party tools that fleet operators use to track vehicle location, manage charging cycles, and schedule maintenance. While the app’s advertised features are benign, its ability to send low‑level commands to the vehicle’s controller creates a dual‑use risk. The issue is not confined to a single e‑rickshaw brand; any model that incorporates a similar BLE‑enabled telematics unit could be vulnerable.
Competing claims and uncertainty
The Hindustan Times article presents the technical demonstration as factual, but it does not provide independent verification from the manufacturers of the telematics modules or from the “Rover” app developers. The app’s vendor has not publicly responded to requests for comment, leaving open the question of whether the remote‑shutdown command is an intended feature, a programming oversight, or a security backdoor.
Industry analysts cited in the report warn that without coordinated action, the vulnerability could be weaponized. However, they stop short of quantifying how many e‑rickshaws in active service have the “Rover” app installed or how many drivers have previously paired a device that could later be used for a shutdown. The CII spokesperson’s warning about the scale of the fleet underscores the potential impact but does not constitute evidence that attacks have already occurred.
Thus, while the test confirms that a remote shutdown is technically feasible, the extent to which the exploit is being used in the wild remains uncertain. Further investigation is needed to determine whether any criminal groups have leveraged the app, and whether other third‑party fleet‑management solutions exhibit similar weaknesses.
What to watch next
1. Manufacturer response – Watch for firmware patches from e‑rickshaw control‑module makers. The report recommends that updates incorporate cryptographic authentication of commands, limiting control to authorized platforms.
2. Regulatory action – The Ministry of Road Transport and Highways has been urged to mandate security standards for telematics modules in e‑rickshaws, akin to those applied to passenger cars. Any forthcoming regulations or guidelines will be a key indicator of governmental prioritization of vehicle cybersecurity.
3. App ecosystem scrutiny – If the “Rover” app or similar tools are found to lack proper access controls, app‑store platforms may be pressured to enforce stricter security reviews. Monitoring statements from the app’s developer and any subsequent changes to its permission model will be informative.
4. Law‑enforcement investigations – Reports of actual extortion or sabotage attempts using remote shutdowns would trigger police inquiries. Tracking any such incidents in major cities like Delhi, Mumbai, and Kolkata will help gauge the real‑world threat level.
5. Driver education initiatives – Industry bodies and driver unions may launch campaigns on “Bluetooth hygiene,” advising drivers to delete unused pairings and reset the controller’s pairing list after service. The uptake and effectiveness of such measures will be a practical metric of risk mitigation.
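One way a controller could enforce the cryptographic authentication of commands that the report recommends, shown as an added example that is not code from the Hindustan Times report, the “Rover” app or any module vendor. The frame layout, opcodes, key and class names are assumptions made for illustration: each command carries an HMAC tag and a monotonic counter, so a paired device without the key, or a replayed frame, is refused.

```python
import hashlib
import hmac
import struct

# Constructed values for illustration; nothing here comes from a real controller.
VEHICLE_KEY = bytes(range(32))          # hypothetical per-vehicle secret set at provisioning
OP_MOTOR_OFF, OP_MOTOR_ON = 0x01, 0x02  # hypothetical opcodes
TAG_LEN = 16                            # truncated HMAC-SHA256 tag

def build_command(key: bytes, opcode: int, counter: int) -> bytes:
    """Authorized platform side: opcode (1 byte) | counter (4 bytes, big-endian) | tag."""
    header = struct.pack(">BI", opcode, counter)
    return header + hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]

class Controller:
    """Hypothetical gate in front of motor commands; BLE pairing alone grants nothing."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.motor_enabled = True

    def handle(self, frame: bytes) -> str:
        if len(frame) != 5 + TAG_LEN:
            return "rejected: malformed"
        header, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "rejected: bad tag"
        opcode, counter = struct.unpack(">BI", header)
        if counter <= self.last_counter:            # frame already seen or older
            return "rejected: replay"
        if opcode not in (OP_MOTOR_OFF, OP_MOTOR_ON):
            return "rejected: unknown opcode"
        self.last_counter = counter
        self.motor_enabled = opcode == OP_MOTOR_ON
        return "accepted"

def demo() -> list:
    ecu = Controller(VEHICLE_KEY)
    legit_off = build_command(VEHICLE_KEY, OP_MOTOR_OFF, counter=1)
    no_key = struct.pack(">BI", OP_MOTOR_OFF, 2) + bytes(TAG_LEN)  # paired device, no key
    wrong_key = build_command(b"\x00" * 32, OP_MOTOR_OFF, counter=3)
    legit_on = build_command(VEHICLE_KEY, OP_MOTOR_ON, counter=2)
    return [ecu.handle(no_key), ecu.handle(wrong_key), ecu.handle(legit_off),
            ecu.handle(legit_off),  # same frame sent again
            ecu.handle(legit_on)]

if __name__ == "__main__":
    print(demo())
```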
Conclusion
The Hindustan Times test provides concrete evidence that a Chinese‑origin BLE‑based fleet‑management app can remotely disable an e‑rickshaw’s motor and that the vehicle can be restarted only through the same app. Given the rapid expansion of India’s e‑rickshaw fleet, the vulnerability poses a credible risk of disruption, financial loss, and safety hazards if exploited maliciously. While the technical feasibility is established, the scale of actual abuse remains unclear, underscoring the need for transparent manufacturer disclosures, robust firmware updates, and regulatory standards that enforce authentication for telematics commands. In the interim, drivers can reduce exposure by managing Bluetooth pairings and ensuring their vehicles run the latest firmware. Ongoing monitoring of industry responses, regulatory developments, and any reported incidents will be essential to assess whether this proof‑of‑concept evolves into a widespread security challenge for India’s electric‑vehicle ecosystem.
Sources
– Hindustan Times, “The app behind viral e‑rickshaw shutdown videos: How it works and how to prevent it,” https://www.hindustantimes.com/india-news/the-app-behind-viral-e-rickshaw-shutdown-videos-how-it-works-and-how-to-prevent-it-101783048303136.html
Story synopsis gathered from: Hindustan Times – India News