A security researcher has found that the real-time GPS coordinates for over 11,000 buses in India was left exposed online for more than three weeks.
The researcher, Justin Paine claimed that the data was leaked through an ElasticSearch server that was found connected online without a password. The server contained data collected from 27 Indian state-owned transportation agencies and included exact, real-time GPS coordinates and route information from buses all over India, active on both inter and intra-city routes.
Usually for buses, the server has information such as license plates, start-stop stations, route names, and GPS coordinates.
The data that was collected was different for each transportation agency while in some cases it includes details about commuters, such as usernames and emails. It is however unclear how many unique users’ information has been exposed.
Paine said that he found the server using search engines for internet-connected devices like Shodan and Censys, on December 5. He states that the server was accessible as far back as at least November 30, 2018 but he is not sure for how long the server had been exposed.
The researcher was not able to determine the owner of the server that leaked the data. Paine had contacted India’s CERT team and the server was finally secured on December 22. The CERT India representatives however declined to reveal the owner of the server.
According to Paine, the exposed server contained data collected from the following transportation agencies:
ACTSL — Allahabad City Transport Services Ltd.
AICTSL — Atal Indore City Transport Services Limited
AMCTSL — Agra-Mathura City Transport Services Ltd
BCLL — Bhopal City Link Limited
BMTC — Bangalore Metropolitan Transport Corporation
BSRTC — Bihar State Road Transport Corporation
CSTC — Calcutta State Transport Corporation
CTU — Chandigarh Transport Undertaking
DTC — Delhi Transport Corporation
HOHO — Hop On Hop Off Sightseeing Bus Service, Govt. of Delhi
IBUS — Indore Bus Rapid Transit System
JCBS — Joint Council of Bus Syndicate
JCTSL — Jaipur City Transport Services Limited
KCTSL — Kanpur City Transport Services Limited
KMRL — Kochi Metro Rail Limited
LCTSL — Lucknow City Transport Services Ltd
LNT — Lukshmi Narayan Travels
MCTSL — Meerut City Transport Services Limited
NMPL — Nagpur Mahanagar Parivahan Limited
TMT — Thane Municipal Transport
UCTSL — Ujjain City Transport Services Limited
UPSRTC — Uttar Pradesh State Road Transport Corporation
VVMT — Vasai Virar Municipal Transport
Besides the server also contained data from the agency KMRL, Kochi Metro Rail Limited– that tracked metros instead of buses.
There are certain reasons these types of leaks are alarming. Firstly, leaking usernames and emails would allow the tracking of certain individuals as they move around a city. Secondly, there are chances that the leaked emails may be added to lists. Third, in a country like India where terrorist attacks happen repeatedly, leaking bus real-time route information would help the attackers to plan their attacks for maximum damage.
This data leak is the latest incident belonging to the ones caused by companies failing to secure their ElasticSearch servers properly. Some other companies that have exposed user data via ElasticSearch servers are Sky Brasil (32 million subscribers), Brazil’s Federation of Industries of the State of Sao Paulo (34.8 million users), FitMetrix (35 million users) etc.