08 Jan 2019

A security researcher has found that the real-time GPS coordinates for over 11,000 buses in India were left exposed online for more than three weeks.

The researcher, Justin Paine, claimed that the data was leaked through an ElasticSearch server that was found connected to the internet without a password. The server contained data collected from 27 Indian state-owned transportation agencies and included exact, real-time GPS coordinates and route information from buses all over India, active on both inter-city and intra-city routes.

For buses, the server usually held information such as license plates, start-stop stations, route names, and GPS coordinates.

The data collected differed for each transportation agency, and in some cases it included details about commuters, such as usernames and emails. It is, however, unclear how many unique users' information has been exposed.

Paine said that he found the server on December 5 using search engines for internet-connected devices, such as Shodan and Censys. He states that the server was accessible at least as far back as November 30, 2018, but he is not sure how long it had been exposed.

The researcher was not able to determine the owner of the server that leaked the data. Paine contacted India's CERT team, and the server was finally secured on December 22. The CERT India representatives, however, declined to reveal the owner of the server.

According to Paine, the exposed server contained data collected from the following transportation agencies:

ACTSL — Allahabad City Transport Services Ltd.

AICTSL — Atal Indore City Transport Services Limited

AMCTSL — Agra-Mathura City Transport Services Ltd

BCLL — Bhopal City Link Limited

BMTC — Bangalore Metropolitan Transport Corporation

BSRTC — Bihar State Road Transport Corporation

C-TYPE

CSTC — Calcutta State Transport Corporation

CTU — Chandigarh Transport Undertaking

DTC — Delhi Transport Corporation

HOHO — Hop On Hop Off Sightseeing Bus Service, Govt. of Delhi

IBUS — Indore Bus Rapid Transit System

JCBS — Joint Council of Bus Syndicate

JCTSL — Jaipur City Transport Services Limited

KCTSL — Kanpur City Transport Services Limited

KMRL — Kochi Metro Rail Limited

KP —

LCTSL — Lucknow City Transport Services Ltd

LNT — Lukshmi Narayan Travels

MCTSL — Meerut City Transport Services Limited

MINIBUS —

NMPL — Nagpur Mahanagar Parivahan Limited

TMT — Thane Municipal Transport

UCTSL — Ujjain City Transport Services Limited

UPSRTC — Uttar Pradesh State Road Transport Corporation

VVMT — Vasai Virar Municipal Transport

In addition, the server contained data from the agency KMRL, Kochi Metro Rail Limited, which tracked metros instead of buses.

There are several reasons these types of leaks are alarming. First, leaked usernames and emails would allow certain individuals to be tracked as they move around a city. Second, the leaked emails may be added to lists. Third, in a country like India, where terrorist attacks happen repeatedly, leaked real-time bus route information would help attackers plan their attacks for maximum damage.

This data leak is the latest in a series of incidents caused by companies failing to secure their ElasticSearch servers properly. Other organizations that have exposed user data via ElasticSearch servers include Sky Brasil (32 million subscribers), Brazil's Federation of Industries of the State of Sao Paulo (34.8 million users), and FitMetrix (35 million users).
