Real-time GPS coordinates for over 11,000 buses in India have been left exposed on the internet for over three weeks.
The data leaked via an ElasticSearch server that was left connected online without a password, according to security researcher Justin Paine, who shared his findings with ZDNet.
The server contained data aggregated from 27 Indian state-owned transportation agencies and included exact, real-time GPS coordinates and route information from buses across all of India, active on both inter- and intra-city routes.
For buses, the server usually contained details such as license plates, start-stop stations, route names, and GPS coordinates.
The collected data was different for each transportation agency, and in some cases, it also included details about commuters, such as usernames and emails.
"In some cases, the username field appeared to be populated with a user-supplied username, but in other cases, it did appear to be the user's full name," Paine told ZDNet. "Some agencies also appeared to log the user's email address."
"I was not able to determine how many unique users had their information exposed as I did not want to run such a resource-intense query on someone else's server," the researcher said when ZDNet asked for an estimate of the number of users whose data was left online.
Paine told ZDNet he discovered the server on December 5 using search engines for internet-connected devices, such as Shodan and Censys.
"I can confirm the server was accessible as far back as at least November 30, 2018," he said. "It is unclear how long the server had been exposed [before that date] though."
Unclear who owns the server
The researcher said that despite his best efforts, he wasn't able to determine who owned the server leaking all this information. However, Paine said that after he contacted India's CERT team, the server was eventually secured on December 22, although CERT India representatives declined to reveal to whom the server belonged.
"I will include the significant caveat that I cannot be sure, but it seems very likely this data was being collected by some type of government entity," the researcher told us.
According to Paine, the exposed server contained data aggregated from the following transportation agencies:
ACTSL -- Allahabad City Transport Services Ltd.
AICTSL -- Atal Indore City Transport Services Limited
AMCTSL -- Agra-Mathura City Transport Services Ltd
BCLL -- Bhopal City Link Limited
BMTC -- Bangalore Metropolitan Transport Corporation
BSRTC -- Bihar State Road Transport Corporation
C-TYPE -- ??
CSTC -- Calcutta State Transport Corporation
CTU -- Chandigarh Transport Undertaking
DTC -- Delhi Transport Corporation
HOHO -- Hop On Hop Off Sightseeing Bus Service, Govt. of Delhi
IBUS -- Indore Bus Rapid Transit System
JCBS -- Joint Council of Bus Syndicate
JCTSL -- Jaipur City Transport Services Limited
KCTSL -- Kanpur City Transport Services Limited
KMRL -- Kochi Metro Rail Limited
KP -- ??
LCTSL -- Lucknow City Transport Services Ltd
LNT -- Lukshmi Narayan Travels
MCTSL -- Meerut City Transport Services Limited
MINIBUS -- ??
NMPL -- Nagpur Mahanagar Parivahan Limited
TMT -- Thane Municipal Transport
UCTSL -- Ujjain City Transport Services Limited
UPSRTC -- Uttar Pradesh State Road Transport Corporation
VVMT -- Vasai Virar Municipal Transport
In addition, the server contained data from a 27th agency, KMRL (Kochi Metro Rail Limited), that tracked metros instead of buses.
When ZDNet tried to identify the source of the leak with the help of a local news reporter, things weren't as clear as we had hoped either. Scouring the local press, there are countless announcements about both private firms and government agencies implementing bus tracking systems [1, 2, 3, 4], and there doesn't appear to be a connection between these entities at all. Currently, the mystery remains.
There are various reasons why this leak is quite worrisome. For starters, leaking usernames and emails would allow the tracking of certain individuals as they move around a city. Second, there's also the annoyance of having the leaked emails added to spam lists. Third, India is still a country where terrorist attacks happen on an annual basis, and leaking real-time bus route information would certainly help threat actors fine-tune attack plans for maximum damage ahead of time.