Real-time location data for over 11,000 Indian buses left exposed online

Researcher finds real-time GPS and bus route information from 27 Indian transportation agencies left exposed online via an ElasticSearch server.
Written by Catalin Cimpanu, Contributor

Real-time GPS coordinates for over 11,000 buses in India have been left exposed on the internet for over three weeks.

The data leaked via an ElasticSearch server that was left connected online without a password, according to security researcher Justin Paine, who shared his findings with ZDNet.

The server contained data aggregated from 27 Indian state-owned transportation agencies and included exact, real-time GPS coordinates and route information from buses across all of India, active on both inter- and intra-city routes.

Real-time map of Indian buses
Image: Justin Paine

For buses, the server usually contained details such as license plates, start-stop stations, route names, and GPS coordinates.

The collected data was different for each transportation agency, and in some cases, it also included details about commuters, such as usernames and emails.

"In some cases, the username field appeared to be populated with a user-supplied username, but in other cases, it did appear to be the user's full name," Paine told ZDNet. "Some agencies also appeared to log the user's email address."

Bus info exposed online
Image: Justin Paine
Bus info left exposed online
Image: Justin Paine

"I was not able to determine how many unique users had their information exposed as I did not want to run such a resource-intense query on someone else's server," the researcher said when ZDNet asked for an estimate of the number of users who had their data left online.

Paine told ZDNet he discovered the server using search engines for internet-connected devices like Shodan and Censys, on December 5.

"I can confirm the server was accessible as far back as at least November 30, 2018," he said. "It is unclear how long the server had been exposed [before that date] though."

Unclear who owns the server

The researcher said that despite his best efforts, he wasn't able to determine who owned the server leaking all this information. However, Paine said that after contacting India's CERT team, the server was eventually secured on December 22, although CERT India representatives declined to reveal to whom the server belonged.

"I will include the significant caveat that I cannot be sure, but it seems very likely this data was being collected by some type of government entity," the researcher told us.

According to Paine, the exposed server contained data aggregated from the following transportation agencies:

  1. ACTSL -- Allahabad City Transport Services Ltd.
  2. AICTSL -- Atal Indore City Transport Services Limited
  3. AMCTSL -- Agra-Mathura City Transport Services Ltd
  4. BCLL -- Bhopal City Link Limited
  5. BMTC -- Bangalore Metropolitan Transport Corporation
  6. BSRTC -- Bihar State Road Transport Corporation
  7. C-TYPE -- ??
  8. CSTC -- Calcutta State Transport Corporation
  9. CTU -- Chandigarh Transport Undertaking
  10. DTC -- Delhi Transport Corporation
  11. HOHO -- Hop On Hop Off Sightseeing Bus Service, Govt. of Delhi
  12. IBUS -- Indore Bus Rapid Transit System
  13. JCBS -- Joint Council of Bus Syndicate
  14. JCTSL -- Jaipur City Transport Services Limited
  15. KCTSL -- Kanpur City Transport Services Limited
  16. KMRL -- Kochi Metro Rail Limited
  17. KP -- ??
  18. LCTSL -- Lucknow City Transport Services Ltd
  19. LNT -- Lukshmi Narayan Travels
  20. MCTSL -- Meerut City Transport Services Limited
  21. MINIBUS -- ??
  22. NMPL -- Nagpur Mahanagar Parivahan Limited
  23. TMT -- Thane Municipal Transport
  24. UCTSL -- Ujjain City Transport Services Limited
  25. UPSRTC -- Uttar Pradesh State Road Transport Corporation
  26. VVMT -- Vasai Virar Municipal Transport

In addition, the server contained data from a 27th agency -- KMRL, Kochi Metro Rail Limited -- that tracked metros instead of buses.

When ZDNet tried to identify the source of the leak with the help of a local news reporter, things weren't as clear as we had hoped either. Scouring the local press turns up countless announcements about both private firms and government agencies implementing bus tracking systems [1, 2, 3, 4], and there doesn't appear to be a connection between these entities at all. Currently, the mystery remains.

There are various reasons why this leak is quite worrisome. For starters, leaking usernames and emails would allow the tracking of certain individuals as they move around a city. Second, there's also the annoyance of having the leaked emails added to spam lists. Third, India is still a country where terrorist attacks happen on an annual basis, and leaking bus real-time route information would certainly help threat actors fine-tune attack plans for maximum damage ahead of time.

This incident is just the latest in a string of data leaks caused by companies failing to secure their ElasticSearch servers properly. Other companies that have exposed user data via ElasticSearch servers include Sky Brasil (32 million subscribers), Brazil's Federation of Industries of the State of São Paulo (34.8 million users), FitMetrix (35 million users), and a yet-to-be-identified data analytics firm (57 million US citizens and 26 million companies).
