Real-time GPS coordinates for over 11,000 buses in India have been left exposed on the internet for over three weeks.
The data leaked via an ElasticSearch server that was left connected online without a password, according to security researcher Justin Paine, who shared his findings with ZDNet.
The server contained data aggregated from 27 Indian state-owned transportation agencies and included exact, real-time GPS coordinates and route information from buses across all of India, active on both inter- and intra-city routes.
For buses, the server usually contained details such as license plates, start-stop stations, route names, and GPS coordinates.
The collected data was different for each transportation agency, and in some cases, it also included details about commuters, such as usernames and emails.
"In some cases, the username field appeared to be populated with a user-supplied username, but in other cases, it did appear to be the user's full name," Paine told ZDNet. "Some agencies also appeared to log the user's email address."
"I was not able to determine how many unique users had their information exposed as I did not want to run such a resource-intense query on someone else's server," the researcher said when ZDNet asked for an estimate of the number of users who had their data left online.
Paine told ZDNet he discovered the server using search engines for internet-connected devices like Shodan and Censys, on December 5.
"I can confirm the server was accessible as far back as at least November 30, 2018," he said. "It is unclear how long the server had been exposed [before that date] though."
The researcher said that despite his best efforts, he wasn't able to determine who owned the server leaking all this information. However, Paine said that after contacting India's CERT team, the server was eventually secured on December 22, although CERT India representatives declined to reveal to whom the server belonged.
"I will include the significant caveat that I cannot be sure, but it seems very likely this data was being collected by some type of government entity," the researcher told us.
According to Paine, the exposed server contained data aggregated from the following transportation agencies:
In addition, the server also contained data from a 27th agency, KMRL (Kochi Metro Rail Limited), that tracked metros instead of buses.
When ZDNet tried to identify the source of the leak with the help of a local news reporter, things weren't as clear as we'd hoped either. Scouring the local press, there are countless announcements from both private firms and government agencies about implementing bus tracking systems [1, 2, 3, 4], and there doesn't appear to be a connection between these entities at all. Currently, the mystery remains.
There are various reasons why this leak is quite worrisome. For starters, leaking usernames and emails would allow the tracking of certain individuals as they move around a city. Second, there's also the annoyance of having the leaked emails added to spam lists. Third, India is still a country where terrorist attacks happen on an annual basis, and leaking bus real-time route information would certainly help threat actors fine-tune attack plans for maximum damage ahead of time.
This incident is just the latest in a string of data leaks caused by companies failing to secure their ElasticSearch servers properly. Other companies that have exposed user data via ElasticSearch servers include Sky Brasil (32 million subscribers), Brazil's Federation of Industries of the State of São Paulo (34.8 million users), FitMetrix (35 million users), and a yet-to-be-identified data analytics firm (57 million US citizens and 26 million companies).