Over 11,000 Indian buses Real Time location data left exposed online

Real-time GPS coordinates for over 11,000 buses in India have been left exposed on the internet for over three weeks.

The data leaked via an ElasticSearch server that was left connected online without a password, according to security researcher Justin Paine, who shared his findings with ZDNet.

The server contained data aggregated from 27 Indian state-owned transportation agencies and included exact, real-time GPS coordinates and route information from buses across all India, active on both inter and intra-city routes.

Real-time map of Indian buses  Image: Justin Paine

For buses, the server usually contained details such as license plates, start-stop stations, route names, and GPS coordinates.

The collected data was different for each transportation agency, and in some cases, it also included details about commuters, such as usernames and emails.

“In some cases, the username field appeared to be populated with a user-supplied username, but in other cases, it did appear to be the user’s full name,” Paine told ZDNet. “Some agencies also appeared to log the user’s email address.”

Bus info exposed online

Image: Justin Paine

Bus info left exposed online

Image: Justin Paine

 

“I was not able to determine how many unique users had their information exposed as I did not want to run such a resource-intense query on someone else’s server,” the researcher said when ZDNet asked about an estimate about the number of users who had their data left online.

Paine discovered the server using search engines for internet-connected devices like Shodan and Censys, on December 5.

“I can confirm the server was accessible as far back as at least November 30, 2018,” he said. “It is unclear how long the server had been exposed [before that date] though.”

UNCLEAR WHO OWNS THE SERVER

The researcher said that despite his best efforts, he wasn’t able to determine who owned the server leaking all this information. However, Paine said that after contacting India’s CERT team, the server was eventually secured on December 22, although CERT India representatives declined to reveal to who the server belonged.

“I will include the significant caveat that I cannot be sure, but it seems very likely this data was being collected by some type of government entity,” the researcher told us.

According to Paine, the exposed server contained data aggregated from the following transportation agencies:

  1. ACTSL — Allahabad City Transport Services Ltd.
  2. AICTSL — Atal Indore City Transport Services Limited
  3. AMCTSL — Agra-Mathura City Transport Services Ltd
  4. BCLL — Bhopal City Link Limited
  5. BMTC — Bangalore Metropolitan Transport Corporation
  6. BSRTC — Bihar State Road Transport Corporation
  7. C-TYPE — ??
  8. CSTC — Calcutta State Transport Corporation
  9. CTU — Chandigarh Transport Undertaking
  10. DTC — Delhi Transport Corporation
  11. HOHO — Hop On Hop Off Sightseeing Bus Service, Govt. of Delhi
  12. IBUS — Indore Bus Rapid Transit System
  13. JCBS — Joint Council of Bus Syndicate
  14. JCTSL — Jaipur City Transport Services Limited
  15. KCTSL — Kanpur City Transport Services Limited
  16. KMRL — Kochi Metro Rail Limited
  17. KP — ??
  18. LCTSL — Lucknow City Transport Services Ltd
  19. LNT — Lukshmi Narayan Travels
  20. MCTSL — Meerut City Transport Services Limited
  21. MINIBUS — ??
  22. NMPL — Nagpur Mahanagar Parivahan Limited
  23. TMT — Thane Municipal Transport
  24. UCTSL — Ujjain City Transport Services Limited
  25. UPSRTC — Uttar Pradesh State Road Transport Corporation
  26. VVMT — Vasai Virar Municipal Transport

In addition, the server also contained data from a 27th agency –KMRL, Kochi Metro Rail Limited– that tracked metros instead of buses.

 Scouring the local press, there are countless of announcements about both private firms and government agencies about implementing bus tracking systems [1234], and there doesn’t appear to be a connection between these entities at all. Currently, the mystery remains.

There are various reasons why this leak is quite worrisome. For starters, leaking usernames and emails would allow the tracking of certain individuals as they move around a city. Second, there’s also the annoyance of having the leaked emails added to spam lists. Third, India is still a country where terrorist attacks happen on an annual basis, and leaking bus real-time route information would certainly help threat actors fine-tune attack plans for maximum damage ahead of time.

This incident is just the latest in a string of data leaks caused by companies failing to secure their ElasticSearch servers properly. Other companies that have exposed user data via ElasticSearch servers include Sky Brasil (32 million subscribers), Brazil’s Federation of Industries of the State of São Paulo (34.8 million users), FitMetrix (35 million users), and a yet-to-be-identified data analytics firm (57 million US citizens and 26 million companies).

4 thoughts on “Over 11,000 Indian buses Real Time location data left exposed online”

  1. It is common to find the ornamental painting and sculptures with shapes depicting an appealing blend of different components from the artist’s religious,
    physical and cultural background. in April 22, 1560, he said:” Your Majesty, you’re invincible and retain the world in awe. It is maybe one of the most worldwide of mediums, both in its practice as well as in its range.

  2. With a great eye and taste for delineation, you may make a
    breeding ground impeccable for almost any exercises linked to feasting room.

    in April 22, 1560, he said:” Your Majesty, you’re invincible and contain the world in awe. Then it makes no difference whether it is heads or tail, one can possibly predict the final results.

  3. In cases like this, you will have to go for a rather simple picture
    frames. in April 22, 1560, he was quoted saying:” Your Majesty, you’re invincible and hold the world in awe. Then it matters not whether it is heads or tail, you can predict the final results.

  4. Should your motive here is to find paintings on the market Melbourne
    or paintings available for sale Brisbane, unfortunately nevertheless,
    you can’t find it here. If this is a matter of
    yours too, then you should learn in regards to the best processes to procure
    such things. Then it makes no difference if it is heads or
    tail, one can predict the final results.

Leave a Comment

Your email address will not be published. Required fields are marked *

5 + two =