Indian Railways Information and Data Security
I have been documenting Indian Railways and its IT systems over the past two years. In a previous post I criticized the railways' plans to monetize the data without securing it in the first place, at the time the Maharashtra Police announced they had found that IRCTC had been hacked and were investigating it. The railways denied the claim and moved on, as bureaucrats are best at.
I have been looking at the security of several railway systems and documenting things. I reported most of these to the entire railways IT team, with no official response from them for at least 8 months now. I am gonna write about a few of these vulnerabilities, which have since been closed or which do not involve any sensitive information. Note: Indian Railways is massive, and the organization structure for IT systems alone includes CRIS, IRCTC and each division's own IT team.
Integrated Coaching Management System (ICMS)
The ICMS portal of the railways is an integrated management system for tracking coaches and trains for operations. The website holds information on every coach: manufacturing date and position in the train for each trip, updated by each division for operations. A cached cookie which never expired let Google index this website and gave anyone access to it. This was common knowledge on Indian Railways fan forums, and the moderators had to specifically ban people from discussing and using this website in the forums. This bug has been fixed in a subsequent server upgrade, but one can essentially hack it back, and that is definitely possible. Internal websites like these should instead be on a virtual network not accessible to everyone on the internet. The railways can easily do this through RailTel instead of giving free wifi to others.
A screenshot of ICMS pages which were accessible to everyone for a few months
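The two controls the ICMS incident above was missing are a session that actually expires and a portal that is not reachable from the public internet. The following is an added example written for this post, not ICMS or CRIS code: a server-side session store with an idle timeout and an absolute lifetime, a Set-Cookie value with a bounded Max-Age and the HttpOnly/Secure/SameSite attributes, and a request gatekeeper that first checks the client is on the internal network and then checks the session. The lifetimes, the cookie name and the 10.0.0.0/8 internal range are assumptions.

```python
"""Server-side session expiry and network scoping for an internal portal.
Added example; this is not ICMS or CRIS code. Lifetimes, cookie name and the
internal address range are assumptions."""
import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ABSOLUTE_LIFETIME = 8 * 3600   # assumed: re-authenticate at least once per shift
IDLE_TIMEOUT = 15 * 60         # assumed: drop sessions idle for 15 minutes
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed private range behind RailTel
COOKIE_NAME = "icms_session"                        # assumed cookie name


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Sessions live on the server; the cookie is only an unguessable reference to one."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock              # injectable clock so expiry can be tested
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits, not derived from the user
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None; stale sessions are removed."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.created > ABSOLUTE_LIFETIME or now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        sess.last_seen = now             # sliding idle window, hard absolute cap
        return sess.user

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


def set_cookie_header(token: str) -> str:
    """Set-Cookie value with a bounded lifetime and no JavaScript or cross-site exposure."""
    return (f"{COOKIE_NAME}={token}; Max-Age={IDLE_TIMEOUT}; Path=/; "
            "HttpOnly; Secure; SameSite=Strict")


def session_token_from_cookie(cookie_header: str) -> Optional[str]:
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def handle_request(store: SessionStore, client_ip: str,
                   cookie_header: str) -> Tuple[int, Dict[str, str]]:
    """Gatekeeper for every page: network check first, then session check.
    Every response, including rejections, tells crawlers not to index and
    caches not to store, so a leaked link cannot turn into a public copy."""
    headers = {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store"}
    if ipaddress.ip_address(client_ip) not in INTERNAL_NET:
        return 403, headers
    token = session_token_from_cookie(cookie_header)
    user = store.validate(token) if token else None
    if user is None:
        return 401, headers
    headers["X-Authenticated-User"] = user
    return 200, headers
```

The network check is the cheap version of the virtual-network recommendation in the text: if the portal only answers addresses reachable through the operator's own network, an indexed link is useless to anyone outside it, and the session controls limit the damage when a cookie does leak.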
National Train Enquiry System (NTES)
The Rail Radar, or National Train Enquiry System, was designed to help passengers know the real-time status of trains. The website was launched first, followed by an Android application later in 2014. NTES, though quite useful, doesn't have all the information a passenger needs, such as PNR status, in the same website/application. This led startups like ixigo, travelyaari and several others to provide all of this information under one application. Until early 2015 the NTES Android application was communicating with its servers over plain HTTP with little security. Somewhere in mid-2015 they started using AES-256 encryption on the data exchanged between the servers and the application, to restrict people from mining this data. But this didn't stop startups from further exploiting this data by breaking the AES encryption. The following video shows how a popular train application, ixigo, breaks this encryption to mine railways data.
All of this data is publicly accessible, but they don't want to give access. With startups increasingly hitting railway servers for data, in 2016 the railways announced it would monetize this data by closing the bugs and providing these APIs as a paid service to the same startups. Most of these APIs were supposed to be made available in the first place under the National Data Sharing and Accessibility Policy of 2012. The railways' chief data officer ignored this and did not comply in releasing any of this data. According to the policy they were also supposed to publish plans for charging for data within 6 months if the data could not be made open. The whole issue is that because the railways failed to do its job properly, firms started exploiting its IT systems, and now the railways wants to capitalize on the situation. The bigger question is why the railways is not reporting these firms for exploiting its systems and is instead playing merry-go-round with them. Breaking encrypted content is an offense under the Information Technology Act. But the selective enforcement of the rule of law around this is really bad.
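Encrypting API responses with a key that ships inside the app, as the NTES section above describes, only obscures data that the server hands to anyone who asks; it does not decide who may ask, nor how often. The paid-API plan in the paragraph above needs the opposite: a credential per client that the server issues, meters and can revoke. The following is an added example, not CRIS or NTES code: each client signs its requests with HMAC-SHA256 over the method, path, query, timestamp and body hash using a secret issued at registration, and the server verifies the signature, rejects stale timestamps and enforces a per-client token-bucket quota. The key ids, quotas, signing layout and 300-second clock skew are assumptions; transport is assumed to be TLS, which the example does not model.

```python
"""Metered, authenticated API access as an alternative to client-side payload
encryption. Added example, not CRIS/NTES code; key ids, quotas, the canonical
request layout and the skew window are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class Client:
    secret: bytes
    quota_per_minute: int
    tokens: float
    last_refill: float

    def take(self, now: float) -> bool:
        """Token bucket: refill at quota/60 tokens per second, spend one per request."""
        refill = (now - self.last_refill) * self.quota_per_minute / 60.0
        self.tokens = min(float(self.quota_per_minute), self.tokens + refill)
        self.last_refill = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def canonical_request(method: str, path: str, query: str, timestamp: int, body: bytes) -> bytes:
    """Fixed layout both sides sign; hashing the body keeps the string short."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query, str(timestamp), body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, query: str,
                 timestamp: int, body: bytes) -> str:
    """Client side: HMAC-SHA256 over the canonical request, hex encoded."""
    return hmac.new(secret, canonical_request(method, path, query, timestamp, body),
                    hashlib.sha256).hexdigest()


class ApiGateway:
    def __init__(self, clock: Callable[[], float] = time.time, max_skew: int = 300):
        self._clock = clock          # injectable clock for deterministic tests
        self._max_skew = max_skew    # assumed: reject timestamps more than 5 minutes off
        self._clients: Dict[str, Client] = {}

    def register(self, key_id: str, quota_per_minute: int) -> bytes:
        """Issue a per-client secret; the bucket starts full."""
        secret = secrets.token_bytes(32)
        self._clients[key_id] = Client(secret, quota_per_minute,
                                       float(quota_per_minute), self._clock())
        return secret

    def revoke(self, key_id: str) -> None:
        self._clients.pop(key_id, None)

    def authorize(self, key_id: str, method: str, path: str, query: str,
                  timestamp: int, signature: str, body: bytes) -> Tuple[int, str]:
        """Server side: identify, check freshness, verify signature, then meter."""
        client = self._clients.get(key_id)
        if client is None:
            return 401, "unknown or revoked key"
        now = self._clock()
        if abs(now - timestamp) > self._max_skew:
            return 401, "timestamp outside accepted window"
        expected = sign_request(client.secret, method, path, query, timestamp, body)
        if not hmac.compare_digest(expected, signature):   # constant-time compare
            return 401, "signature mismatch"
        if not client.take(now):
            return 429, "quota exceeded"
        return 200, "ok"
```

Because the secret never leaves the registered client and the server, a third party cannot mint requests by reading the app, and a misbehaving client is cut off by revoking one key rather than by changing a cipher for everyone. The skew window bounds how long a captured request stays valid; full replay protection would additionally need the server to remember recently seen signatures within that window, which this example leaves out.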
I have emailed the railways about additional vulnerabilities, to their chief data officer and everyone in their IT team from their directory. I never received a formal reply. I later called two of them to confirm whether they had received my mails. In all there are a few more open bugs which they haven't fixed in the 8 months since I reported them. It has been too long for me not to disclose this. As a researcher on Intelligent Transportation Systems I look into most of these issues, and I do require access to railway data for research.
Screenshot of my third mail to railway authorities about security issues with railway IT systems.
Originally published at www.lostprogrammer.com on December 3, 2016.