Tenable Research Finds Security Flaws in K-12 GPS Tracking System

Tenable Research has disclosed several new vulnerabilities in a popular K-12 GPS tracking system.

The security flaws were uncovered by Tenable Research in Edulog’s Parent Portal suite of products. This application is used by over 7,000 U.S. school systems.

Edulog provides school districts throughout North America with products and services related to managing and optimizing transportation needs. Their offerings aid in bus route planning, GPS tracking and fleet management. In particular, Parent Portal and Parent Portal Lite allow parents and school staff access to real-time information regarding a student’s school bus transportation.

Tenable Research Reported Flaws to Edulog

Tenable's Jimi Sebree

Jimi Sebree, senior staff research engineer at Tenable, said Tenable reported these flaws to Edulog on Sept. 13 and as of Nov. 30 the vulnerabilities have been patched.

"To our knowledge, the flaws have not been exploited,” he said. “If exploited, threat actors would have had unrestricted access to any information that could be obtained via the Parent Portal API, including: student names, assigned bus routes, parents’ contact information, GPS data and configuration details of individual school districts (like usernames and encrypted passwords for third-party integrations). Bad actors could also learn real-time details about bus routes and statuses, including the bus’ current location, pick-up and drop-off times, and information related to delays or route changes.”

Edulog’s Parent Portal,like many other GPS-tracking apps, contains a plethora of data, and where there’s sensitive data, there are bad actors, Sebree said. It was also a relatively easy bug to exploit. All attackers would have had to do was create a free account.

Tenable researchers discovered that the backend services for these products lacked sufficient authentication and access control implementations. After creating a free account, researchers attempted to access the API endpoints for the services directly, rather than using the apps. They soon realized that the access control measures in place were client-side restrictions enforced only by the apps themselves. By submitting requests manually, they had seemingly unfettered access to any information that could be obtained via the Parent Portal API.

Tenable does not believe that any one party is to blame, Sebree said.

“While Edulog is responsible for the bugs in their services, they took Tenable’s report seriously and provided fixes in a timely manner,” he said. “This is a situation where everybody involved – Edulog employees, school district agents and parents/users – is responsible for making sure the data relating to these services is handled properly. That said, we always urge vendor transparency, and notifying their customers that a vulnerability had been discovered and fixed, even if no evidence of a breach was found, would have been the most transparent action here. Customers deserve to know when their data has been at risk, so they can make decisions in the future with all of the information in hand.”