Relied on by Parents, Hailed by Schools, GPS Bus Trackers Raise Security Risks

App vulnerability exposed real-time school bus location and other sensitive info to anyone with a free account, cybersecurity co. probe reveals

By Mark Keierleber | January 24, 2024
Eamonn Fitzmaurice/成人抖阴

Louisville father Robert Bramel began to panic. Hours after the first day of elementary school ended in August, his two sons hadn’t yet returned home, and he grew frightened for their safety.

It wasn’t until after 7 p.m. that evening when the boys, 5-year-old William and 8-year-old Joseph, arrived on a school bus unharmed. Their delayed return was the result of what officials at Kentucky’s Jefferson County Public Schools called a “transportation disaster”: A tech-enabled bus routing system implemented to improve efficiency backfired and some kids didn’t make it home until nearly 10 p.m.

“I was wondering, ‘Is my son safe?’” Bramel told 成人抖阴. “Are they safe? Are they OK? Did anything happen?”

Months later, Bramel is once again upset and concerned that his kids had been left vulnerable. Again, technology is the culprit. After the bus delay fiasco, school officials in Louisville signed up for a GPS tracking system offered by the Montana-based company Education Logistics, commonly known as Edulog. Through an app, the system gives parents real-time information about the location of their children’s school buses.

The service offers parents valuable updates about bus arrivals and departures and tools like it have been embraced by families and heralded by school officials across the country, especially when there are busing snafus. Bramel said he now regularly relies on the Edulog service. Yet in Louisville and at districts nationwide, cybersecurity researchers found, vulnerabilities could have left sensitive data open to exploitation by bad actors. 

James Sebree, a senior staff research engineer at Maryland-based cybersecurity company Tenable, said his inquiry into Edulog’s Parent Portal began after a friend voiced security concerns as it was being rolled out at his child’s school. Because the Edulog apps lacked sufficient authentication and access controls, anybody could access a large swath of sensitive information about students and families with little more than a free account. Among the exposed records were the real-time location of school buses, pick-up and drop-off times, information about scheduled delays, logs of students who were assigned to specific routes and their parents’ contact information.

“It was startling to see the extent to which we were able to access information by bypassing the client-side restrictions, particularly when that information involved minors,” Sebree said in an email to 成人抖阴. Sebree said his firm isn’t aware of any instances where the data was actually exploited by bad actors and that Edulog worked quickly to patch the vulnerabilities once Tenable alerted them to the issues in early September. But the bug, while it existed, he said, was relatively easy to exploit.

“GPS data in conjunction with parental contact information, if compromised,” he said, “could lead to scary situations for parents and students.”

School districts nationwide have increasingly turned to GPS tracking systems to help keep parents in the loop about arrival and departure times, particularly amid a national that’s led to chaos in many places and education leaders having to rethink their transportation logistics.

In Louisville, the school bus woes forced leaders to cancel classes for several days right at the beginning of the new academic year. Last March, Chicago Public Schools to address widespread transportation hurdles of its own, including canceled routes and unreliable service. In some instances, the district has called on taxis and paid $500 transportation stipends to parents to get kids to and from school. 

As school districts increasingly turn to thousands of third-party education technology vendors to streamline instruction and across all parts of their operations, the Edulog vulnerability highlights how such arrangements can introduce new privacy and security risks, especially when for-profit companies collect sensitive information like real-time location data involving students. 

Edulog claims more than 6 million students are transported on school buses equipped with its software. Recent customers include the school districts in Wichita, Kansas, Newport News, Virginia, and Greenwich, Connecticut, according to data from GovSpend, which tracks government procurement. 

In , the company acknowledged that it had been notified of “a potential vulnerability” and that they had “researched the issue and resolved it in the next build of the product.” Yet the company is not contractually obligated to notify their customer districts or parents that the weakness was uncovered, Lam Nguyen-Bull, Edulog’s chief experience officer and general counsel, told 成人抖阴 in an interview. At the same time, she recognized the student safety risks involved in the potential breach of real-time GPS data is “certainly a concern.”

“That’s something that districts have to weigh, as it is any time you get into a service like this: What are you willing to risk and is it worth the cost?” she said. “You can take as many cautions as possible, but a creative and dedicated person will always be able to find a vulnerability.”

Mark Hebert, the Jefferson County Public Schools spokesperson, said in an email the Louisville district relies on Edulog’s “Lite” version, which offers parents bus location information “but little else.”

Yet for Bramel, news that the bus tracker that he found so handy carried privacy risks brought newfound anxiety. Bramel said that he had heard rumors about an Edulog security lapse but hadn’t received formal outreach from the district, leaving him to wonder about the types of information that could have been exposed.

He said school transportation in Louisville remains so erratic that he’s considered moving out of the district boundaries altogether. Allowing anyone access to real-time school bus information, he said, could have been catastrophic.

“That’s infuriating because that puts my child at risk, that’s their life in danger,” he said. “A perpetrator could be meeting up or something like that. Human trafficking is still going on.”

The privacy implications of bus trackers

Edulog’s Nguyen-Bull noted that privacy issues have been present ever since GPS services were first introduced to consumers in the late 1980s. Such implications are perhaps amplified in the context of students and schools, but ultimately, she said, they take a back seat for most people.

“The truth is, we generally are lazy beings, right?” Nguyen-Bull said. “We go for convenience.”

Edulog has been providing school districts with bus routing services since 1977, but Nguyen-Bull said it was consumers who ultimately began to push for real-time GPS tracking about a decade ago. 

Numerous companies now offer such services for school buses, including in big urban districts like , which just launched its long-awaited tracker last week; and Los Angeles. The services, however, haven’t always lived up to the expectations of parents or school bus drivers, with both reporting accuracy concerns. The power of real-time information has also introduced new safety risks, Nguyen-Bull said. If the app says a bus is expected to arrive five minutes late, she said that “personal optimizers” will use that information to delay their trek to the bus stop.

“That creates problems where kids are rushing across streets or they’re not being careful in how they approach the bus,” she said, adding that the issue is compounded in instances when the GPS information is inaccurate. “We’ve become so reliant on our phones that we don’t actually look up and see what the reality is.”

Meanwhile, over the last year the federal government has placed a heightened emphasis on cybersecurity risks introduced to the education sector through third-party technology vendors like Edulog. In September, the federal Cybersecurity and Infrastructure Security Agency to sign a voluntary pledge and commit to building products with robust security protections. Companies that sign the pledge agree to “radical transparency” and to “take ownership of customer security outcomes.”

In a December blog post, the federal cybersecurity agency noted that school districts should not be required to “bear the cybersecurity burden alone,” and advocated for shifting many responsibilities to vendors.

“Cybersecurity issues facing K-12 could be much more effectively and cheaply dealt with earlier in the supply chain, by focusing on a relatively smaller number of linchpin companies serving very large numbers of students and educators instead of school district by school district, school by school,” the post noted.

But Nguyen-Bull said her company was uninterested in signing the pledge, calling it meaningless without any clear cybersecurity standards. Yet she also balked at the idea of regulations that would set specific cybersecurity requirements. 

“We’re not just going to sign random pledges that ask for slightly different things if we don’t know if we can track those things,” she said. “As a small family-run business, we don’t have five compliance people tracking all of the different pledges and ensuring that we check all of the boxes.”

Sebree, of the cybersecurity firm Tenable, said that transparency about security lapses is key, telling 成人抖阴 in an email that vendors “have an ethical responsibility” to inform customers in a timely manner so they can make knowledgeable decisions.

“Notifying their customers that a vulnerability had been discovered and fixed, even if no evidence of a breach was found, would have been the most transparent action here,” he said. “Customers deserve to know when their data has been at risk so they can make decisions in the future with all of the information in hand.”

Louisville father Bramel said that he and other parents should also have been notified — either by the district or the company itself — about the extent that information had been exposed to preserve trust.

“When you’ve got to rely on this system to cover your kids and they can’t have open communication, what other issues are going on besides that issue?” Bramel asked. “I’m honestly shocked there aren’t lawsuits and stuff like that happening right now — because this is completely uncalled for.”
