App vulnerability exposed real-time school bus location and other sensitive info to anyone with a free account, cybersecurity co. probe reveals
This story first appeared at The 74, a nonprofit news site covering education.
Louisville father Robert Bramel began to panic. Hours after the first day of elementary school ended in August, his two sons hadn’t yet returned home, and he grew frightened for their safety.
It wasn’t until after 7 p.m. that evening that the boys, 5-year-old William and 8-year-old Joseph, arrived on a school bus unharmed. Their delayed return was the result of what officials at Kentucky’s Jefferson County Public Schools dubbed a “transportation disaster”: A tech-enabled bus routing system implemented to improve efficiency backfired and some kids didn’t make it home until nearly 10 p.m.
“I was wondering, ‘Is my son safe?’ ” Bramel told The 74. “Are they safe? Are they OK? Did anything happen?”
Months later, Bramel is once again upset and concerned that his kids had been left vulnerable. Again, technology is the culprit. After the bus delay fiasco, school officials in Louisville signed up for a GPS tracking system offered by the Montana-based company Education Logistics, commonly known as Edulog. Through an app, the system gives parents real-time information about the location of their children’s school buses.
The service offers parents valuable updates about bus arrivals and departures and tools like it have been embraced by families and heralded by school officials across the country, especially when there are busing snafus. Bramel said he now regularly relies on the Edulog service. Yet in Louisville and at districts nationwide, cybersecurity researchers found, vulnerabilities could have left sensitive data open to exploitation by bad actors.
James Sebree, a senior staff research engineer at Maryland-based cybersecurity company Tenable, said his inquiry into Edulog’s Parent Portal began after a friend voiced security concerns as it was being rolled out at his child’s school. What he found was alarming. Because the Edulog apps lacked sufficient authentication and access controls, anybody could access a large swath of sensitive information about students and families with little more than a free account. Among the exposed records were the real-time location of school buses, pick-up and drop-off times, information about scheduled delays, logs of students who were assigned to specific routes and their parents’ contact information.
“It was startling to see the extent to which we were able to access information by bypassing the client-side restrictions, particularly when that information involved minors,” Sebree said in an email to The 74. Sebree said his firm isn’t aware of any instances where the data was actually exploited by bad actors and that Edulog worked quickly to patch the vulnerabilities once Tenable alerted them to the issues in early September. But while it existed, he said, the bug was relatively easy to exploit.
“GPS data in conjunction with parental contact information, if compromised,” he said, “could lead to scary situations for parents and students.”
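The weakness Sebree describes, authentication without per-object authorization, with the only "restriction" living in the client app, is a textbook broken-access-control pattern. The following is an added, hypothetical example (not Edulog's, Tenable's, or the Parent Portal's code) that models a bus-tracking API on constructed sample data: the insecure handler returns a route's full roster and parent contacts to any signed-in account, including a freshly created free one, while the hardened handler checks server-side that the caller is the parent of a student on that route, returns only that family's data, and records denials so an account probing many routes stands out in logs.

```python
"""Added example: server-side authorization for a bus-tracking API.

Hypothetical code, not Edulog's or Tenable's. All data below is constructed.
"""

# Constructed sample data: one route, two students, three sessions.
ROUTES = {
    "route-12": {"bus_gps": (38.2527, -85.7585), "pickup": "07:20"},
}
STUDENTS = {
    "stu-1": {"route": "route-12", "parent": "parent-a"},
    "stu-2": {"route": "route-12", "parent": "parent-b"},
}
PARENTS = {
    "parent-a": {"phone": "555-0100"},
    "parent-b": {"phone": "555-0101"},
}
# "token-free" is a free account with no student linked to it.
SESSIONS = {"token-a": "parent-a", "token-b": "parent-b", "token-free": "parent-free"}

# Denied requests are kept so operators can alert on accounts that
# enumerate routes they are not linked to (defender-side telemetry).
DENIALS = []


class Forbidden(Exception):
    pass


def authenticate(token):
    """Authentication only: maps a session token to a user id."""
    user = SESSIONS.get(token)
    if user is None:
        raise Forbidden("no valid session")
    return user


def route_roster_insecure(token, route_id):
    """Vulnerable pattern: any authenticated caller gets the whole roster.

    The server trusts that the official app will never request this screen
    for a route the user is not linked to, so the 'restriction' is purely
    client-side and disappears the moment someone calls the API directly.
    """
    authenticate(token)
    roster = [s for s, rec in STUDENTS.items() if rec["route"] == route_id]
    return {
        "bus_gps": ROUTES[route_id]["bus_gps"],
        "students": roster,
        "parent_phones": [PARENTS[STUDENTS[s]["parent"]]["phone"] for s in roster],
    }


def can_view_route(user, route_id):
    """Authorization decision: a user may view a route only if one of
    their own students rides it. Deny by default."""
    return any(
        rec["parent"] == user and rec["route"] == route_id
        for rec in STUDENTS.values()
    )


def route_view_secure(token, route_id):
    """Hardened pattern: per-object authorization enforced on the server,
    and the response is scoped to the caller's own family (least privilege).
    """
    user = authenticate(token)
    if not can_view_route(user, route_id):
        DENIALS.append((user, route_id))
        raise Forbidden("route not linked to caller's student")
    own = [
        s for s, rec in STUDENTS.items()
        if rec["parent"] == user and rec["route"] == route_id
    ]
    return {
        "bus_gps": ROUTES[route_id]["bus_gps"],
        "pickup": ROUTES[route_id]["pickup"],
        "students": own,
    }


if __name__ == "__main__":
    print("insecure, free account:", route_roster_insecure("token-free", "route-12"))
    print("secure, parent-a:", route_view_secure("token-a", "route-12"))
    try:
        route_view_secure("token-free", "route-12")
    except Forbidden as exc:
        print("secure, free account:", exc, DENIALS)
```

The point is where the check lives: hiding a screen in the app is not a control, because the API is reachable without the app. Every handler that returns data about a student, route or parent has to decide, on the server, whether this caller has a relationship to that specific object, and the response should carry nothing about other families. Logging the denials gives the vendor a detection signal that the article's "no evidence of a breach" finding would otherwise have to rest on.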
School districts nationwide have increasingly turned to GPS tracking systems to help keep parents in the loop about arrival and departure times, particularly amid a national school bus driver shortage that’s led to chaos in many places and education leaders having to rethink their transportation logistics.
In Louisville, the school bus woes forced leaders to cancel classes for several days right at the beginning of the new academic year. Last March, Chicago Public Schools approved a $4 million contract with Edulog to address widespread transportation hurdles of its own, including canceled routes and unreliable service. In some instances, the district has called on taxis and paid $500 transportation stipends to parents to get kids to and from school.
As school districts increasingly turn to thousands of third-party education technology vendors to streamline instruction and other parts of their operations, the Edulog vulnerability highlights how such arrangements can introduce new privacy and security risks, especially when for-profit companies collect sensitive information like real-time location data involving students.
Edulog claims more than 6 million students are transported on school buses equipped with its software. Recent customers include the school districts in Wichita, Kansas, Newport News, Virginia, and Greenwich, Connecticut, according to data from GovSpend, which tracks government procurement.
In a Dec. 14 blog post on the Edulog website, the company acknowledged that it had been notified of “a potential vulnerability” and that it had “researched the issue and resolved it in the next build of the product.” Yet the company is not contractually obligated to notify its customer districts or parents that the weakness was uncovered, Lam Nguyen-Bull, Edulog’s chief experience officer and general counsel, told The 74 in an interview. At the same time, she recognized that the student safety risks involved in a potential breach of real-time GPS data are “certainly a concern.”
“That’s something that districts have to weigh, as it is any time you get into a service like this: What are you willing to risk and is it worth the cost?” she said. “You can take as many cautions as possible, but a creative and dedicated person will always be able to find a vulnerability.”
Mark Hebert, the Jefferson County Public Schools spokesperson, said in an email the Louisville district relies on Edulog’s “Lite” version, which offers parents bus location information “but little else.”
Yet for Bramel, news that the bus tracker he found so handy carried privacy risks brought newfound anxiety. Bramel said that he had heard rumors about an Edulog security lapse but hadn’t received formal outreach from the district, leaving him to wonder about the types of information that could have been exposed.
He said school transportation in Louisville remains so erratic that he’s considered moving out of the district boundaries altogether. Allowing anyone access to real-time school bus information, he said, could have been catastrophic.
“That’s infuriating because that puts my child at risk, that’s their life in danger,” he said. “A perpetrator could be meeting up or something like that. Human trafficking is still going on.”
The privacy implications of bus trackers
Edulog’s Nguyen-Bull noted that privacy issues have been present ever since GPS services were first introduced to consumers in the late 1980s. Such implications are perhaps amplified in the context of students and schools, but ultimately, she said, they take a back seat for most people.
“The truth is, we generally are lazy beings, right?” Nguyen-Bull said. “We go for convenience.”
Edulog has been providing school districts with bus routing services since 1977, but Nguyen-Bull said it was consumers who ultimately began to push for real-time GPS tracking about a decade ago.
Numerous companies now offer such services for school buses, including in big urban districts like New York City, which just launched its long-awaited tracker last week, Dallas and Los Angeles. The services, however, haven’t always lived up to the expectations of parents or school bus drivers, with both reporting accuracy concerns. The power of real-time information has also introduced new safety risks, Nguyen-Bull said. If the app says a bus is expected to arrive five minutes late, she said, “personal optimizers” will use that information to delay their trek to the bus stop.
“That creates problems where kids are rushing across streets or they’re not being careful in how they approach the bus,” she said, adding that the issue is compounded in instances when the GPS information is inaccurate. “We’ve become so reliant on our phones that we don’t actually look up and see what the reality is.”
Meanwhile, over the last year the federal government has placed a heightened emphasis on cybersecurity risks introduced to the education sector through third-party technology vendors like Edulog. In September, the federal Cybersecurity and Infrastructure Security Agency called on education technology vendors to sign a voluntary pledge and commit to building products with robust security protections. Companies that sign the pledge agree to “radical transparency” and to “take ownership of customer security outcomes.”
In a December blog post, the federal cybersecurity agency noted that school districts should not be required to “bear the cybersecurity burden alone,” and advocated for shifting many responsibilities to vendors.
“Cybersecurity issues facing K-12 could be much more effectively and cheaply dealt with earlier in the supply chain, by focusing on a relatively smaller number of linchpin companies serving very large numbers of students and educators instead of school district by school district, school by school,” the post noted.
But Nguyen-Bull said her company was uninterested in signing the pledge, calling it meaningless without any clear cybersecurity standards. Yet she also balked at the idea of regulations that would set specific cybersecurity requirements.
“We’re not just going to sign random pledges that ask for slightly different things if we don’t know if we can track those things,” she said. “As a small family-run business, we don’t have five compliance people tracking all of the different pledges and ensuring that we check all of the boxes.”
Sebree, of the cybersecurity firm Tenable, said that transparency about security lapses is key, telling The 74 in an email that vendors “have an ethical responsibility” to inform customers in a timely manner so they can make knowledgeable decisions.
“Notifying their customers that a vulnerability had been discovered and fixed, even if no evidence of a breach was found, would have been the most transparent action here,” he said. “Customers deserve to know when their data has been at risk so they can make decisions in the future with all of the information in hand.”
Louisville father Bramel said that he and other parents should also have been notified — either by the district or the company itself — about the extent that information had been exposed to preserve trust.
“When you’ve got to rely on this system to cover your kids and they can’t have open communication, what other issues are going on besides that issue?” Bramel asked. “I’m honestly shocked there aren’t lawsuits and stuff like that happening right now … because this is completely uncalled for.”