FASTag is a toll collection system in India based on Radio Frequency Identification (RFID) technology. FASTag directly makes payments from the bank account to the toll plaza without stopping for transactions.
Cyble Research Labs found a publicly exposed website containing plain text data of an unidentified toll plaza. The exposed website has information related to transactions, vehicle registration, vehicle type, tag ID, digital signature, etc., used for transactions.
Figure 1 shows the website containing the configuration data of the website.
The folder XmlFiles contains data related to the various transections starting from 27 August 2021 till 27 December 2021, as shown in Figure 2.
We found that the folder contains XML files containing data related to FASTag transactions during our analysis.
The following information is present in the XML files:
- Plaza ID
- Vehicle Tag ID
- Vehicle Class
- Vehicle Registration Number
- Digital Signature Information
The XML file containing further details is shown in Figure 3.
Conclusion
This data exposure poses third-party risks. Though the risk level is relatively low, attackers could potentially leverage the exposed data to carry out social engineering attacks.
Our Recommendations
Following essential cybersecurity best practices creates the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Regularly monitor your public-facing network assets.
- External APIs should implement authentication measures to keep critical data confidential.
- Regularly perform audits and Vulnerability Assessment and Penetration Testing (VAPT) of organizational assets, including network and software.
- Implement strict Identity and Access Management (IAM) policy.
