An improperly secured ElasticSearch server leaked data from 11k unique buses associated with 27 Indian government agencies.
Recently I discovered an improperly secured ElasticSearch server, Kibana server, and InfluxDB administrative page that was associated with a significant amount of data. After investigating the type of content contained on this server it became apparent this was data related to a number of bus and rail agencies within India. The server in question was tracking roughly 11k unique buses (or trains) across India. Follow assistance from India's CERT team the server was properly secured roughly 21 days after it was discovered. I would like to thank India's CERT team for their assistance in securing this server.
|November 30, 2018||Open ElasticSearch server, Kibana web interface, and InfluxDB admin page discovered.|
|December 5, 2018||I observed the Kibana web interface had been moved behind authentication, but the ElasticSearch server remained publicly accessible.|
|December 5, 2018||Email sent to India's CERT team to report that the ElasticSearch server and InfluxDB admin page remained exposed.|
|December 5, 2018||Reply received from CERT team acknowledging the report, but they did not provide a reference number.|
|December 7, 2018||Issue appeared to be resolved -- the server appeared to be secured. I indicated that I'd like to write about this report. No reply was received.|
|December 16, 2018||I observed the ElasticSearch server, Kibana web interface, and InfluxDB admin page were again publicly accessible.|
|December 16, 2018||Follow up email sent to India's CERT team to report that the server was no longer secured.|
|December 21, 2018||Asked a contact for assistance with resolving this issue.|
|December 22, 2018||CERT team confirmed the server (ElasticSearch, Kibana, and InfluxDB) had been secured.|
What was found:
A server running ElasticSearch, Kibana, and InfluxDB, and other services was discovered. This server was improperly secured, and authentication was not enabled for these 3 services. As such, a great deal of information was readily available to anyone who connected to the server in question on the correct port number.
The open ElasticSearch server:
Multiple indices were publicly accessible. These indices correspond to what are effectively different data sets. The count of documents per index varied significantly -- ranging from 0 documents to 424 million documents.
The "gps_" indices contained real time GPS information for a variety of agencies (more on that below). This appeared to be the near real time location of various buses (or trains) throughout India.
This GPS information could then be easily mapped to show the location of the roughly 11k unique buses being tracked by this ElasticSearch server (red dots equal more data points):
The breakdown of these GPS data points by agency shows the following pattern over a 24 hour period of time:
The highest volume of GPS data points (by a lot) comes from Joint Council of Bus Syndicate (JCBS), which is one of the largest public transport bus unions of West Bengal.
The "dispatch_" indices contained what appeared to be information regarding riders of buses (or trains in the case of KMRL) using those various agencies.
Who are these agencies?
|ACTSL||Allahabad City Transport Services Limited||-- http://uputd.gov.in/allahabadctsl|
|AICTSL||Atal Indore City Transport Services Limited||-- http://citybusindore.com/
|AMCTSL||Agra-Mathura City Transport Services Limited||-- http://amctsl.org
|BCLL||Bhopal City Link Limited||-- http://mybusbhopal.in/|
|BMTC||Bangalore Metropolitan Transport Corporation||-- http://www.mybmtc.com/|
|BSRTC||Bihar State Road Transport Corporation||-- http://bsrtc.org.in/|
|C-TYPE||Could not locate anything conclusive|
|CSTC||Calcutta State Transport Corporation||-- https://en.wikipedia.org/wiki/Calcutta_State_Transport_Corporation|
|CTU||Chandigarh Transport Undertaking||-- http://chdctu.gov.in/|
|DTC||Delhi Transport Corporation||-- https://en.wikipedia.org/wiki/Delhi_Transport_Corporation|
|HOHO||Hop On Hop Off Sightseeing Bus Service, Govt. of Delhi||-- http://hohodelhi.com/|
|IBUS||Indore Bus Rapid Transit System||-- https://en.wikipedia.org/wiki/Indore_Bus_Rapid_Transit_System|
|JCBS||Joint Council of Bus Syndicate|
|JCTSL||Jaipur City Transport Services Limited||-- https://en.wikipedia.org/wiki/Jaipur_City_Transport_Services_Limited|
|KCTSL||Kanpur City Transport Services Limited||-- https://en.wikipedia.org/wiki/Kanpur_City_Transport_Services_Limited
|KMRL||Kochi Metro Rail Limited||-- http://www.kochimetro.org/|
|KP||Could not locate anything conclusive|
|LCTSL||Lucknow City Transport Services Limited||-- http://lctsl.org/|
|LNT||Lukshmi Narayan Travels|
|MCTSL||Meerut City Transport Services Limited||-- http://mctsl.org/FareRules.aspx|
|MINIBUS||Could not locate anything conclusive|
|NMPL||Nagpur Mahanagar Parivahan Limited||-- https://en.wikipedia.org/wiki/Nagpur_Mahanagar_Parivahan_Limited|
|TMT||Thane Municipal Transport||-- https://en.wikipedia.org/wiki/Thane_Municipal_Transport
|UCTSL||Ujjain City Transport Services Limited|
|UPSRTC||Uttar Pradesh State Road Transport Corporation||-- http://www.upsrtc.com/
-- "UPSRTC carries over 523 million passengers annually"
|VVMT||Vasai Virar Municipal Transport||-- https://en.wikipedia.org/wiki/Vasai-Virar_City_Municipal_Corporation
In some cases the username value used by the agency appeared to be the rider's full name:
For some other agencies it appears the username seemed to be user-configured value, but in those cases the user's email address was also exposed:
Baseds on the userId or the email address value it would be possible to get a reasonable idea of where an individual rider had traveled, and when: