Wandering the interwebs

Summary

Recently I discovered an improperly secured ElasticSearch server, Kibana server, and InfluxDB administrative page that was associated with a significant amount of data. After investigating the type of content contained on this server it became apparent this was data related to a number of bus and rail agencies within India. The server in question was tracking roughly 11k unique buses (or trains) across India. Follow assistance from India's CERT team the server was properly secured roughly 21 days after it was discovered. I would like to thank India's CERT team for their assistance in securing this server.

Incident Timeline:

DateEvent
November 30, 2018Open ElasticSearch server, Kibana web interface, and InfluxDB admin page discovered.
December 5, 2018I observed the Kibana web interface had been moved behind authentication, but the ElasticSearch server remained publicly accessible.
December 5, 2018Email sent to India's CERT team to report that the ElasticSearch server and InfluxDB admin page remained exposed.
December 5, 2018Reply received from CERT team acknowledging the report, but they did not provide a reference number.
December 7, 2018Issue appeared to be resolved -- the server appeared to be secured. I indicated that I'd like to write about this report. No reply was received.
December 16, 2018I observed the ElasticSearch server, Kibana web interface, and InfluxDB admin page were again publicly accessible.
December 16, 2018Follow up email sent to India's CERT team to report that the server was no longer secured.
December 21, 2018Asked a contact for assistance with resolving this issue.
December 22, 2018CERT team confirmed the server (ElasticSearch, Kibana, and InfluxDB) had been secured.

What was found:

A server running ElasticSearch, Kibana, and InfluxDB, and other services was discovered. This server was improperly secured, and authentication was not enabled for these 3 services. As such, a great deal of information was readily available to anyone who connected to the server in question on the correct port number.

The open ElasticSearch server:

Multiple indices were publicly accessible. These indices correspond to what are effectively different data sets. The count of documents per index varied significantly -- ranging from 0 documents to 424 million documents.

The "gps_" indices contained real time GPS information for a variety of agencies (more on that below). This appeared to be the near real time location of various buses (or trains) throughout India.

This GPS information could then be easily mapped to show the location of the roughly 11k unique buses being tracked by this ElasticSearch server (red dots equal more data points):

The breakdown of these GPS data points by agency shows the following pattern over a 24 hour period of time:

The highest volume of GPS data points (by a lot) comes from Joint Council of Bus Syndicate (JCBS), which is one of the largest public transport bus unions of West Bengal.

The "dispatch_" indices contained what appeared to be information regarding riders of buses (or trains in the case of KMRL) using those various agencies.

Who are these agencies?

AcronymAgencyInterested info
ACTSLAllahabad City Transport Services Limited-- http://uputd.gov.in/allahabadctsl
AICTSLAtal Indore City Transport Services Limited-- http://citybusindore.com/

-- http://aictslportal.infinium.management/ListofRoutes/ViewRoutes
AMCTSLAgra-Mathura City Transport Services Limited-- http://amctsl.org

-- http://uputd.gov.in/agractsl
BCLLBhopal City Link Limited-- http://mybusbhopal.in/
BMTCBangalore Metropolitan Transport Corporation-- http://www.mybmtc.com/
BSRTCBihar State Road Transport Corporation-- http://bsrtc.org.in/
C-TYPECould not locate anything conclusive
CSTCCalcutta State Transport Corporation-- https://en.wikipedia.org/wiki/Calcutta_State_Transport_Corporation
CTUChandigarh Transport Undertaking-- http://chdctu.gov.in/
DTCDelhi Transport Corporation-- https://en.wikipedia.org/wiki/Delhi_Transport_Corporation
HOHOHop On Hop Off Sightseeing Bus Service, Govt. of Delhi-- http://hohodelhi.com/
IBUSIndore Bus Rapid Transit System-- https://en.wikipedia.org/wiki/Indore_Bus_Rapid_Transit_System
JCBSJoint Council of Bus Syndicate
JCTSLJaipur City Transport Services Limited-- https://en.wikipedia.org/wiki/Jaipur_City_Transport_Services_Limited
KCTSLKanpur City Transport Services Limited-- https://en.wikipedia.org/wiki/Kanpur_City_Transport_Services_Limited

-- http://uputd.gov.in/kanpurctsl
KMRLKochi Metro Rail Limited-- http://www.kochimetro.org/
KPCould not locate anything conclusive
LCTSLLucknow City Transport Services Limited-- http://lctsl.org/
LNTLukshmi Narayan Travels
MCTSLMeerut City Transport Services Limited-- http://mctsl.org/FareRules.aspx
MINIBUSCould not locate anything conclusive
NMPLNagpur Mahanagar Parivahan Limited-- https://en.wikipedia.org/wiki/Nagpur_Mahanagar_Parivahan_Limited
TMTThane Municipal Transport-- https://en.wikipedia.org/wiki/Thane_Municipal_Transport

-- https://thanecity.gov.in/department_details.php?id=34
UCTSLUjjain City Transport Services Limited
UPSRTCUttar Pradesh State Road Transport Corporation-- http://www.upsrtc.com/

-- "UPSRTC carries over 523 million passengers annually"
VVMTVasai Virar Municipal Transport-- https://en.wikipedia.org/wiki/Vasai-Virar_City_Municipal_Corporation

-- http://vvcmc.in/vvmc/?page_id=523&lang=en

In some cases the username value used by the agency appeared to be the rider's full name:

For some other agencies it appears the username seemed to be user-configured value, but in those cases the user's email address was also exposed:

Baseds on the userId or the email address value it would be possible to get a reasonable idea of where an individual rider had traveled, and when:

You’ve successfully subscribed to
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.