Real-time location information leaked by 27 Indian government agencies

leak Jan 7, 2019


Recently I discovered an improperly secured ElasticSearch server, Kibana server, and InfluxDB administrative page that was associated with a significant amount of data. After investigating the type of content contained on this server it became apparent this was data related to a number of bus and rail agencies within India. The server in question was tracking roughly 11k unique buses (or trains) across India. Follow assistance from India's CERT team the server was properly secured roughly 21 days after it was discovered. I would like to thank India's CERT team for their assistance in securing this server.

Incident Timeline:

Date Event
November 30, 2018 Open ElasticSearch server, Kibana web interface, and InfluxDB admin page discovered.
December 5, 2018 I observed the Kibana web interface had been moved behind authentication, but the ElasticSearch server remained publicly accessible.
December 5, 2018 Email sent to India's CERT team to report that the ElasticSearch server and InfluxDB admin page remained exposed.
December 5, 2018 Reply received from CERT team acknowledging the report, but they did not provide a reference number.
December 7, 2018 Issue appeared to be resolved -- the server appeared to be secured. I indicated that I'd like to write about this report. No reply was received.
December 16, 2018 I observed the ElasticSearch server, Kibana web interface, and InfluxDB admin page were again publicly accessible.
December 16, 2018 Follow up email sent to India's CERT team to report that the server was no longer secured.
December 21, 2018 Asked a contact for assistance with resolving this issue.
December 22, 2018 CERT team confirmed the server (ElasticSearch, Kibana, and InfluxDB) had been secured.

What was found:

A server running ElasticSearch, Kibana, and InfluxDB, and other services was discovered. This server was improperly secured, and authentication was not enabled for these 3 services. As such, a great deal of information was readily available to anyone who connected to the server in question on the correct port number.

The open ElasticSearch server:

open ElasticSearch

Multiple indices were publicly accessible. These indices correspond to what are effectively different data sets. The count of documents per index varied significantly -- ranging from 0 documents to 424 million documents.


The "gps_" indices contained real time GPS information for a variety of agencies (more on that below). This appeared to be the near real time location of various buses (or trains) throughout India.

Example bus GPS data

This GPS information could then be easily mapped to show the location of the roughly 11k unique buses being tracked by this ElasticSearch server (red dots equal more data points):

Map bus GPS data for 24 hours

The breakdown of these GPS data points by agency shows the following pattern over a 24 hour period of time:

GPS data by agency for 24 hours

The highest volume of GPS data points (by a lot) comes from Joint Council of Bus Syndicate (JCBS), which is one of the largest public transport bus unions of West Bengal.

The "dispatch_" indices contained what appeared to be information regarding riders of buses (or trains in the case of KMRL) using those various agencies.

Who are these agencies?

Acronym Agency Interested info
ACTSL Allahabad City Transport Services Limited --
AICTSL Atal Indore City Transport Services Limited --

AMCTSL Agra-Mathura City Transport Services Limited --

BCLL Bhopal City Link Limited --
BMTC Bangalore Metropolitan Transport Corporation --
BSRTC Bihar State Road Transport Corporation --
C-TYPE Could not locate anything conclusive
CSTC Calcutta State Transport Corporation --
CTU Chandigarh Transport Undertaking --
DTC Delhi Transport Corporation --
HOHO Hop On Hop Off Sightseeing Bus Service, Govt. of Delhi --
IBUS Indore Bus Rapid Transit System --
JCBS Joint Council of Bus Syndicate
JCTSL Jaipur City Transport Services Limited --
KCTSL Kanpur City Transport Services Limited --

KMRL Kochi Metro Rail Limited --
KP Could not locate anything conclusive
LCTSL Lucknow City Transport Services Limited --
LNT Lukshmi Narayan Travels
MCTSL Meerut City Transport Services Limited --
MINIBUS Could not locate anything conclusive
NMPL Nagpur Mahanagar Parivahan Limited --
TMT Thane Municipal Transport --

UCTSL Ujjain City Transport Services Limited
UPSRTC Uttar Pradesh State Road Transport Corporation --

-- "UPSRTC carries over 523 million passengers annually"
VVMT Vasai Virar Municipal Transport --


In some cases the username value used by the agency appeared to be the rider's full name:

aictsl - username is a name

For some other agencies it appears the username seemed to be user-configured value, but in those cases the user's email address was also exposed:


Baseds on the userId or the email address value it would be possible to get a reasonable idea of where an individual rider had traveled, and when:



I find data leaks, and then write about them here.