Security researcher maps hundreds of TeslaMate servers spilling Tesla vehicle data

A security researcher has found over a thousand publicly exposed hobby servers run by Tesla vehicle owners that are spilling sensitive data about their vehicles, including their granular location histories.


Seyfullah Kiliç, founder of cybersecurity company SwordSec, said he found over 1,300 internet-exposed TeslaMate dashboards, likely made public by mistake, allowing anyone to access the owner’s Tesla data stored inside without needing a password.

TeslaMate is an open-source data logger that lets Tesla owners self-host and visualize their vehicle’s data on their own computers, such as the vehicle’s temperature, battery health, and charging sessions, but also more sensitive information, like vehicle speed and the location data of recent trips.

In a blog post, Kiliç said he scanned the internet for public-facing TeslaMate dashboards, scraped each vehicle’s last-seen location and Tesla model name, and plotted the vehicles on a map to show their locations.

“You’re unintentionally sharing your car’s movements, charging habits, and even vacation times with the entire world,” wrote Kiliç.

Kiliç told TechCrunch that this was to raise awareness of the number of exposed servers, and urged TeslaMate users to secure their dashboards.

“The goal was to show Tesla owners and the open-source community that without basic [authentication] or firewall rules, sensitive data (GPS, charging, trips) can be leaked,” said Kiliç.

This is not a new problem, but Kiliç’s findings show that the number of exposed TeslaMate dashboards has risen significantly since the last count in 2022, when a security researcher found dozens of public TeslaMate dashboards exposed to the web.

Now, more than three years later, another security researcher has found more than a thousand self-hosted TeslaMate servers on the web and mapped them, showing that the problem has seemingly gotten worse.

TeslaMate’s founder, Adrian Kumpf, told TechCrunch in 2022 that a bug fix had been rolled out to protect against public access to customers’ dashboards, but warned that the project could not protect against users accidentally exposing their TeslaMate servers to the internet.

Kiliç said TeslaMate users should enable authentication on their servers to prevent public access.

“If you plan to run TeslaMate on a public-facing server, you must secure it,” wrote Kiliç.
