Security Researcher Discovers Numerous Exposed TeslaMate Servers Revealing Sensitive Vehicle Data

In a startling revelation, a security researcher has uncovered a significant number of publicly accessible servers operated by Tesla vehicle enthusiasts, inadvertently leaking sensitive information about their cars, including detailed location histories. This discovery raises serious concerns about data privacy and security among Tesla owners.

Seyfullah Kiliç, the founder of a cybersecurity firm, reported that he identified over 1,300 TeslaMate dashboards reachable from the public internet, most likely through misconfiguration. These dashboards serve personal Tesla data to anyone who finds them, with no password or other authentication in front of them, which is a serious risk to user privacy.

TeslaMate is an open-source data logging tool that Tesla owners self-host on hardware they control to record and visualize their vehicle data. It captures metrics such as battery health, temperature, and charging sessions, alongside more sensitive details such as vehicle speed and the location data of recent trips.

In a detailed blog post, Kiliç explained how he scanned the internet for publicly accessible TeslaMate dashboards, extracting information about the last known locations and model names of the vehicles. He then visualized this data on a map, effectively showcasing the geographical spread of these exposed vehicles.

“By doing this, you are unintentionally broadcasting your car’s movements, charging patterns, and even your travel schedules to the public,” Kiliç emphasized.

In an interview, Kiliç expressed his intention to raise awareness about the prevalence of these exposed servers and urged TeslaMate users to take necessary precautions to secure their dashboards.

“The aim was to inform Tesla owners and the open-source community that without basic authentication measures or firewall configurations, sensitive data such as GPS coordinates, charging habits, and trip details can be easily compromised,” Kiliç stated.

While this issue is not new, Kiliç's findings indicate a troubling increase in the number of exposed TeslaMate dashboards since a previous investigation in 2022, which found dozens of similarly exposed instances.

Now, more than three years later, the situation appears to have worsened: Kiliç, a different researcher from the one behind the 2022 investigation, has identified over a thousand self-hosted TeslaMate servers that are publicly accessible.

The founder of TeslaMate, Adrian Kumpf, said in 2022 that a fix had been shipped to better protect user dashboards against unauthorized public access. He cautioned, however, that the project cannot prevent users from exposing their own TeslaMate servers to the internet.

Kiliç strongly advises TeslaMate users to enable authentication on their servers, rather than relying on the dashboards staying unnoticed, to mitigate the risk of public access.

“If you intend to operate TeslaMate on a server that is accessible to the public, securing it is imperative,” Kiliç concluded.
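The two measures Kiliç names above, basic authentication and firewall configuration, translate into a small amount of configuration for a Docker-based TeslaMate install. The script below is an added example written for this article; it is not TeslaMate's own code or Kiliç's, and it assumes the service names `teslamate`, `grafana` and `proxy`, the published ports TeslaMate's documented docker-compose uses (4000 for the TeslaMate UI, 3000 for Grafana), an nginx image for the reverse proxy, and hypothetical hostname and certificate paths. It writes a hardened `docker-compose.yml` that binds both services to loopback only, writes an nginx reverse-proxy config that enforces HTTP basic auth over TLS in front of them, and includes a check that reports any compose port mapping still published on every interface. The check matters because a bare `- "4000:4000"` mapping is published on 0.0.0.0, and Docker programs iptables itself, so such a port stays reachable from the internet even when a host firewall such as ufw appears to deny it.

```shell
#!/bin/sh
# Added example, not TeslaMate project code. Hardens a self-hosted TeslaMate
# stack: the TeslaMate UI (4000) and Grafana (3000) are bound to loopback, and
# an nginx reverse proxy with HTTP basic auth is the only thing published.
# Service names, images, hostname, certificate paths and file names are assumed.
set -eu

# Hardened compose. The weak form, "4000:4000", publishes on 0.0.0.0 and is
# reachable from the internet regardless of ufw/firewalld rules, because Docker
# inserts its own iptables rules for published ports.
write_hardened_compose() {   # usage: write_hardened_compose <path>
  cat > "$1" <<'EOF'
services:
  teslamate:
    image: teslamate/teslamate:latest
    ports:
      - "127.0.0.1:4000:4000"   # weak setting was: - "4000:4000"
  grafana:
    image: teslamate/grafana:latest
    environment:
      - GF_SERVER_ROOT_URL=https://teslamate.example.com/grafana/   # assumed hostname
      - GF_SERVER_SERVE_FROM_SUB_PATH=true
    ports:
      - "127.0.0.1:3000:3000"   # weak setting was: - "3000:3000"
  proxy:
    image: nginx:stable
    network_mode: host           # lets nginx reach the loopback-bound ports
    volumes:
      - ./teslamate.conf:/etc/nginx/conf.d/default.conf:ro
      - ./htpasswd:/etc/nginx/htpasswd:ro
EOF
}

# nginx in front of both services: TLS plus basic auth for every request.
# The Upgrade/Connection headers are needed because the TeslaMate UI uses websockets.
write_nginx_conf() {         # usage: write_nginx_conf <path>
  cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name teslamate.example.com;                 # assumed hostname
    ssl_certificate     /etc/nginx/certs/fullchain.pem; # assumed paths
    ssl_certificate_key /etc/nginx/certs/privkey.pem;

    auth_basic           "TeslaMate";
    auth_basic_user_file /etc/nginx/htpasswd;

    location / {                                       # TeslaMate UI
        proxy_pass http://127.0.0.1:4000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /grafana/ {                               # Grafana, served from a sub-path
        proxy_pass http://127.0.0.1:3000/;
        proxy_set_header Host $host;
    }
}
EOF
}

# Credential file for auth_basic; apr1 is the htpasswd-compatible scheme.
# Assumes the openssl CLI is installed.
make_htpasswd() {            # usage: make_htpasswd <file> <user> <password>
  printf '%s:%s\n' "$2" "$(openssl passwd -apr1 "$3")" > "$1"
}

# The check: list every compose port mapping that is not bound to 127.0.0.1 or
# [::1]. Prints the offending lines (with line numbers) and returns 1 if any
# exist, 0 if every published port is loopback-only.
check_published_ports() {    # usage: check_published_ports <compose-file>
  grep -nE '^[[:space:]]*-[[:space:]]*"?[0-9]' "$1" \
    | grep -vE '(127\.0\.0\.1|\[::1\]):[0-9]' \
    || return 0
  return 1
}

# Stand-alone run: write the hardened files into a scratch directory and verify
# that nothing in them is still published on a public interface.
workdir=$(mktemp -d)
write_hardened_compose "$workdir/docker-compose.yml"
write_nginx_conf "$workdir/teslamate.conf"
if check_published_ports "$workdir/docker-compose.yml"; then
  echo "ok: every published port in $workdir/docker-compose.yml is loopback-bound"
else
  echo "WARNING: the mappings above are reachable from every interface"
fi
```

Run `check_published_ports docker-compose.yml` against an existing install before anything else: if it lists a mapping, that port is on the internet today. Then create the credential file with `make_htpasswd ./htpasswd <user> <password>`, drop the two config files next to it, and confirm from outside the host that ports 3000 and 4000 no longer answer while 443 prompts for credentials.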
