A security researcher has found over a thousand publicly exposed hobby servers run by Tesla vehicle owners that are leaking sensitive data about their vehicles, including their granular location histories.
Seyfullah Kiliç, founder of cybersecurity company SwordSec, said he found over 1,300 internet-exposed TeslaMate dashboards on the internet, likely made public by mistake, allowing anyone to access the person’s Tesla data stored inside without needing a password.
TeslaMate is an open-source data logger that allows Tesla owners to self-host and visualize their vehicle’s data from their own computers, such as their vehicle’s temperature, battery health, and charging sessions, but also more sensitive data, like vehicle speed and the location data of recent trips.
In a blog post, Kiliç said he scanned the internet for public-facing TeslaMate dashboards and scraped the vehicle’s last-seen location and Tesla model names, and visualized the vehicles on a map to show their locations.
“You’re unintentionally sharing your car’s movements, charging habits, and even vacation times with the whole world,” wrote Kiliç.
Kiliç told TechCrunch that this was to raise awareness of the number of exposed servers, and urged TeslaMate users to secure their dashboards.
“The goal was to show Tesla owners and the open-source community that without basic [authentication] or firewall rules, sensitive data (GPS, charging, trips) can be leaked,” said Kiliç.
While not a new problem, Kiliç shows that the number of exposed TeslaMate dashboards has gone up significantly since the last count back in 2022, when a security researcher at the time found dozens of public TeslaMate dashboards exposed to the web.
Now, more than three years later, another security researcher has found more than a thousand self-hosted TeslaMate servers on the web and mapped them, showing that the problem has seemingly gotten worse.
TeslaMate’s founder Adrian Kumpf told TechCrunch in 2022 that a bug fix was rolled out that aimed to protect against public access to customers’ dashboards, but warned that the project could not protect against users accidentally exposing their TeslaMate servers to the internet.
Kiliç said TeslaMate users should enable authentication on their servers to prevent public access.
“If you plan to run TeslaMate on a public-facing server, you must secure it,” wrote Kiliç.
Zack Whittaker is the security editor at TechCrunch. He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at zack.whittaker@techcrunch.com.