Security researcher Seyfullah Kiliç has discovered over 1,300 publicly accessible TeslaMate servers that expose sensitive data about Tesla vehicles and their owners, a significant security risk.
TeslaMate is an open-source data logger that allows Tesla owners to self-host and visualize their vehicle’s data, including temperature, battery health, charging sessions, vehicle speed, and location data. Kiliç’s research involved scanning the internet for publicly exposed TeslaMate dashboards and scraping vehicle data, such as the last-seen location and Tesla model, which he then visualized on a map. This data is typically stored on user-controlled servers, but in these cases the servers were likely made public unintentionally, allowing anyone to access the stored Tesla data without a password.
“You’re unintentionally sharing your car’s movements, charging habits, and even vacation times with the entire world,” Kiliç stated in a blog post, highlighting the privacy risks associated with the exposed data. The exposed information could be used to track the vehicle’s movements, identify the owner’s habits, and even compromise their personal safety.
Kiliç aims to raise awareness of the number of exposed servers and encourage TeslaMate users to secure their dashboards. “The goal was to show Tesla owners and the open source community that without basic [authentication] or firewall rules, sensitive data (GPS, charging, trips) can be leaked,” he explained. By making the public aware of this issue, Kiliç hopes to prompt users to take necessary precautions to protect their data.
The issue of exposed TeslaMate dashboards is not new. In 2022, a security researcher found dozens of such dashboards. However, Kiliç’s recent findings indicate a significant increase in the number of exposed servers over the past three years. This trend suggests that despite previous warnings, many TeslaMate users remain unaware of the risks associated with leaving their servers unsecured.
In 2022, TeslaMate’s founder, Adrian Kumpf, addressed the issue, stating that a bug fix was implemented to prevent public access to customer dashboards. He also cautioned that the project could not prevent users from accidentally exposing their servers to the internet. Kiliç advises TeslaMate users to enable authentication on their servers to prevent unauthorized access. “If you plan to run TeslaMate on a public-facing server, you must secure it,” Kiliç emphasized, stressing the importance of taking proactive measures to protect sensitive data.




