Security researcher maps hundreds of TeslaMate servers spilling Tesla vehicle data

A security researcher has discovered over a thousand publicly exposed hobby servers run by Tesla vehicle owners. These servers are spilling sensitive data about their vehicles, including detailed location histories.

Seyfullah Kiliç, founder of the cybersecurity company SwordSec, stated he found more than 1,300 internet-exposed TeslaMate dashboards. These dashboards were likely made public by mistake, allowing anyone to access the owner’s stored Tesla data without needing a password.

TeslaMate is an open source data logger that enables Tesla owners to self-host and visualize their vehicle’s data from their own computers. This data includes vehicle temperature, battery health, and charging sessions. It also includes more sensitive information, such as vehicle speed and the location data of recent trips.

In a blog post, Kiliç explained that he scanned the internet for public-facing TeslaMate dashboards. He scraped each vehicle’s last-seen location and Tesla model names, then visualized all the vehicles on a map to show their locations. He noted that owners are unintentionally sharing their car’s movements, charging habits, and even vacation times with the entire world.

Kiliç told TechCrunch his goal was to raise awareness about the number of exposed servers. He urged TeslaMate users to properly secure their dashboards, stating the purpose was to show owners and the open source community that without basic authentication or firewall rules, sensitive GPS, charging, and trip data can be leaked.

This is not a new problem. However, Kiliç’s discovery shows the number of exposed TeslaMate dashboards has risen significantly since the last count in 2022. At that time, a security researcher found dozens of public dashboards exposed to the web. Now, more than three years later, another researcher has found and mapped over a thousand self-hosted servers, indicating the problem has grown worse.

TeslaMate’s founder, Adrian Kumpf, told TechCrunch in 2022 that a bug fix was rolled out to protect against public access to customer dashboards. He also warned that the project could not protect users from accidentally exposing their own servers to the internet. Kiliç advises TeslaMate users to enable authentication on their servers to prevent public access, emphasizing that anyone who runs TeslaMate on a public-facing server must secure it.