Thousands Of Tesla EVs Can Be Located In Real Time, Security Researcher Finds

  • A security researcher discovered over 1,300 publicly accessible TeslaMate dashboards.
  • The unsecured dashboards can disclose the location of Tesla vehicles.
  • Without even a simple username and password protection layer, the researcher could alter the app’s settings remotely.

Over 1,300 publicly accessible TeslaMate dashboards were discovered by Seyfullah Kiliç, founder of cybersecurity company SwordSec, who scanned the internet with simple tools to find instances that were not secured, either with a password or behind a firewall or a virtual private network (VPN).

TeslaMate is an open-source data logger and visualizer for Tesla electric vehicles, which allows owners to run a server and keep tabs on charging sessions, temperatures, battery health, driving speed, location history and much more. It’s great for enthusiasts because it’s free, but there’s a potential for information leaks if the server is hosted on the internet without any protection.

A map of Tesla vehicles linked to unsecured TeslaMate dashboards in North America.

Photo by: SwordSec

As reported by TechCrunch, Kiliç wrote in a blog post that he was able to access everything on the discovered TeslaMate instances, including the location of the vehicles, which allowed him to build a map of cars that are running potentially compromised TeslaMate installations. And because the servers were not protected in any way, he could also change settings for data collection, just like the owner would.

“For everyday Tesla owners deploying TeslaMate, this is dangerous,” the researcher wrote. “You’re unintentionally sharing your car’s movements, charging habits, and even vacation times with the entire world.”

So, what can be done to limit this sort of leak? The TeslaMate server must be secured, according to Seyfullah Kiliç, either by enabling basic username and password authentication, limiting access to trusted IP addresses, or binding the service to the local host and exposing it only through a VPN.
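As an added illustration of the "bind to the local host" advice (this is not code from the researcher, TechCrunch or the TeslaMate project), the Python check below classifies Docker short-syntax port mappings by the address they publish on. It assumes the services run under Docker Compose; the service names, ports and addresses in the sample are constructed for the example.

```python
import ipaddress

def classify_port_mapping(mapping: str) -> str:
    """Classify a Docker short-syntax mapping: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/proto].

    Returns "loopback", "all-interfaces" or "specific-address".
    """
    spec = mapping.strip().split("/")[0]           # drop a trailing /tcp or /udp
    if spec.startswith("["):                       # bracketed IPv6 host address
        host, _, rest = spec[1:].partition("]")
        parts = [host] + rest.lstrip(":").split(":")
    else:
        parts = spec.split(":")
    if len(parts) < 3 or not parts[0]:
        # No host address given: by default Docker publishes on every interface.
        return "all-interfaces"
    address = ipaddress.ip_address(parts[0])
    if address.is_loopback:
        return "loopback"
    if address.is_unspecified:                     # 0.0.0.0 or ::
        return "all-interfaces"
    return "specific-address"

def find_exposed(services: dict) -> list:
    """Return (service, mapping) pairs that are published on all interfaces."""
    return [(name, m) for name, ports in services.items()
            for m in ports if classify_port_mapping(m) == "all-interfaces"]

# Constructed sample: hypothetical service names and ports, not a real deployment.
SAMPLE_SERVICES = {
    "dashboard": ["4000:4000"],                # no host IP: every interface
    "graphs": ["127.0.0.1:3000:3000/tcp"],     # loopback only
    "broker": ["0.0.0.0:1883:1883"],           # explicitly every interface
    "vpn-only": ["10.8.0.1:8080:8080"],        # one address, e.g. a VPN interface
    "v6-local": ["[::1]:9000:9000"],           # IPv6 loopback
}

if __name__ == "__main__":
    for name, mapping in find_exposed(SAMPLE_SERVICES):
        print(f"{name}: {mapping} is published on every interface; "
              "bind it to 127.0.0.1 or a VPN address instead")
```

A mapping reported as "specific-address" still needs a manual look to confirm that the address belongs to a VPN or other trusted interface rather than a public one.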

“If you’re a Tesla owner using TeslaMate, do yourself a favor: secure it today,” Kiliç said. “If you’re a developer building similar projects, take note: authentication and access control aren’t optional–they’re essential.”

The researcher told TechCrunch that he made his findings public to raise awareness of the number of exposed servers, adding that while this is not a new problem, the number of exposed TeslaMate dashboards has increased significantly since 2022. Back then, another security researcher found dozens of publicly available TeslaMate dashboards. Now, that number has shot up to over a thousand.
