Security researcher maps hundreds of TeslaMate servers leaking Tesla vehicle data

A map of central Europe showing location markers of exposed TeslaMate servers, as well as different-colored clusters of more than one server.

A security researcher has found over a thousand publicly exposed hobbyist servers run by Tesla vehicle owners that are leaking sensitive data about their vehicles, including their granular location history.

Seyfullah Kiliç, founder of cybersecurity company SwordSec, said he found over 1,300 internet-exposed TeslaMate dashboards, probably published by mistake, allowing anyone to access the person’s Tesla data stored inside without needing a password.

TeslaMate is an open source data logger that allows Tesla owners to host and visualize their vehicle’s data on their own computers, such as their vehicle temperature, battery health and charging sessions, but also more sensitive information, such as the vehicle’s speed and the location data for recent trips.

In a blog post, Kiliç said he scanned the internet for publicly exposed TeslaMate dashboards, scraped each vehicle’s last seen location and Tesla model name, and plotted the vehicles on a map to show their locations.

“You accidentally share your car’s movements, charge habits and even holiday times with the whole world,” Kiliç wrote.

Kiliç told TechCrunch that this was to raise awareness of the number of vulnerable servers and called on TeslaMate users to secure their dashboards.

“The goal was to show Tesla owners and Open Source Society that without basic [authentication] or firewall rules, sensitive data (GPS, charging, trips) can be leaked,” Kiliç said.

Although this is not a new problem, Kiliç shows that the number of vulnerable TeslaMate dashboards has risen significantly since the last count back in 2022, when a security researcher found dozens of public TeslaMate dashboards exposed to the internet.

Now, more than three years later, another security researcher has found more than a thousand self-hosted TeslaMate servers online and mapped them, which shows the problem has apparently gotten worse.

TeslaMate’s founder Adrian Kumpf told TechCrunch in 2022 that a fix was rolled out that aimed to protect against public access to customers’ dashboards, but warned that the project could not protect against users accidentally exposing their TeslaMate servers to the internet.

Kiliç said TeslaMate users should enable authentication on their servers to prevent public access.

“If you are planning to run TeslaMate on a publicly facing server, secure it,” Kiliç wrote.