Security researcher Seyfullah Kiliç has discovered over 1,300 publicly accessible TeslaMate servers, exposing sensitive data about Tesla vehicles and their owners. Kiliç, founder of cybersecurity company SwordSec, revealed that these servers, likely made public unintentionally, allow anyone to access stored Tesla data without requiring a password.
TeslaMate is an open-source data logger that enables Tesla owners to self-host and visualize their vehicle’s data, including temperature, battery health, charging sessions, vehicle speed, and location data. Kiliç’s research involved scanning the internet for publicly exposed TeslaMate dashboards and scraping vehicle data, such as the last-seen location and Tesla model, which he then visualized on a map.
“You’re unintentionally sharing your car’s movements, charging habits, and even vacation times with the entire world,” Kiliç stated in a blog post, highlighting the potential privacy risks.
Kiliç aims to raise awareness of the number of exposed servers and encourage TeslaMate users to secure their dashboards. “The goal was to show Tesla owners and the open source community that without basic [authentication] or firewall rules, sensitive data (GPS, charging, trips) can be leaked,” he explained.
The issue of exposed TeslaMate dashboards is not new. In 2022, a security researcher found dozens of such dashboards. However, Kiliç’s recent findings indicate a significant increase in the number of exposed servers over the past three years.
In 2022, TeslaMate’s founder, Adrian Kumpf, addressed the issue, stating that a bug fix was implemented to prevent public access to customer dashboards. He also cautioned that the project could not prevent users from accidentally exposing their servers to the internet. Kiliç advises TeslaMate users to enable authentication on their servers to prevent unauthorized access. “If you plan to run TeslaMate on a public-facing server, you must secure it,” Kiliç emphasized.
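The hardening Kiliç recommends, as an added configuration example that is not from the article or from the TeslaMate project: a Docker Compose fragment showing the port mapping that publishes the dashboards to every interface beside a loopback-only binding fronted by a Traefik reverse proxy with HTTP basic authentication. Service names, image tags, host names and the Grafana settings are assumptions; the Traefik labels and `GF_*` variables follow those tools' documented syntax.

```yaml
# Added illustration, not TeslaMate's own compose file. Names, tags and
# host names are assumed; replace the placeholders before use.
services:
  teslamate:
    image: teslamate/teslamate:latest
    # WEAK: "4000:4000" publishes the TeslaMate web UI (no built-in login)
    # on every host interface; on an internet-facing box this is the
    # exposure the article describes.
    # ports:
    #   - "4000:4000"
    #
    # HARDENED: loopback only, so the UI is reachable solely through the
    # authenticated proxy below (or an SSH tunnel), never directly.
    ports:
      - "127.0.0.1:4000:4000"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teslamate.rule=Host(`teslamate.example.test`)"
      - "traefik.http.routers.teslamate.entrypoints=websecure"
      - "traefik.http.routers.teslamate.tls=true"
      - "traefik.http.services.teslamate.loadbalancer.server.port=4000"
      # Basic-auth middleware; value is an htpasswd line. '$' is doubled
      # because Compose treats a single '$' as variable interpolation.
      - "traefik.http.middlewares.tm-auth.basicauth.users=owner:$$apr1$$REPLACE_WITH_HTPASSWD_HASH"
      - "traefik.http.routers.teslamate.middlewares=tm-auth"

  grafana:
    image: teslamate/grafana:latest
    ports:
      - "127.0.0.1:3000:3000"   # same rule: loopback only, proxy in front
    environment:
      # No anonymous viewing, and the stock admin password changed.
      - GF_AUTH_ANONYMOUS_ENABLED=false
      - GF_SECURITY_ADMIN_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`grafana.example.test`)"
      - "traefik.http.routers.grafana.entrypoints=websecure"
      - "traefik.http.routers.grafana.tls=true"
      - "traefik.http.services.grafana.loadbalancer.server.port=3000"

  traefik:
    image: traefik:v3.0
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
    ports:
      - "443:443"   # the proxy is the only service published to the internet
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
```

Certificate provisioning for the `websecure` entrypoint is omitted here; a host firewall that allows only 443 inbound completes the "firewall rules" half of the advice quoted above.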