Over 1,300 publicly exposed TeslaMate dashboards, run by Tesla owners, have been identified by a security researcher, revealing sensitive vehicle data. Seyfullah Kiliç, founder of SwordSec, discovered these dashboards, accessible without a password, likely due to misconfiguration.
TeslaMate, an open-source data logger, enables Tesla owners to host and visualize their vehicle’s data. This includes temperature, battery health, charging sessions, vehicle speed, and location data from recent trips. Users self-host this data on their own computers.
Kiliç detailed his findings in a blog post, explaining that he scanned the internet for publicly accessible TeslaMate dashboards. He then scraped the vehicle’s last-seen location and Tesla model names, visualizing the data on a map to illustrate the exposure. Kiliç stated, “You’re unintentionally sharing your car’s movements, charging habits, and even vacation times with the entire world.”
Speaking with TechCrunch, Kiliç emphasized that his aim was to raise awareness among Tesla owners and the open-source community regarding the number of exposed servers. He urged users to secure their dashboards. Kiliç stated, “The goal was to show Tesla owners and the open source community that without basic [authentication] or firewall rules, sensitive data (GPS, charging, trips) can be leaked.”
While the issue of exposed TeslaMate dashboards is not new, Kiliç’s research indicates a significant increase in the number of exposed servers since 2022. At that time, another security researcher found dozens of public TeslaMate dashboards. The current count of over a thousand suggests the problem has worsened.
In 2022, TeslaMate’s founder, Adrian Kumpf, informed TechCrunch that a bug fix had been implemented to mitigate public access to dashboards. He cautioned, however, that TeslaMate could not prevent users from accidentally exposing their servers to the internet. Kumpf then warned that TeslaMate could not protect against users accidentally exposing their servers.
Kiliç advises TeslaMate users to enable authentication on their servers to prevent unauthorized public access. He emphasized the importance of security, stating, “If you plan to run TeslaMate on a public-facing server, you must secure it.”
