Security researcher maps hundreds of TeslaMate servers spilling Tesla vehicle data

A cybersecurity expert has uncovered a troubling discovery: over a thousand TeslaMate servers, operated by Tesla enthusiasts, are inadvertently exposing sensitive vehicle data online. Seyfullah Kiliç, the founder of SwordSec, reported finding more than 1,300 publicly accessible TeslaMate dashboards, likely due to user oversight, which allows anyone to access critical personal information without any password protection. TeslaMate serves as an open-source data logger that enables Tesla owners to visualize and manage their vehicle's statistics from their own computers. This includes not just technical details like battery health and charging sessions, but also sensitive data such as vehicle speeds and detailed location histories of recent trips. In a recent blog post, Kiliç described how he scanned the internet for these publicly accessible dashboards, retrieving information about the last known locations of vehicles and their model names, and plotted them on a map. Kiliç emphasized the risks involved, stating, "You’re unintentionally sharing your car’s movements, charging habits, and even vacation times with the entire world." He shared his findings with TechCrunch to highlight the growing number of exposed servers and urged TeslaMate users to take steps to secure their dashboards. The situation, although not entirely new, has worsened significantly since a previous assessment in 2022, which identified only a handful of public TeslaMate dashboards. Now, more than three years later, Kiliç's research indicates a substantial increase in the number of self-hosted TeslaMate servers that are vulnerable to public access. Adrian Kumpf, TeslaMate’s founder, had previously informed TechCrunch about a bug fix aimed at minimizing public access to dashboards. However, he cautioned that the platform could not prevent users from unintentionally exposing their servers online. Kiliç reiterated the importance of enabling authentication for TeslaMate servers, advising, "If you plan to run TeslaMate on a public-facing server, you must secure it."