Security researchers have discovered over 1,000 public hobby servers run by Tesla vehicle owners, spilling sensitive data about vehicles, including granular location history.
Seyfullah Kiliç, founder of cybersecurity firm SwerdSec, found more than 1,300 Teslamate dashboards exposed on the internet and said that anyone could likely read the Tesla data their owners had mistakenly published there, with no password required.
Teslamate is an open source data logger that lets Tesla owners self-host and visualize data from their vehicle's computer, including vehicle temperature, battery health, charging sessions, vehicle speed, and location data from recent trips.
In a blog post, Kiliç described scanning the internet for exposed Teslamate dashboards, scraping each vehicle's last-seen location and Tesla model name, and plotting the vehicles on a map to show where they were.
“You unintentionally share your car’s movements, charging habits, and even holiday times with the whole world,” Kiliç writes.
Kiliç told TechCrunch that the aim was to raise awareness of how many servers are exposed and to urge Teslamate users to secure their dashboards.
“The goal was to show that Tesla owners and the open source community have no basics [authentication] or firewall rules, and can leak sensitive data (GPS, charging, travel),” Kiliç said.
The issue is not new, but Kiliç's findings show that the number of exposed Teslamate dashboards has grown significantly since the last count in 2022, when security researchers found dozens of public Teslamate dashboards exposed to the web.
Now, more than three years later, another security researcher has found over 1,000 self-hosted Teslamate servers on the web and mapped them, indicating that the problem is getting worse.
Teslamate founder Adrian Kumpf told TechCrunch in 2022 that a fix had been deployed to protect users from public access to their dashboards, but the project warned that users could still accidentally expose them to the internet.
Kiliç said Teslamate users should enable server authentication to prevent public access.
“If you plan to run Teslamate on a public server, you need to ensure that,” Kiliç writes.