Hundreds of TeslaMate Installations Leak Sensitive Car Data in Real Time

18.08.2025 2 minutes Author: Newsman

A cybersecurity researcher has discovered hundreds of openly reachable TeslaMate installations that expose the GPS coordinates, trip history, and charging data of Tesla electric cars to anyone on the internet, with no authentication required. The exposure stems from misconfigured deployments of the popular open-source logger TeslaMate, which collects telemetry directly from the official Tesla API. The application's web interface ships without built-in authentication, so an instance run on a public server with port 4000 reachable from the internet serves its data to anyone who connects.

Researcher Seyfullah Kilic scanned the entire IPv4 address space for open port 4000 using masscan on high-bandwidth servers. He then used httpx to separate genuine TeslaMate instances from other services on that port by their characteristic HTTP responses.

The results revealed hundreds of exposed installations that publicly serve real-time data on car model, software version, driving routes, charging-session timestamps, and detailed trip history. To illustrate the scale, the website teslamap.io was created to show the geographical location of the exposed cars.

TeslaMate is a popular open-source tool that lets Tesla owners keep detailed statistics on trips, energy consumption, and battery health; its Grafana integration provides visual dashboards. As this case shows, however, many users leave their servers open, with neither password nor firewall protection, which creates serious privacy risks. Similar problems are common in IoT applications, where developers pay more attention to functionality than to security. Automotive data is especially sensitive, since it can reveal owners' home addresses, routes, workplaces, and habits.

Experts stress that Tesla owners running TeslaMate should act immediately: put the web interface behind an Nginx reverse proxy that enforces authentication, restrict access with a firewall, bind the services to local interfaces only, or expose them only over a VPN. This case is another reminder that secure deployment of IoT solutions must be a priority, because even convenient tools can become the source of large-scale leaks of private data.
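The "bind services to local interfaces" advice above turns on one detail of how the service is published. With Docker Compose, a `ports:` entry such as `"4000:4000"` asks Docker to listen on every interface of the host, while `"127.0.0.1:4000:4000"` keeps the port reachable only from the host itself, so that a reverse proxy on the same machine can add the authentication TeslaMate lacks. The following script is an added example, not code from TeslaMate or from the researcher: it reads the `ports:` entries of a Compose file and reports which services are published on all interfaces. The two Compose excerpts are constructed for illustration, and the parser is a deliberately small line-based reader for the common short port syntax, not a full YAML parser.

```python
"""Audit docker-compose port bindings for services exposed on all interfaces.

Added example (not TeslaMate project code). It flags ``ports:`` entries that
publish a container port without a host address (Docker then binds to
0.0.0.0, i.e. every interface) and contrasts them with the loopback-only
binding that a reverse proxy with authentication should sit in front of.
"""
import re

# Constructed Compose excerpts for illustration; not taken from any real deployment.
WEAK_COMPOSE = """\
services:
  teslamate:
    image: teslamate/teslamate:latest
    ports:
      - "4000:4000"
  grafana:
    image: teslamate/grafana:latest
    ports:
      - 3000:3000
  database:
    image: postgres:16
"""

HARDENED_COMPOSE = """\
services:
  teslamate:
    image: teslamate/teslamate:latest
    ports:
      - "127.0.0.1:4000:4000"   # only reachable through the local reverse proxy
  grafana:
    image: teslamate/grafana:latest
    ports:
      - "127.0.0.1:3000:3000"
  database:
    image: postgres:16
"""

_SERVICE_RE = re.compile(r"^  (\S+):\s*$")        # service names sit two spaces deep
_PORT_RE = re.compile(r'^\s*-\s*["\']?([^"\'#\s]+)')  # "- [HOST:]HOSTPORT:CONTAINERPORT"
ALL_INTERFACES = {"0.0.0.0", "::", "[::]"}


def _host_ip(spec):
    """Return the host address of a short-syntax port spec, or None if absent."""
    spec = spec.split("/")[0]          # drop a trailing /tcp or /udp
    if spec.startswith("["):           # bracketed IPv6, e.g. "[::1]:4000:4000"
        return spec[: spec.index("]") + 1]
    parts = spec.split(":")
    return parts[0] if len(parts) == 3 else None


def parse_port_bindings(compose_text):
    """Map each service to the host addresses of its published ports.

    A None entry means no host address was given, so Docker binds the port
    on every interface of the host.
    """
    bindings = {}
    service = None
    in_ports = False
    for line in compose_text.splitlines():
        m = _SERVICE_RE.match(line)
        if m:
            service, in_ports = m.group(1), False
            continue
        stripped = line.strip()
        if service and stripped.startswith("ports:"):
            in_ports = True
            continue
        if in_ports and stripped.startswith("-"):
            pm = _PORT_RE.match(line)
            if pm:
                bindings.setdefault(service, []).append(_host_ip(pm.group(1)))
        elif in_ports and stripped:
            in_ports = False               # another key ends the ports list
    return bindings


def exposed_services(compose_text):
    """Return the sorted names of services publishing a port on all interfaces."""
    exposed = set()
    for service, hosts in parse_port_bindings(compose_text).items():
        if any(h is None or h in ALL_INTERFACES for h in hosts):
            exposed.add(service)
    return sorted(exposed)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        print(f"{label}: exposed on all interfaces -> {exposed_services(text) or 'none'}")
```

Run against the weak excerpt the script reports both `teslamate` and `grafana`; against the hardened one it reports nothing. The loopback binding is only half of the fix: in front of it, an Nginx `server` block with `auth_basic` and `auth_basic_user_file` that `proxy_pass`es to `http://127.0.0.1:4000` supplies the login prompt, and a host firewall that only admits 443 closes the remaining paths.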
