Over 1,300 self-hosted TeslaMate servers are currently leaking sensitive vehicle data, including granular location histories and charging habits, due to improper security configurations. Cybersecurity researcher Seyfullah Kiliç, founder of SwordSec, discovered these publicly exposed dashboards, which allow anyone with an internet connection to access private Tesla telemetry without a password.
The Privacy Risk: What Data Is Exposed?
TeslaMate is a popular open-source data logger that lets owners self-host and visualize their vehicle’s data. While intended for personal monitoring—tracking battery health, charging sessions, and interior temperatures—the software also logs highly sensitive information, such as precise vehicle speed and detailed GPS coordinates of recent trips.
In a recent technical analysis, Kiliç demonstrated the severity of the flaw by scanning the internet for exposed dashboards. By scraping the last-seen locations and vehicle models, he was able to plot these cars on a map, proving that owners are unintentionally broadcasting their movements, vacation schedules, and daily routines to the public.
A Growing Security Crisis for Tesla Owners
The scale of the exposure has grown significantly. While a similar security audit in 2022 identified only dozens of vulnerable instances, the current count exceeds 1,300 servers. This indicates that despite awareness of the issue, the number of misconfigured, internet-facing servers has surged over the past three years.
“The goal was to show Tesla owners and the open-source community that without basic authentication or firewall rules, sensitive data like GPS, charging logs, and trip history can be leaked,” Kiliç stated. The researcher emphasized that this is not necessarily a flaw in the TeslaMate software itself, but rather a failure in how users deploy and secure their self-hosted instances.
How to Protect Your Tesla Data
Addressing the issue requires immediate action from users who host their own TeslaMate instances. Adrian Kumpf, the creator of TeslaMate, previously noted that while the project includes protections, it cannot prevent users from accidentally opening their servers to the public web.
To mitigate this risk, security experts provide a clear directive: if you are running TeslaMate, you must enable robust authentication and ensure your server is not accessible via a public IP address without proper firewall restrictions. Securing the dashboard is the only way to prevent unauthorized parties from tracking your vehicle’s movements in real time.
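One way to self-audit the deployment mistake described above, as an added example that is not TeslaMate project code: the script reads the short-form port mappings of a Docker Compose file and flags any service published on all host interfaces, which is what puts a dashboard on the public internet when the host has a public IP and no firewall. Ports 4000 and 3000 are the TeslaMate web UI and Grafana defaults; the compose text embedded below is a constructed sample.

```python
"""Flag Docker Compose services published on every host interface.

Added example, not TeslaMate project code. A short-form `ports:` entry is
`[HOST_IP:]HOST_PORT:CONTAINER_PORT`; no host IP (or 0.0.0.0 / ::) means
reachable from any network the host sits on. Ports 4000/3000 are the TeslaMate
web UI and Grafana defaults; the compose text below is a constructed sample.
"""
import re

# Constructed sample compose file (not from the page or the project).
SAMPLE_COMPOSE = """
services:
  teslamate:
    ports:
      - "4000:4000"
  grafana:
    ports:
      - "127.0.0.1:3000:3000"
  database:
    ports:
      - "0.0.0.0:5432:5432"
"""
SERVICE_RE = re.compile(r"^  (\S+):\s*$")  # two-space indented service name
PORT_RE = re.compile(r'^\s+-\s*["\']?([^"\']+)["\']?\s*$')  # item under ports:
WILDCARD_IPS = {"", "0.0.0.0", "::"}  # host IPs meaning "all interfaces"

def parse_port_mapping(entry):
    """Split '[HOST_IP:]HOST_PORT:CONTAINER_PORT'; IPv6 host IPs contain ':' too."""
    parts = entry.split(":")
    host_ip = ":".join(parts[:-2]).strip("[]")  # '' when no host IP was given
    return {"host_ip": host_ip, "host_port": parts[-2], "container_port": parts[-1]}

def audit_compose(text):
    """Return one finding per service port bound to all interfaces."""
    findings, service, in_ports = [], None, False
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:  # a new service block starts
            service, in_ports = m.group(1), False
        elif line.strip() == "ports:":
            in_ports = True
        elif in_ports and service and PORT_RE.match(line):
            mapping = parse_port_mapping(PORT_RE.match(line).group(1))
            if mapping["host_ip"] in WILDCARD_IPS:
                findings.append(f"{service}: host port {mapping['host_port']} is bound to all "
                                "interfaces; bind it to 127.0.0.1 or front it with an "
                                "authenticating reverse proxy and firewall rules")
        elif line.strip():  # any other key ends the ports list
            in_ports = False
    return findings
```

Run `audit_compose(SAMPLE_COMPOSE)` against your own compose file's text to get one line per exposed service; an empty list means every published port is pinned to a specific host address.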
