Over 1,300 self-hosted TeslaMate servers are leaking GPS locations, driving history, and charging habits due to poor security settings
Tesla Owners’ DIY Data Logging Comes at a Risk
Over 1,300 TeslaMate dashboards—used by Tesla owners to self-host vehicle data—are publicly accessible online without passwords, leaking sensitive information like location history, vehicle speed, and charging patterns.
- Discovered by Seyfullah Kiliç, founder of SwordSec, the issue highlights the risks of misconfigured self-hosted tools.
- TeslaMate is an open-source platform designed to let Tesla owners visualize their data locally—but many users are unintentionally exposing their dashboards to the open web.
What’s Being Leaked
The exposed dashboards offer an intimate look at a Tesla’s usage and the owner’s routines:
- Live and historical GPS data of recent trips
- Vehicle speed and battery health
- Charging sessions and timestamped trip logs
- Tesla model identification and last-seen location
Kiliç even mapped these locations to demonstrate how easily an attacker—or curious onlooker—could track someone’s daily patterns or know when they’re away from home.
“You’re Sharing More Than You Realize”
In his blog post, Kiliç warned:
“You’re unintentionally sharing your car’s movements, charging habits, and even vacation times with the entire world.”
He emphasized that his goal wasn’t to exploit the data but to raise awareness and push users to secure their servers properly.
A Problem That’s Only Growing
This isn’t the first time TeslaMate servers have been found exposed online.
- In 2022, another researcher identified dozens of open dashboards.
- Today, that number has skyrocketed to over 1,300, suggesting that more Tesla owners are using TeslaMate but not implementing basic security protections.
Despite a bug fix issued by TeslaMate’s creator Adrian Kumpf in 2022, the project remains vulnerable to user misconfigurations, especially when deployed on public-facing servers.
Why It Matters
The GPS and travel history of a car owner is highly sensitive information. Without authentication, this data could be:
- Used to track routines or home addresses
- Exploited to time break-ins or car theft
- Aggregated for profiling or targeted advertising
- A gateway for broader privacy violations
How TeslaMate Users Can Protect Themselves
Kiliç strongly urges TeslaMate users to secure their dashboards:
- Enable basic authentication
- Set firewall rules to limit access
- Avoid public exposure unless absolutely necessary
- Monitor server configurations regularly
As Kiliç puts it:
“If you plan to run TeslaMate on a public-facing server, you must secure it.”
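One way to act on the "enable basic authentication" and "monitor server configurations regularly" items above for your own instance, as an added example that is not from Kiliç's post or the TeslaMate project: a Python self-check that sends one request without credentials to each URL you pass it and reports whether the server demanded a login. The URLs are whatever you supply for your own server; the verdict names and function names are this example's own.

```python
import sys
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as-is instead of following it to a login page."""
    def redirect_request(self, *args, **kwargs):
        return None


def probe(url, timeout=5.0):
    """Send one GET with no credentials; return (status, WWW-Authenticate)."""
    # ProxyHandler({}) ignores proxy environment variables: talk to the host directly.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}), NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return err.code, err.headers.get("WWW-Authenticate")
    except OSError:  # refused, timed out, DNS failure (URLError is an OSError)
        return None, None


def classify(status, challenge):
    """Map an anonymous response to a verdict (verdict names are this example's own)."""
    if status is None:
        return "unreachable"   # closed or filtered from where the script runs
    if status == 401 and challenge:
        return "protected"     # server asked for credentials before serving anything
    if 200 <= status < 300:
        return "exposed"       # content served to a request that carried no credentials
    return "review"            # redirect, 403, 5xx: inspect by hand


def audit(urls):
    """Probe each URL once and return {url: verdict}."""
    return {url: classify(*probe(url)) for url in urls}


if __name__ == "__main__":
    # Usage: python3 audit.py <your-dashboard-url> [more URLs of your own server ...]
    results = audit(sys.argv[1:])
    for url, verdict in results.items():
        print(f"{verdict:12} {url}")
    sys.exit(1 if "exposed" in results.values() else 0)
```

Run it from a network outside your own so that the firewall rules are exercised as well as the authentication; the non-zero exit status on an "exposed" verdict lets a scheduled job alert you when a configuration change reopens the dashboard.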
Who’s Responsible?
While the TeslaMate platform includes disclaimers and security documentation, the onus is still on users to configure their instances safely.
- Open-source tools offer freedom and flexibility, but also require a baseline of technical responsibility.
- TeslaMate’s developer cannot prevent users from exposing their data through misconfigured servers.
This incident is a reminder that DIY tech projects involving sensitive data need to be handled with caution and security awareness.








