Red Hot Cyber


Can’t find your Tesla? No problem: there’s Free TeslaMate.

Redazione RHC : 18 August 2025 19:57

A cybersecurity researcher has discovered that hundreds of TeslaMate servers around the world are openly transmitting Tesla vehicle data without any protection. This means that car telemetry—from precise coordinates and routes to owner habits and even charging schedules—has been exposed to the public.

TeslaMate is a popular open-source tool that connects to the official Tesla API and collects detailed information about the car. The system records GPS data, battery status, trip history, cabin temperature readings, and other parameters. Statistics are displayed through a web interface on port 4000 and a Grafana panel on port 3000. However, by default, the application does not require authentication and listens on all network interfaces. If it is launched on a server with a public IP, all of this information is available to anyone who can reach that address.

By scanning the global IPv4 address space for open port 4000, the researcher identified approximately 900 such installations across several continents. As a result, outsiders had access to the owners’ exact routes, the coordinates of parked cars, residential addresses, and data showing when owners were away from their usual locations.

The collected data made it possible to paint a complete picture of the owners’ daily lives and even identify vacation periods. What is particularly alarming is that criminals can use this data to plan thefts or break-ins in advance, knowing when the owners are away.

To demonstrate the extent of the problem, the researcher launched the website teslamap.io, which maps all cars found connected to unprotected TeslaMate servers. In some regions, particularly metropolitan areas in North America, Europe, and Asia, the map shows clusters containing numerous unprotected installations.

Experts recommend taking immediate protective measures. At a minimum, put the services behind a password-protected reverse proxy (e.g., Nginx), bind them to localhost only, set appropriate firewall rules, change the default Grafana credentials, and, if possible, make the dashboard reachable only through a VPN.
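A check an operator can run on their own TeslaMate host, added here as an example (not code from the article or the TeslaMate project): it reads `ss -H -tln` output and reports listeners on ports 4000 and 3000 that are not bound to loopback. The sample output is constructed, and the function names are illustrative.

```python
import ipaddress

# Ports named in the article: TeslaMate web UI (4000) and Grafana (3000).
WATCHED_PORTS = {4000: "TeslaMate web UI", 3000: "Grafana"}

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 0.0.0.0:4000 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 4096 [::]:3000 [::]:*
LISTEN 0 128 *:22 *:*
LISTEN 0 4096 192.168.1.10:4000 0.0.0.0:*
LISTEN 0 4096 [::1]:4000 [::]:*
"""

def split_local(addr_port):
    """Split the 'Local Address:Port' column into (host, port)."""
    host, _, port = addr_port.rpartition(":")
    # Drop a %iface scope suffix first, then the IPv6 brackets.
    return host.split("%")[0].strip("[]"), int(port)

def classify(host):
    """Return 'all-interfaces', 'loopback' or 'specific' for a bind address."""
    if host in ("*", ""):
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:          # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific"

def audit(ss_output):
    """Return (port, host, scope) for watched ports not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        if port not in WATCHED_PORTS:
            continue
        scope = classify(host)
        if scope != "loopback":
            findings.append((port, host, scope))
    return findings

if __name__ == "__main__":
    for port, host, scope in audit(SAMPLE_SS_OUTPUT):
        print(f"{WATCHED_PORTS[port]}: port {port} bound to {host} ({scope})")
```

A "specific" result is not necessarily a problem: it means the service is bound to one non-loopback address, so firewall rules or a VPN decide who can reach it.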

The TeslaMate developers have confirmed the issue and promised to introduce built-in authentication “by default” in future versions. However, as long as hundreds of installations continue to operate unprotected, confidential car data remains publicly available. This highlights the relevance of the data leak problem in today’s world.
