SecurityWeek

Misconfigured TeslaMate Instances Put Tesla Car Owners at Risk

Attackers can find tons of information on Tesla cars and their drivers by searching for misconfigured TeslaMate instances online.

Misconfigured TeslaMate instances can leak tons of data on the internet, potentially exposing Tesla cars and their drivers to malicious attacks, IoT security intelligence firm Redinent reports.

A third-party data logging application, TeslaMate relies on the Tesla API to retrieve various types of information about Tesla cars, making it available to users on their computers.

While the application is a great tool for keeping track of car data, it also poses a significant risk if improperly configured, Redinent has discovered.

Various types of information about the application can be found online by searching for images with the ‘teslamate configure’ tags, but attackers can also use specialized search engines and specific queries to identify misconfigured TeslaMate instances and access information without authorization.

Using Censys’ search service, Redinent has identified more than 1,400 misconfigured instances that allow access without authentication.

With such unauthenticated access, an attacker could view a car’s live location, check whether the vehicle is locked and whether the driver is present, and even make an online car go to sleep, the security firm says.

The issue, Redinent notes, is that users often do not configure this third-party software correctly, which leads to privacy breaches and other types of risks by allowing unauthorized access to Tesla car data.

Furthermore, an attacker could “set virtual boundaries around the car and receive alerts, potentially compromising the owner’s daily routine and posing risks like planned robberies or other malicious activities,” Redinent notes.

Responding to a SecurityWeek inquiry, Redinent security researcher Souvik Kandar said the vulnerability has been reported to TeslaMate.

“But the vulnerability arises due to misconfiguration on the user’s end. TeslaMate is not at fault here,” Kandar said.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
