Misconfigured TeslaMate Instances Put Tesla Car Owners at Risk

Attackers can find tons of information on Tesla cars and their drivers by searching for misconfigured TeslaMate instances online.

Misconfigured TeslaMate instances can leak tons of data on the internet, potentially exposing Tesla cars and their drivers to malicious attacks, IoT security intelligence firm Redinent reports.

A third-party data logging application, TeslaMate relies on the Tesla API to retrieve various types of information about Tesla cars, making it available to users on their computers.

While the application is a great tool for keeping track of car data, it also poses a significant risk if improperly configured, Redinent has discovered.

Various types of information about the application can be found online by searching for images with the ‘teslamate configure’ tags, but attackers can also use specialized search engines and specific queries to identify misconfigured TeslaMate instances and access information without authorization.

Using Censys’ search service, Redinent has identified more than 1,400 misconfigured instances that allow access without authentication.

An attacker who finds such an instance could access a car’s live location, check whether the vehicle is locked and whether the driver is present, and even make an online car go to sleep, the security firm says.

The issue, Redinent notes, is that users often do not configure this third-party software correctly, which leads to privacy breaches and other types of risks by allowing unauthorized access to Tesla car data.

Furthermore, an attacker could “set virtual boundaries around the car and receive alerts, potentially compromising the owner’s daily routine and posing risks like planned robberies or other malicious activities,” Redinent notes.

Responding to a SecurityWeek inquiry, Redinent security researcher Souvik Kandar said the vulnerability has been reported to TeslaMate.

“But the vulnerability arises due to misconfiguration on the user’s end. TeslaMate is not at fault here,” Kandar said.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
