Misconfigured TeslaMate instances can expose large amounts of data on the internet, potentially leaving Tesla cars and their drivers open to malicious attacks, IoT security intelligence firm Redinent reports.
A third-party data logging application, TeslaMate relies on the Tesla API to retrieve various types of information about Tesla cars, making it available to users on their computers.
While the application is a great tool for keeping track of car data, it also poses a significant risk if improperly configured, Redinent has discovered.
Various screenshots of the application's configuration can be found online by searching for images tagged ‘teslamate configure’, but attackers can also use specialized search engines and specific queries to identify misconfigured TeslaMate instances and access their data without authorization.
Using Censys’ search service, Redinent has identified more than 1,400 misconfigured instances that allow access without authentication.
With such unauthenticated access, an attacker could view a car’s live location, check whether the vehicle is locked and whether the driver is present, and even put an online car to sleep, the security firm says.
The issue, Redinent notes, is that users often do not configure this third-party software correctly, which leads to privacy breaches and other types of risks by allowing unauthorized access to Tesla car data.
Furthermore, an attacker could “set virtual boundaries around the car and receive alerts, potentially compromising the owner’s daily routine and posing risks like planned robberies or other malicious activities,” Redinent notes.
Responding to a SecurityWeek inquiry, Redinent security researcher Souvik Kandar said the vulnerability has been reported to TeslaMate.
“But the vulnerability arises due to misconfiguration on the user’s end. Teslamate is not at fault here,” Kandar said.