Carefree Tesla drivers: TeslaMate installations openly on the network

Anyone who drives a Tesla can collect and process operating data with third-party tools such as TeslaMate. Hundreds of instances are available online.

Tesla Model S at a Tesla Supercharger

(Image: heise medien/Christoph M. Schwarzer)


Anyone who drives a Tesla can collect and analyze extensive data from the vehicle. This is possible with the open source project TeslaMate, for example. An IT researcher has now found hundreds of open instances on the internet that reveal this data to the public.

The lack of access protection came to the attention of Seyfullah Kılıç, who reported on it in a blog post. The open-source tool TeslaMate is available for download on GitHub. It collects data from your vehicle and stores it in a Postgres database. The data can be visualized and analyzed with Grafana and published to local MQTT brokers, which enables further processing, for example with Home Assistant.

The data that TeslaMate manages includes trip data with automatic address look-up, charge level and battery status. The project also lists various standard dashboards on GitHub for other data that can be viewed.

The problem that Kılıç encountered lies in TeslaMate's self-hosting. The software does not include access protection by default and allows unrestricted access to the data. This lets unauthorized individuals view the vehicle's location, for example, which reveals whether a Tesla is at home or at the office. That is, of course, very useful information for attackers such as burglars.

By default, TeslaMate provides a web interface on port 4000 and a Grafana dashboard on port 3000. This apparently tempts users to host instances on cloud servers or to pass domestic installations through to the internet. By searching for open TCP ports 4000 and querying TeslaMate's standard HTTP title over the Internet, the IT security researcher came across hundreds of open instances that reveal this rather personal information to the world.


Based on this, he programmed a crawler that analyzes the exact GPS data of the monitored Teslas, their model names, software version and update history, as well as timestamps of trips and charging sessions. By plotting daily routines on a map, the crawler was able to identify home addresses and frequently visited places. Kılıç publishes his evaluations on a map at the URL teslamap.io. Several vehicles in Germany, Austria and Switzerland are also under TeslaMate observation.

The root cause is the lack of access protection. The service should not be publicly reachable; at a minimum it should sit on a LAN that can only be accessed via VPN. The IT researcher also suggests putting a reverse proxy with nginx in front of it, which at least retrofits Basic Auth, i.e. a log-in prompt for username and password.
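As an added example (not from the article, the researcher's blog post, or the TeslaMate project), the following nginx configuration implements the suggested reverse proxy with Basic Auth in front of the TeslaMate web interface on port 4000 and the Grafana dashboards on port 3000. The hostnames, certificate paths and the htpasswd file location are assumptions and must be adapted to your setup.

```nginx
# Added example configuration (not from the article or the TeslaMate project).
# Assumptions: TeslaMate listens on 127.0.0.1:4000 and Grafana on 127.0.0.1:3000,
# a TLS certificate exists under /etc/letsencrypt, and the hostnames below are yours.

# Redirect plain HTTP to HTTPS so the Basic Auth credentials never travel in clear text.
server {
    listen 80;
    server_name teslamate.example.org grafana.example.org;   # assumed hostnames
    return 301 https://$host$request_uri;
}

# TeslaMate web interface
server {
    listen 443 ssl;
    server_name teslamate.example.org;                       # assumed hostname

    ssl_certificate     /etc/letsencrypt/live/teslamate.example.org/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/teslamate.example.org/privkey.pem;    # assumed path

    # Require a username and password for every request on this host.
    # Create the file once with: htpasswd -c /etc/nginx/.htpasswd <username>
    auth_basic           "TeslaMate";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass http://127.0.0.1:4000;
        # The TeslaMate UI (Phoenix LiveView) keeps a WebSocket open; pass the upgrade through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Grafana dashboards
server {
    listen 443 ssl;
    server_name grafana.example.org;                         # assumed hostname

    ssl_certificate     /etc/letsencrypt/live/teslamate.example.org/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/teslamate.example.org/privkey.pem;    # assumed path

    auth_basic           "TeslaMate Grafana";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The proxy only helps if ports 4000 and 3000 are not reachable directly: bind the services to the loopback interface (for a Docker deployment, publish them as `127.0.0.1:4000:4000` and `127.0.0.1:3000:3000` instead of `4000:4000` and `3000:3000`) and let the firewall admit only 80 and 443. After reloading nginx, a request without credentials should be answered with `401 Unauthorized`, and a port scan from outside should show 4000 and 3000 closed.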

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.