"Misconfigured TeslaMate Instances Put Tesla Car Owners at Risk"
According to security researchers at Redinent, misconfigured TeslaMate instances can leak large amounts of data on the internet, potentially exposing Tesla cars and their drivers to malicious attacks. TeslaMate is a third-party data logging application that relies on the Tesla API to retrieve various types of information about Tesla cars and makes it available to users on their computers. The researchers noted that while the application is a great tool for keeping track of car data, it poses a significant risk if improperly configured.

The researchers stated that various types of information about the application can be found online by searching for images with the "teslamate configure" tags, and that attackers can also use specialized search engines and specific queries to identify misconfigured TeslaMate instances and access information without authorization. Using Censys' search service, the researchers identified more than 1,400 misconfigured instances that allow access without authentication.

According to the researchers, an attacker could use this access to view a car's live location, check whether the vehicle is locked and whether the driver is present, and even make an online car go to sleep. The issue, they said, is that users often do not configure this third-party software correctly, which leads to privacy breaches and other risks by allowing unauthorized access to Tesla car data. Furthermore, an attacker could "set virtual boundaries around the car and receive alerts, potentially compromising the owner's daily routine and posing risks like planned robberies or other malicious activities." The researchers have reported the vulnerability to TeslaMate.
SecurityWeek reports: "Misconfigured TeslaMate Instances Put Tesla Car Owners at Risk"