An unsecured open-source app is leaving a mountain of data open to anyone looking for it.
A security researcher has described in detail how they were able to access tracking and efficiency data of more than 1,000 Tesla motor vehicles, thanks to an open-source app that many users have not properly secured.
The researcher – who is currently a security intern at Cisco – wrote the post independently and contacted Tesla over the issue, only to be told that as it is not a Tesla app, there is little the company can do about the issue.
The security researcher was able to take advantage of a third-party tracking app called TeslaMate. The app is self-hosted, meaning all data stays with the user, which is what makes it secure in principle.
“Unlike some third-party services that might store your data on their servers, with TeslaMate, you have full control,” the researcher said in a blog post.
However, while the data is, in theory, secure, the app needs to be set up with proper authentication to keep it that way. The researcher used an internet intelligence tool to search for instances of the app running without authentication being set up and was alarmed at what the app would let them do.
After some time with the app’s documentation, the researcher discovered that they would be able to track a car’s location, and if a driver is in the vehicle, check if the car is locked or in sentry mode, and even put the car to sleep. The extensive data that the app tracks – charge efficiency, trip data, and more – was also presumably available, but the researcher feared that accessing that could well be a legal grey area, even if the app was technically open to the internet.
The researcher strongly recommends that Tesla owners using TeslaMate enable authentication, disable port forwarding, and contact services such as Shodan and Censys to request that any instances of their unauthenticated app be removed from those indexes.
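To turn those recommendations into a repeatable check, here is an added example (not code from the article or from the TeslaMate project) that audits a docker-compose definition for dashboards published on every interface with no login in front of them; the container ports 4000 and 3000, the image names and the sample stacks are assumptions for this example.

```python
# Added example (not from the article or the TeslaMate project): flag the exposure
# the article describes, i.e. the TeslaMate web UI or its Grafana dashboards
# published on all interfaces with no authenticating proxy in front.
# Container ports 4000/3000, image names and the sample configs are assumptions.

DASHBOARD_PORTS = {4000: "TeslaMate UI", 3000: "Grafana"}   # assumed defaults
ALL_INTERFACES = {None, "0.0.0.0", "::", "*"}               # no host_ip = every interface


def host_binding(entry):
    """Return (host_ip, container_port) for one compose 'ports' entry: short form
    'ip:host:container[/proto]' (ip and host optional) or the long mapping form."""
    if isinstance(entry, dict):
        return entry.get("host_ip"), int(entry["target"])
    parts = str(entry).split("/")[0].rsplit(":", 2)
    ip = parts[0].strip("[]") if len(parts) == 3 else None
    return ip, int(parts[-1].split("-")[0])


def audit_compose(compose: dict) -> list:
    """One finding per unauthenticated dashboard exposure.
    Rule 1: a dashboard port published on all interfaces; a router port-forward
    then puts it on the internet, and TeslaMate has no login of its own. Binding
    to 127.0.0.1 (or a VPN/LAN address), or publishing nothing and letting a
    basic-auth reverse proxy reach it over the compose network, passes.
    Rule 2: Grafana started with anonymous access, which bypasses its own login."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for entry in svc.get("ports") or []:
            ip, target = host_binding(entry)
            if ip in ALL_INTERFACES and target in DASHBOARD_PORTS:
                findings.append(f"{name}: {DASHBOARD_PORTS[target]} published on all "
                                f"interfaces via {entry!r}; bind to 127.0.0.1 or front "
                                "it with an authenticating reverse proxy")
        env = svc.get("environment") or {}
        if isinstance(env, list):  # compose also allows the KEY=VALUE list form
            env = dict(item.split("=", 1) for item in env if "=" in item)
        if str(env.get("GF_AUTH_ANONYMOUS_ENABLED", "false")).lower() == "true":
            findings.append(f"{name}: Grafana anonymous access enabled; set "
                            "GF_AUTH_ANONYMOUS_ENABLED=false")
    return findings


# Constructed samples: the exposed stack the article warns about, and a hardened one.
EXPOSED_STACK = {"services": {
    "teslamate": {"image": "teslamate/teslamate:latest", "ports": ["4000:4000"]},
    "grafana": {"image": "teslamate/grafana:latest", "ports": ["3000:3000"],
                "environment": ["GF_AUTH_ANONYMOUS_ENABLED=true"]}}}
HARDENED_STACK = {"services": {
    "teslamate": {"image": "teslamate/teslamate:latest", "ports": ["127.0.0.1:4000:4000"]},
    "grafana": {"image": "teslamate/grafana:latest"},          # reached only via proxy
    "proxy": {"image": "caddy:2", "ports": ["443:443"]}}}      # enforces basic auth

if __name__ == "__main__":
    for stack in (EXPOSED_STACK, HARDENED_STACK):
        print(audit_compose(stack) or ["no findings"])
```

Run it against your own compose file (after loading it with a YAML parser into the same dict shape) before forwarding any port on the router; an empty result for the dashboards is the goal, not a replacement for actually configuring the proxy's login.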
However, when the researcher informed Tesla of the issue, wondering if the company could send push notifications to its users warning them of the issue, Tesla effectively said its hands were tied.
“I was able to find some online TeslaMate dashboards using the technique you described,” a Tesla spokesperson said in reply.
“I’ll leave the ticket as N/A as there isn’t anything we can do to prevent people from deliberately exposing their car data to the internet using third-party software.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.