Thousands of Exposed TeslaMate Dashboards Leak Vehicle Data
A security researcher discovered over 1,300 publicly exposed TeslaMate dashboards that reveal sensitive Tesla telemetry — including recent GPS locations, charging history and vehicle details. The open-source logger is often self-hosted and unintentionally left internet-facing without authentication. Owners, fleets and municipalities should secure dashboards with authentication, firewalls or VPNs to stop this avoidable data leak.
Researcher Finds 1,300+ Public TeslaMate Dashboards
Security researcher Seyfullah Kiliç of SwordSec scanned the internet and found more than 1,300 TeslaMate dashboards that anyone could view without a password. TeslaMate is an open-source telemetry logger many Tesla owners self-host to visualize battery health, charging sessions, cabin temperature — and crucially, fine-grained location and trip histories.
Kiliç scraped last-seen locations and model names, mapped vehicles, and published the results to highlight how widely accessible that sensitive data can be. He emphasized this was likely accidental — a misconfigured server, missing authentication or an open firewall — but the effect is the same: real-world movements, vacation plans and charging patterns exposed to anyone on the web.
This is not new, but the scale has grown. Earlier research in 2022 found only dozens of exposed dashboards; Kiliç's map shows the problem has expanded significantly, underscoring how DIY self-hosting without security basics can create large privacy risks.
Who is at risk and why it matters:
- Individual owners: personal routines, home addresses and vacation windows can be exposed.
- Fleets and small operators: aggregated telemetry can reveal operational patterns and sensitive locations.
- Public safety and privacy: exposed GPS traces are attractive to stalkers, burglars and other malicious actors.
Immediate steps TeslaMate users should take are straightforward and effective. At minimum, enable authentication on the dashboard, run it behind a firewall or VPN, and avoid directly exposing the service to the public internet. Where possible, add an authenticated reverse proxy, IP allowlisting, and ensure default credentials or guest access are disabled.
Longer-term fixes include automated exposure scanning, deployment templates that bake in auth by default, and monitoring to detect unexpected public endpoints. Open-source maintainers can help by documenting secure deployment patterns and making authentication the default configuration.
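As an added example (not code from the article, the researcher or the TeslaMate project), the monitoring step above can be a small self-check run from outside your network against dashboard URLs you operate, flagging any that serve content without an authentication challenge. The login-path hints, the verdict names and the URL you pass to `probe` are assumptions.

```python
import urllib.error
import urllib.request

# Assumed markers of a login redirect; adjust to your reverse proxy or SSO.
LOGIN_HINTS = ("/login", "/auth", "/signin")

# Constructed sample responses (status, headers), not captured from real hosts.
SAMPLES = [
    (200, {"Content-Type": "text/html"}),
    (401, {"WWW-Authenticate": 'Basic realm="dash"'}),
    (302, {"Location": "/login"}),
    (302, {"Location": "/dashboards"}),
]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects so a 3xx is judged on its own."""
    def redirect_request(self, *args, **kwargs):
        return None


def classify(status, headers):
    """Verdict for one response to a request sent with no credentials."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403) or "www-authenticate" in h:
        return "protected"
    if 300 <= status < 400:
        target = h.get("location", "").lower()
        return "protected" if any(m in target for m in LOGIN_HINTS) else "review"
    if 200 <= status < 300:
        return "EXPOSED"  # content served to an anonymous client
    return "review"


def probe(url, timeout=5):
    """Fetch a dashboard URL you operate, without credentials, and classify it."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return classify(err.code, dict(err.headers))
    except OSError:  # refused, filtered or timed out: expected behind a VPN/firewall
        return "unreachable"


if __name__ == "__main__":
    for status, headers in SAMPLES:
        print(status, classify(status, headers))
```

From a vantage point outside your network, `unreachable` or `protected` is the result you want; `EXPOSED` means the dashboard is readable by anyone, and `review` needs a manual look.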
Why organizations should care: a single leaked dashboard for a fleet vehicle can reveal routes, depot locations and charging behavior. For municipal programs or businesses using self-hosted telemetry, exposure can mean regulatory, safety and reputational consequences — not just privacy violations for individual owners.
QuarkyByte's approach is to treat these issues like any other digital exposure: identify public-facing endpoints, prioritize by sensitivity and threat, and harden deployments with layered controls. We work with operators and maintainers to translate findings into concrete fixes, from simple authentication rollouts to architecture changes that keep telemetry private without breaking visibility.
The takeaway: self-hosting gives control, but it also puts the burden of security on the owner. A few configuration checks and basic network controls remove most of the risk. If you or your organization is collecting vehicle telemetry, now is the time to confirm dashboards are not accidentally exposed.