- A white-hat hacker discovered that Tesla isn’t wiping data when it replaces old hardware in customers’ vehicles, InsideEVs reported Sunday.
- After purchasing the used hardware on eBay, the hacker was able to access previous owners’ physical and email addresses, phone contacts and call history, and even Netflix session “cookies,” according to InsideEVs.
- Some units had been smashed, suggesting Tesla technicians had unsuccessfully attempted to clear the data by physically damaging them, InsideEV reported.
- This isn’t the first privacy concern the hacker has unearthed in Tesla’s technology, CNBC reported, while consumer watchdog group Which? found that other automakers’ on-board computers are hackable as well.
Tesla owners who have had their on-board computers replaced may also need to worry about their personal information being for sale online, InsideEVs reported on Sunday.
White-hat hacker GreenTheOnly told InsideEV that he was able to purchase four used Tesla media control units (MCUs) from eBay and access their previous owners’ information, which he said included “home and work location, all saved wi-fi passwords, calendar entries from the phone, call lists and address books from paired phones, Netflix and other stored session cookies.”
When Tesla owners sync their phones or third-party accounts like Netflix and Spotify to their vehicles, the MCUs store that information, but some older model Teslas experienced issues with the computers and their owners had to get them replaced.
However, after migrating customers’ information to replacement computers, Tesla hasn’t been properly wiping data from the old units, and since the data is stored unencrypted, GreenTheOnly was still able to gain access to it after buying the units online, according to InsideEVs
Technicians had been instructed to damage the MCUs before pitching them, InsideEVs reported, a policy GreenTheOnly said was ineffective: “I also heard a prerequisite to throwing the unit into a dumpster is to hit it with a hammer a few times. This obviously does not destroy any data and I did see these units for sale too.”
GreenTheOnly had previously discovered that customers’ personal data could be obtained from crashed Tesla Model S, Model X and Model 3 vehicles purchased from salvage yards for research and testing, CNBC reported.
As more vehicles become wired with on-board computers that connect to the internet, Tesla as well as other automakers are increasingly dealing with security vulnerabilities that could impact drivers’ safety and privacy. UK consumer watchdog group Which? found flaws present in the on-board computers for Ford and Volkswagen models that could allow hackers to manipulate safety features.
Tesla did not respond to a request for comment on this story.