Tesla Discarded Old Car Parts With Customer's Personal Data, Passwords: Report

Hardware handled by a Tesla service center was available to buy on eBay—with sensitive data on it.

via Tesla, Netflix (Render)

Tesla is under fire once again over customer data concerns after an automotive security researcher was able to obtain personal details from vehicle parts reportedly discarded by Tesla following upgrades and repairs on customer vehicles.

News of researcher GreenTheOnly's discovery was published over the weekend by InsideEvs, showing that a number of Media Control Units (MCU) purchased online still had customer data intact. In particular, the MCUs recovered had saved WiFi and clear-text Spotify password, calendar appointments, phone numbers, address books, as well as session cookies stored by both Netflix and Google, which could potentially allow a bad actor to gain access to accounts.

To make matters worse, the discarded hardware obtained by the researcher appears to have come after it passed through Tesla's hands.

Using data from the MCUs that were obtained by the researcher, InsideEVs was able to contact all four individuals who previously had them installed in their vehicles. According to the report, all four owners are from California and at least three had their MCUs replaced by Tesla service. InsideEVs says that after being informed of the data leak, Tesla committed to revealing the information to at least one of the affected customers identified by the researcher, however, the customer indicated that Tesla had not reached out as promised.

Tesla owners might bring their vehicle into Tesla for a number of reasons which would prompt the automaker to replace one of the vehicle's computers. In older Model S and Model X, an owner with an older MCU might require a new version to fix an issue caused by excessive logging, or perhaps because the infotainment screen had developed a yellow tinge. Model 3 owners may need to have their computers (ironically called an ICE rather than an MCU) upgraded if they purchased an early version of the car and planned to utilize Tesla's Full Self-Driving package.

After the MCU/ICE is upgraded at a Tesla service center, the owner can either pay a $1,000 core fee to keep the old component, or the part will remain with the technician to seemingly be destroyed. According to InsideEVs, Tesla did not respond to requests regarding its standard procedure for disposing of old MCUs, however, sourced reportedly indicated that it is common practice for employees to "hit it with a hammer a few times" and throw it in a dumpster, which obviously doesn't destroy data. The researcher behind the project theorizes that these units are then recovered by dumpster divers, or are perhaps blatantly sold by employees instead of following what is believed to be the proper procedure.

Even if a customer factory resets their vehicle, the programming does not securely wipe the data.

While the software does delete the database that the information is stored in, it does so only by marking the block available to write to, meaning that the old data is still recoverable until the block of memory is reused. This isn't exactly an uncommon method of handling deleted files, however, one might expect their data to be securely wiped. A secure wipe would mean zeroing out (erasing) the block, writing a random character to it, and then zeroing again. This practice is seeming not followed, as the data is still recoverable using forensic recovery tools.

This isn't the first time a concern like this has come up with Tesla. In March 2019, the automaker was chastised after data found by the same researcher indicated that similar unencrypted data (and video footage) remained on vehicles after they were salvaged. According to the researcher, Tesla has still not encrypted customer data on any of its vehicles.

capture via CNBC

The last moments off a salvaged Tesla

Aside from paying the core charge and destroying the hardware yourself, there doesn't seem to be a clear solution to this problem, at least not at this time. Tesla's private decommissioning procedure doesn't seem to be absolving it of the responsibility of customer data handling, which means that owners should weigh the need to bring their vehicle in for MCU service until more on this topic is known. For now, those who have had an MCU upgraded or replaced should consider changing any password shared by a service used on their Tesla vehicle.

Tesla did not respond to The Drive's request for comment at the time of writing.

Got a tip? Send us a note: tips@thedrive.com