A hacker in the United States has uncovered old Tesla hardware on eBay that allegedly contains personal data from owners – including passwords, home addresses, calendar events and phone call history. Worse, the hacker claims Tesla knows about the breach but is yet to do anything about it.
An investigation jointly conducted by American website InsideEVs and Twitter user GreenTheOnly found the electric carmaker was retrofitting new media or autopilot hardware in its Model S, Model X and Model 3 cars, but failing to adequately destroy or remove customer data from the old units.
As a result, these old units were surfacing on eBay where GreenTheOnly – an anonymous hacker who runs a popular Tesla-centric Twitter account – was able to purchase four and access a wide range of personal data from previous owners.
"Bad news Sunday. If you had infotainment computer in your Tesla replaced (model3 FSD upgrade, mcu2 retrofit, mcu1 emmc fix or any other fix requiring computer swap) - consider all accounts you logged into from the car compromised and change pwds," GreenTheOnly tweeted.
"In particular if you log into spotify - the password is stored in plain text. gmail and netflix are stored as a cookie but still give a potential attacker access. Then of course all recent calendar events and your phone book and calls history too."
— green (@greentheonly), May 3, 2020
GreenTheOnly told InsideEVs they contacted Tesla and requested the company notify customers of the potential data breach, but alleges Tesla refused to oblige. InsideEVs reported that Tesla later agreed to inform customers, but had yet to do so at the time of publishing.
Those potentially affected by the data breach include owners of Tesla Model X, Model S or Model 3 cars who have recently had their media control unit (MCU), Autopilot hardware or ICE hardware (a unit on Model 3 cars that combines MCU and Autopilot hardware) replaced or upgraded at a Tesla Service Centre.
CarAdvice understands the retrofitting program has not been undertaken in Australia. We were also unable to find any of the affected hardware units up for sale on eBay from Australian sellers – the only available units were located in the United States, with one in Lithuania.
According to InsideEVs' report, Tesla's method for protecting user data during the retrofitting process is somewhat rudimentary, with unidentified sources claiming Tesla tells service centre technicians to "throw the replaced computers away or damage them before trashing them".
Although these claims have not been confirmed by Tesla, GreenTheOnly told InsideEVs they too had heard of this policy. "I also heard a prerequisite to throwing the unit into a dumpster is to hit it with a hammer a few times," they said.
"This obviously does not destroy any data and I did see these units for sale too – at even lower prices, at times as little as $10 if you get a box full of them. Obviously, undamaged units sell for more, so I guess there's an incentive to not hit them with any hammers."
It's not the first time GreenTheOnly has taken their Tesla data concerns to the media – in 2019, a CNBC report detailed the hacker's findings that crashed Tesla vehicles sold at auctions or handed to junkyards still contained unencrypted owner data.
"[I] hoped they'd start encryption of the data after that CNBC report from the last year, but nope," GreenTheOnly tweeted of the latest data breach.
"It will come for sure this time though I guess. Other than this I welcome Tesla's contribution to lowering prices on these computers on secondary market."
At the time of the CNBC report, Tesla issued a statement claiming owners were able to use the factory reset option to remove personal data from their cars.
"Tesla already offers options that customers can use to protect personal data stored on their car, including a factory reset option for deleting personal data and restoring customized settings to factory defaults, and a Valet Mode for hiding personal data (among other functions) when giving their keys to a valet. That said, we are always committed to finding and improving upon the right balance between technical vehicle needs and the privacy of our customers," the statement said.
Tesla CEO Elon Musk and Tesla's global press arm are yet to issue a statement on the most recent reports.