Security experts have discovered old Tesla car parts for sale on eBay still containing user data belonging to the previous owner, in a sign that the firm’s retrofitting service is failing customers on privacy.
A white hat known as GreenTheOnly explained that media control units (MCUs) and autopilot hardware (HW) swapped out of old models by Tesla during upgrades were turning up for sale online.
Even worse, the four he bought contained the previous owner’s home and work address, all saved Wi-Fi passwords, calendar entries, call lists and address books from paired phones, and Netflix and other stored session cookies.
When Tesla agrees to retrofit a customer’s car by upgrading such components, it takes the old units for disposal — customers aren’t usually allowed to keep them. However, the researcher’s discovery means that technicians are either selling them online, or eagle-eyed hunters are going through dumpsters near Tesla service centers, or both, according to InsideEVs.
The car firm has not responded to the title’s request for more comment on its process for disposing of old parts and why it doesn’t erase user data first. However, a source told the publication that technicians were being told merely to hit units with a hammer a few times before throwing them away.
In the meantime, the carmaker appears not to be notifying customers whose data may have been exposed in this way. Users who have had retrofitting are therefore advised to change all relevant passwords on their devices and online accounts.
Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center), argued that the more sophisticated the device, the greater the potential for it to contain data that may place user privacy at risk after recycling.
“With cars becoming ever more connected and offering increasing information to drivers and passengers, manufacturers like Tesla, dealer networks supporting any manufacturer and neighborhood mechanics are in a position to access the personal information stored within the multitude of computers within a modern vehicle,” he added.
“Limiting this access, and taking care to ensure stored data is deleted during computer replacement, should be a high priority for the automotive industry as we move closer to a world where connected cars are the norm.”
It remains to be seen whether Tesla's actions attract the attention of Californian data protection regulators.