
Fast And Loose With Customers’ Personal Info, Tesla Gives Hackers A Gift

This should never have happened and Tesla knows it. Over the years Tesla has replaced infotainment systems in both Model S and Model X EVs for a variety of reasons. But now it seems that Tesla did not wipe personal information from the previous owners’ media control units before they were sold. Four were recently sold on eBay and all four were found to contain the previous owners’ personal information. This included home and work locations, saved Wi-Fi passwords, calendar entries, call lists, and address books from paired phones, Netflix, and more. Tesla’s fast and loose handling of customers’ personal info contained on the old units gives hackers a gift.

Tesla offered different upgrades by swapping out control units

A Tesla X interior | Valentin Flauraud/Bloomberg via Getty Images

Tesla has offered owners of older Model X and Model S cars with the first version of the infotainment system the option to swap it for a newer version. The newer units have faster performance, video streaming, and the ability to play video games, which previous units didn’t offer. Tesla’s Model 3 ICE unit lacks the Full Self-Driving features of later units, so those also got replaced.

A hacker named GreenTheOnly recently purchased four old Tesla control units from eBay. Digging into them, he found they all contained a massive amount of personal info from previous owners. This included session cookies from Netflix and Google, unencrypted Spotify passwords, and other info. All of it severely compromised the former owners’ security.

Tesla has not contacted the owners about the breach

“I am willing to connect with you regarding this issue as I am disturbed that something like this could happen and worried about what type of data is available to anyone willing to purchase it,” Green told previous owners, according to InsideEVs. After the error was reported to Tesla, it said it would contact owners about the data breach. As of today, it has not done so.

An MCUv2 for a Model X had been purchased crushed. In spite of the extensive damage to the unit, the data it contained was still recoverable. Sources told InsideEVs that Tesla technicians will sometimes throw the units away or “hit them with a hammer a few times” before disposing of them. Obviously, smashing them does not affect the data within.

Tesla’s Autopilot Technology | David Paul Morris/Bloomberg via Getty Images

The owners of the discarded units were obviously not happy

Four of the owners were contacted and, needless to say, they were not happy. One owner said, “This is very concerning. I do own a Tesla Model 3 and recently upgraded to Hardware 3 for FSD at my local Service Center.”

Another one of the previous owners said, “Tesla did not contact me about the data breach. They should have and I hold them responsible for that. I also feel that they should be held accountable for this breach, especially if this happened to others. Despite this, I believe in Tesla and what they are trying to do. I do not want to harm that in any way. While I am hurt and a bit shocked, I absolutely love my car and this company.”

With this breach being made public, let’s hope that this is the end of Tesla discarding ECUs and other components that contain personal data.