There’s a hacker/security researcher with the Twitter handle GreenTheOnly who has been doing some interesting work with used Tesla parts. This time specifically, he’s acquired three Tesla Model 3 integrated media control units (MCU) and Autopilot (HW) units (known as the ICE computer, just for Models 3 and Y), and a Model X MCU. These were purchased off eBay, and despite having been reset, Green found that plenty of private owner information and passwords were still easily recoverable from the units.
“Prices on eBay for these units started to drop from more than $US500 ($771) to $US300 ($463) then $US200 ($308) then $US150 ($231) and so on, so more and more people started to buy them for research. They are useless in car repairs because there’s no easy way to use them in other cars. Since you need specialised knowledge to get started, some of those people turned to me and other ‘hackers’ to help them get started. Some units were sent to me to extract data out of them to bootstrap some research too. This is when I became aware of the data leakage happening. I then purchased a unit on eBay to confirm it works exactly like that. And it sure does.”
There are a number of reasons why Tesla owners may need to replace these units: adding Autopilot to an existing car, for example; data-logging issues in some early models that caused failure after a few years; and various other wear-and-tear and failure issues.
Once he had the units, Green found that there was a surprising amount of data still on them, from what appear to be debugging screenshots taken every time a Model 3 starts up:
every time a Model 3 wakes up – a screenshot of the display is captured and stored on EMMC. I guess this was some sort of power management debugging thingie that somebody forgot to disable? MCU2 does not do that.
Last 50 such snapshots are stored. We'll see what else I find. pic.twitter.com/LvCpocJ58k
— green (@greentheonly) May 3, 2020
…to far more compromising data, which he described to InsideEVs:
“…owner’s home and work location, all saved wi-fi passwords, calendar entries from the phone, call lists and address books from paired phones, Netflix and other stored session cookies.”
That’s a security hole big enough to drive a Model X through, even with the Falcon Doors stuck open. And, speaking of the Model X, the unit he got from that model was physically crushed, but data was still recoverable.
Green gave more details on his Twitter feed, clarifying that the Spotify passwords are stored as plain text, and that the Netflix and Gmail passwords are stored in cookie format:
Particularly annoying since I hoped they'd start encryption of the data after that CNBC report from the last year, but nope. It will come for sure this time though I guess.
Other than this I welcome Tesla's contribution to lowering prices on these computers on secondary market.
— green (@greentheonly) May 3, 2020
The ability to get calendar events and the owner’s phone book and call history is also a huge security breach.
When owners decide to upgrade their cars’ computer, Tesla will only let them keep their original hardware for, according to a Tesla owners’ forum, a $US1,000 ($1,542) fee. Yes, it’s strange to have to pay the company to take hardware that you should have owned when you bought your car, but Tesla has a history with non-traditional ideas of just what you think you’ve bought with your car.
InsideEVs attempted to contact Tesla to ask why they don’t encrypt the data, or at least destroy it before discarding the old computers, and whether they have any plans to improve their practices in the future. Unsurprisingly for those of us who have attempted to contact Tesla in the past year or so, they had received no response as of press time, and, if I had to bet, they won’t.
So, the takeaway here for Tesla owners is that, I suppose, if you’re replacing your car’s computer, do not expect that any of your information will remain secure.
If you can get access to your original computer, either by angrily paying a grand to Tesla or digging it out of your service centre’s dumpster, you can try to really destroy it, maybe with an acetylene welding torch or something.
Beyond that, Tesla does not appear too concerned about your privacy, and, considering they haven’t really addressed the privacy issues Green and CNBC brought up last year with used Teslas, I wouldn’t suggest any breath-holding.
This is a very different world of car parts and repair than we’ve really encountered before. Sure, buying parts on eBay can reveal information about who had that part before you, but that’s usually limited to finding a wadded-up Taco Bell wrapper inside an old VW heat exchanger. These kinds of data vulnerabilities are serious, and Tesla needs to address them.