There is evidence that Tesla did not erase users' personal information from replaced parts, and that the parts were “streamed” for sale online. Tesla’s media control unit and Autopilot hardware modification unit do not do enough to protect users’ personal information, according to white-hat hacker GreenTheOnly.
GreenTheOnly purchased four media control units and Autopilot hardware on eBay and found the previous users' personal information on them. More worrying is Tesla’s response to the incident.
According to GreenTheOnly, he informed Tesla of the discovery before reporting to InsideEVs. But surprisingly, Tesla refused to notify all customers that might be affected in a timely manner, saying only that it would notify one of them.
GreenTheOnly disclosed to InsideEVs that all the hardware he purchased contained “cookies for the user’s home and work address, WiFi password swiphone from the phone, calendar entries, call logs, contacts, Netflix and other services.” Netflix’s cookies allow hackers to control these accounts.
Figure: Two parts that could reveal a user’s personal information
The components in question include the media control units for Model S and Model X, as well as the ICE of Model 3. In Model S and Model X, the media control unit and Autopilot hardware are independent of each other;
Although Tesla says that models produced after April 22, 2019 are equipped with HW 3.0 components, many later models are actually equipped with lower versions of the hardware. These users need to replace the ICE if they want to enjoy fully autonomous driving.
“These parts cost from $500 to $150 on eBay, and more and more people are buying them for research purposes,” GreenTheOnly said. “They won’t be replaced in other cars because it’s not easy. After someone asked me to help extract the stored data, I realized the problem and then purchased a part from eBay to confirm the claim.”
CNBC quoted GreenTheOnly in March 2019 as saying that salvaged Tesla cars still had data stored in them. Tesla responded at the time that users could use the factory reset option to remove sensitive data stored in the car.
Users can only replace these parts through Tesla. Users often want their personal information carried over to the new part, so Tesla transfers it from the old part while that part is still installed in the car. Once the old part has been removed from the car, the user can no longer erase the data on it.
According to Tesla policy, the replaced parts are not owned by the user. Online sources said users would have to pay $1,000 to keep the replaced parts.
Under Tesla policy, replaced parts are reportedly destroyed first and then disposed of as scrap, which is why GreenTheOnly bought the damaged media control unit.
Pictured: Damaged Tesla Media Control Unit Components
“What I’ve learned is that staff beat parts with hammers several times before they are disposed of as scrap,” GreenTheOnly said. “Obviously, this is not enough to destroy the data. I’ve even seen such parts for as low as $10. Parts that didn’t break are more expensive, so I suspect Tesla crews have a motive not to hit them with a hammer.”
GreenTheOnly warns that hackers can even find out at which service center the parts were replaced.
There are two explanations for the online sale of replaced Tesla parts: one is that the service center did not break the replaced parts as required, and the other is that technicians sell them for profit. Or maybe both.
In fact, Tesla does not have to destroy the parts or charge customers $1,000: it could clear the data and sell the parts to other users at a low price as second-hand products.
Tesla may think reselling the parts is not worth it, but it can commission authorized stores to erase the data and sell them. In addition to addressing privacy concerns, this is more environmentally friendly than simply throwing the parts away.
GreenTheOnly said Tesla users who have upgraded to HW 3.0 will need to change all passwords, and recommended that Tesla users who have not yet upgraded to HW 3.0 reset the on-board system before upgrading.