Tesla infotainment systems from cars that were retrofitted with new hardware are ending up on eBay still loaded with all the original owners' personal information, according to a troubling new report.
A white-hat hacker who goes by Green got his hands on four such devices that were listed on eBay, including both media control units (MCU) and Autopilot hardware. Green tells InsideEV he was able to access “owner’s home and work location, all saved Wi-Fi passwords, calendar entries from the phone, call lists and address books from paired phones, Netflix and other stored session cookies.”
It’s not uncommon for Tesla owners to have the company swap out computers on their cars for the upgraded versions, be that the MCU for Model S and Model X — which is separate from Autopilot hardware in these vehicles, InsideEV notes — or the combined MCU and Autopilot system in the Model 3 and Model Y, known as ICE. While you’d expect Tesla to erase these systems prior to offloading them, the latest find suggests that may not be the case.
This is inexcusable — Given the uncertainty, it’s best to err on the side of caution: reset your passwords for all accounts linked to the infotainment system if you’ve had this type of work done, or wipe out all of your info ahead of time if you’re scheduling a retrofit. After all, much of the information kept in these systems is extremely sensitive.
Spotify credentials, for example, are stored in plaintext, Green found. That essentially leaves the door open for anyone to view account information, which could include payment details. Other things like Gmail and Netflix “are stored as a cookie but still give a potential attacker access,” Green noted on Twitter, adding that this includes “all recent calendar events and your phone book and calls history too.”
Tesla’s procedure is reportedly to have technicians throw out the old computers after removing them, in some cases telling employees to first destroy the unit by hitting it with a hammer, according to InsideEV. That, obviously, is not a perfect method for ensuring junked hardware won’t be compromised.
Tesla doesn't let you keep the removed parts, either (at least not for free), though it’s said to allow owners to do so if they're willing to pay $1,000. The company did not respond to the publication’s request for comment, or for more information to confirm its policy surrounding these issues.
It's a shocking oversight — Tesla has made no moves to notify the affected individuals after the issue was brought to the company’s attention, Green told InsideEV, though it did say it would get in touch with one of the customers (it didn’t). The publication contacted them directly instead.
Customers should not have to worry that they could become the victim of hackers as a result of a standard parts upgrade. Old Tesla computers go for under $500 on eBay, and for as little as about $150, according to Green. That makes it pretty easy for this hardware to fall into the wrong hands. Unfortunately, Tesla doesn’t seem very concerned.