More and more cars are technological, with philosophies very similar to those we have in other electronic devices. In this sense, care for the privacy of users' data is essential. Apparently, Tesla has a flaw that may be disclosing data that should have been deleted. Someone discovered this flaw, bought old Tesla parts on eBay and found them full of user data.
According to an investigation, this data can be recovered even after the owners perform a factory reset.
Tesla's infotainment systems are increasingly complete. However, they do require vehicle owners to access them with their integrated data. This in-car entertainment area allows you, for example, to watch videos from Netflix or YouTube, run Spotify, connect to the Wi-Fi network and, of course, store phone numbers.
However, these benefits require the storage of a lot of personal information. At least that is what an amateur researcher found and that can reveal the most sensitive data of the owners.
User data is not erased after all
The investigator managed to gain access to 13 Tesla MCU. This is the acronym for Media Control Unit. These parts were removed from the electric cars when they were to be repaired or when they were to “slaughter”. Thus, the investigator was able to realize that each of the devices stored a large amount of sensitive information, despite having been "erased".
According to the that was described, the existing data included phone books from smartphones connected to the car, call logs, with hundreds of entries, recent calendar notes, usernames and passwords for Spotify and WiFi networks stored in open text. In addition, there were GPS routes to the owner's home, to the place of work and all the places to navigate. Finally, it was still possible to find session cookies that allowed access to Netflix and YouTube (and attached Gmail accounts).
All 13 devices showed that their last location was at a Tesla service center. Such information may reveal that these parts have been removed by an authorized Tesla technician. Tesla service stations remove MCUs for several reasons. Among the most common reasons are defects in the unit, switching to a more modern and more advanced version (when it comes to improving the vehicle's autopilot).
Private data of Tesla users on Ebay
The Investigator, with the username @greentheonly, said it obtained 12 of the units on eBay pages, how are you doing, for example. Another was obtained through a friend. According to the investigator, Tesla's official procedure requires that the removed MCUs be sent intact back to Tesla. Subsequently, damaged units must be “hammered” to ensure that the connectors are sufficiently damaged and then disposed of in the trash.
It appears that some service center employees sell units intact on the side instead of returning them (I imagine they just create a destruction / elimination record internally).
He mentioned the researcher in an interview.
In particular if you log into spotify – the password is stored in plain text. gmail and netflix are stored as a cookie but still give a potential attacker access.
The of course all recent calendar events and your phone book and calls history too.
– green (@greentheonly) May 3, 2020
Tesla's obligation to protect data
The Greentheonly discovery reveals a risk not only for Tesla owners, but for drivers of virtually any vehicle that has devices on board that store personal data or provide remote monitoring.
There are reports of users that, with cars of other brands, after delivering the rented vehicle, they still have access to the vehicle's shares, even though it is already in the hands of another customer.
Therefore, what is at stake is the weak service of those who have obligations to validate that this data is effectively deleted. And that the infotainment system will not be used by other people, having private information from the former owner or user.
The investigator said that Tesla MCUs maintain information in an SQLite database that is not erased until the blocks on the hard disk that stores it are overwritten with new data. Although a factory reset may not be foolproof, it is likely to make the recovery process difficult and time-consuming to provide a meaningful, if imperfect, defense. The ideal is to even destroy the units when they are unusable.
Read it too?