Enlarge /. In a Tesla.
Tesla infotainment systems are a miracle. Among other things, they display Netflix or YouTube videos, run Spotify, connect to Wi-Fi and of course store phone numbers of contacts. However, these benefits require storing a lot of personal information that an amateur researcher has found to reveal the owner's most sensitive data.
The researcher, who described himself as "Tesla hobbyist who is curious about how it works", recently gained access to 13 Tesla MCUs – short for media control units – that were removed from electric vehicles during repairs and renovations. Despite retirement, each of the devices stored a lot of confidential information. Examples of this included telephone books from connected mobile phones, call logs with hundreds of entries, current calendar entries, Spotify and W-Fi passwords stored in plain text, locations for home, work and all the places to which people were navigated, and session cookies that access Netflix and enabled YouTube (and attached Gmail accounts).
All 13 devices showed that their last location was in a Tesla service center, indicating that they were removed by an authorized Tesla technician. Tesla gas stations remove MCUs for several reasons. Most often, a faulty device is replaced or upgraded to a newer, more advanced device model that improves the vehicle autopilot.
Your data on eBay
The researcher, who goes to the handle greentheonly, told me that he had received 12 of eBay's units from sites like this. He got the other from a friend. Based on his discussions, he believes that the official Tesla process requires that removed MCUs be returned to Tesla intact and damaged units broken in to ensure that the connectors are adequately damaged and then thrown in the trash.
"It looks like some service center employees are selling intact units on the side rather than returning them (I imagine they are just keeping a record of internal destruction / disposal)," the researcher said in an interview. "I know some people who run salvage yards that say this is a source of units that they offer for sale."
Tesla representatives did not return an email asking how the company handled MCUs that were removed from vehicles.
The discovery of greentheonly shows a risk that not only exists for Tesla owners, but also for drivers of practically all vehicles that have devices on board that store personal data or enable remote tracking. A man who rented Enterprise Rent-a-Car Ford vehicles reported that he could start, stop, lock, and unlock the vehicles remotely long after he had used them not just once but a second four months after had returned to the first. As with Tesla MCUs that are making it back to the market, the failure of landlords to oblige employees to completely erase infotainment systems from all data from previous customers is a security and privacy risk that can be easily avoided.
The moral of these stories is that it is up to the individual to do factory resets when selling a car, returning a rental vehicle, or maintaining an infotainment system. Even then, there is no guarantee that previously saved data cannot be restored. The researcher said that the Tesla MCUs store information in a SQLite database that is not deleted until new data is overwritten on the hard drive blocks in which they are stored. Resetting to factory settings may not be easy, but it will likely make the recovery process difficult and time-consuming enough to ensure a meaningful, if incomplete, defense. If possible, this should really destroy the units in a safety-conscious manner.