Tesla’s retrofitting service for media control units (MCU) and Autopilot hardware may not go far enough in protecting owners’ personal data. That’s according to white hat hacker GreenTheOnly, whom obtained four units of these Tesla computers off eBay and found the previous owners’ personal data still on them. Even more worryingly, though, Tesla have failed to notify customers that might be affected.
Bad news Sunday. If you had infotainment computer in your Tesla replaced (model3 FSD upgrade, mcu2 retrofit, mcu1 emmc fix or any other fixe requiring computer swap) – consider all accounts you logged into from the car compromised and change pwds.https://t.co/sCs7elRoyk
— green (@greentheonly) May 3, 2020
Businesses and consumers need to recognize that, just like with laptops, any piece of software is capable of collecting personal data. The more sophisticated and connected the device, the greater the potential for it to contain logs and settings which could place the consumer at risk when the device is resold or recycled. With cars becoming ever more connected and offering increasing information to drivers and passengers, manufacturers like Tesla, dealer networks supporting any manufacturer and neighbourhood mechanics are in a position to access the personal information stored within the multitude of computers within a modern vehicle. Limiting this access, and taking care to ensure stored data is deleted during computer replacement should be a high priority for the automotive industry as we move closer to a world where connected cars are the norm.
Second-hand electronics can be a treasure trove of information for criminals. If organisations do not adequately wipe previous information, any information stored relating to previous owners or organisations can be viewed, resulting in a security and privacy breach. It\’s therefore essential that organisations which provide devices have mechanisms that allow users to easily and securely erase all data contained prior to returning or selling it.
Tesla always push boundaries of driverless technology, so it’s quite unexpected to hear of data leakage of personal data from automotive components like this, especially those at the edge of powerful online network systems that drive modern intelligent vehicles. The question on my mind is, could Tesla avoid personal data storage like this using modern data-centric security technology? Very probably. There are new data security methods that are ideal for dynamic edge telemetry systems and online analytic platforms to avoid retention of personal data while still enabling full customer experience, engagement, and even machine learning analytics without live data leakage risks. That would take care of both the disposal and recycling of parts, but also a myriad of security and privacy compliance issues and data breach risks for them.
Tesla seems to have an operational security issue at its service centres that allow its computers to be resold without wiping the previous owners data. The service centres are either not destroying them well enough to make data unrecoverable, or technicians are selling the old computers to make a profit, or both. If you plan on upgrading the computer in your Tesla, be sure to use the factory reset option to wipe all of the data beforehand.