Hacker buys used Tesla infotainment components on eBay, finds previous owners Spotify passwords, Gmail & Netflix session cookies, etc.
Tesla cars are at the forefront of technological innovation. Even their infotainment system boasts of features none of the other cars can offer. You run navigation, play YouTube videos, watch NetFlix movies, run Spotify, connect to Wi-Fi, and of course store phone numbers of contacts with a tap of a button.
But what happens when you sell or scrap the infotainment system. Unlike our smartphone or PC/laptop we don’t wipe of data on an infotainment system and it can lead to some difficult situations. Most cars including Tesla don’t offer their buyers any sort of data wiping tool on their infotainment systems. The same thing happened when a hacker purchased a discarded infotainment system on eBay. He was surprised to find the user details including Gmail and NetFlix session cookies on the used Tesla infotainment parts.
Protecting customer data should be the first and foremost priority of every manufacturer. But the electric vehicle manufacturer Tesla seems oblivious to these facts according to ethical hacker greentheonly.
Green recently bought 13 Tesla media control units (MCUs) that were available for sale on eBay. Green who calls himself a “Tesla tinkerer that’s curious about how things work,” says the MCUs were probably removed by Tesla during repairs and refurbishments. What he was surprised to find that each one of the devices stored a trove of sensitive information despite being discarded.
He found all the MCUs contained phone books from connected cell phones, call logs containing hundreds of entries, recent calendar entries, Spotify and W-Fi passwords stored in plaintext, locations for home, work, and all places navigated to, and session cookies that allowed access to Netflix and YouTube with attached Gmail accounts.
But, what makes this rather concerning is that Tesla didn’t delete the stored user data from the components before scrapping them and condemning them for the second sale.
Green told Ars Technica that he got the 12 MCUs on eBay like this one. He got the 13th one from a friend. As per Tesla SoP, the removed MCUs are be sent intact back to Tesla for further use. Those that can’t be used are hammered down to ensure that connectors are sufficiently damaged and then thrown into the trash. However, in the one’s Green bought, the data was intact suggesting to the fact that some Tesla employee was making a quick buck by selling those intact MCUs on eBay.
The issue is much serious than the MCUs sold by the Tesla employee. If this data falls into wrong hands we can have a hacking incident or stalking or even serious crime. Tesla should make the employee who sold these intact MCUs answerable and develop a procedure to wipe out the Tesla owners’ data before their products are reused.