Tesla vehicles carry a veritable treasure trove of unencrypted personal data — data accessible to anyone who knows how to extract it, even if the car is wrecked.
According to a CNBC report, two researchers who described themselves as “white hat hackers” were able to extract unencrypted location, camera and other data from a wrecked Tesla Model 3.
Unfortunately, this isn’t a problem exclusive to Tesla vehicles, and the report stands as a reminder that newer cars can pose a significant security risk when sold or totalled.
The researchers say they purchased a wrecked Model 3 in late 2018. They were able to access the car’s computer and uncover the data. Much of it had come from other devices — a construction company owned the vehicle, and several different employees likely drove it and connected their phones, syncing data to the car’s computer.
The researchers found 11 driver or passenger phonebooks, complete with numbers, email addresses and calendar entries. Additionally, the researchers could access the last 73 locations entered into the car’s navigation system.
On top of that, the car’s computer also had footage from the Model 3’s cameras, including a forward-facing view of the crash that totalled the car and a previous crash that wasn’t as serious.
This isn’t isolated to the Model 3 either. One of the researchers told CNBC that he found similar data on other Tesla vehicles, including a Model S, Model X and other Model 3s.
A widespread problem
Many new vehicles have similar data retention issues. Tesla vehicles tend to collect more data thanks to the extra sensors and cameras used for features like Autopilot, but there many other, more severe problems.
For one, The Verge reported last May that a former Volkswagen owner could still access the location of her Jetta months after selling the car.
The problem also affects rental vehicles. CNBC noted in its report that the U.S. Federal Trade Commission (FTC) recommends users be cautious with their information when renting. Connecting a smartphone to a car could leave a significant digital footprint behind.
Vehicle manufacturers tend to shift the burden of privacy to consumers. In the case of the Jetta owner, Volkswagen puts the onus on the customer to wipe their data before a sale, even if that sale is to a dealership. In other words, consumers should treat vehicles like a smartphone and wipe it before selling it.
Most new vehicles do include options for wiping and factory resetting the computers used to power infotainment and navigation systems. However, users may not be able to access that option.
In cases like that of the Model 3 CNBC reported on, drivers likely aren’t worried about factory resetting their car after a collision. Worse, severe crashes could damage the car’s screen, making it impossible to factory reset it without additional hardware.
Ultimately, it’s a problem that needs more than just customers dealing with it. Vehicle manufacturers and regulators need to be conscious of the issue and think about how to protect data stored on vehicles.