A hacker found Spotify passwords, Gmail and Netflix session cookies, Wi-Fi passwords and more on Tesla car parts sold on eBay.
Protecting customer data should be the first priority of any vendor, and high-profile companies carry a bigger responsibility here because their customer base is far wider and the public's trust in them far higher. That does not seem to be the case with electric vehicle manufacturer Tesla, Inc., according to the findings of the ethical hacker known as GreenTheOnly.
It started when Green noticed discarded infotainment components for sale on eBay, which is nothing out of the ordinary. What makes this concerning is that Tesla had not deleted the stored user data from the components.
A vehicle's infotainment system typically stores audio media information, addresses and phone numbers. Tesla's is more capable than most: it also signs in to online services such as Netflix and Spotify, which means it holds those accounts' credentials and session tokens as well.
This recalls a recent incident in which a German military laptop was sold on eBay for just €90 including shipping. The buyer, the cybersecurity firm G Data, found that it still held classified military documents.
To dig deeper, Green bought four used MCUs (media control units) on eBay and found that the devices still held the personal data of their previous owners, with no protection at all: Green could read it directly.
Some units held Spotify passwords in plain text, plus Gmail and Netflix session cookies, which anyone holding them can replay to get into the original owner's accounts for as long as those sessions remain valid.
Previously used Wi-Fi passwords were stored on the device as well, along with the call history and phone-book contacts of every phone that had ever been paired with the car.
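The kind of residue Green describes is found by triaging the unit's filesystem for credential material. The script below is an added illustration for this article, not code from the page, from Tesla or from GreenTheOnly. The directory layout and file contents produced by build_sample_tree() are constructed for the demonstration and say nothing about the real Tesla MCU filesystem, and the regular expressions are heuristics that flag likely secrets (a wpa_supplicant pre-shared key, a plaintext password assignment, a Netscape-format cookie-jar line) rather than proof of a leak.

```python
"""Triage scan of an extracted filesystem for residual user secrets.

Added example for this article, not code from the page, from Tesla or from
GreenTheOnly.  The tree created by build_sample_tree() is CONSTRUCTED for the
demonstration and does not describe the real Tesla MCU filesystem; point
scan_tree() at a read-only mount of an imaged unit to use it for real.
"""
import os
import re
import tempfile

# Heuristic patterns that betray leftover credentials on an embedded Linux
# unit.  Each entry is (label, regex with the secret captured in group 1).
PATTERNS = [
    # wpa_supplicant-style Wi-Fi pre-shared key: psk="..."
    ("wifi_psk", re.compile(r'^\s*psk\s*=\s*"([^"]+)"', re.M)),
    # key=value or "key": "value" password assignments in config/JSON files
    ("plaintext_password",
     re.compile(r'(?i)\bpassword\b"?\s*[=:]\s*"?([^\s",]+)')),
]

# Netscape cookie-jar line: domain, subdomains, path, secure, expiry, name, value.
# A live session cookie stored here is an account takeover waiting to happen.
COOKIE_LINE = re.compile(
    r'^(\S+)\t(TRUE|FALSE)\t(\S+)\t(TRUE|FALSE)\t(\d+)\t(\S+)\t(\S+)$', re.M)


def redact(secret):
    """Keep a 3-char prefix so a report is actionable without re-leaking the value."""
    return secret[:3] + "..." if len(secret) > 3 else "..."


def scan_file(path):
    """Return a list of findings for one file (empty if none, or if unreadable)."""
    findings = []
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return findings
    for label, rx in PATTERNS:
        for m in rx.finditer(text):
            findings.append({"file": path, "type": label,
                             "hint": redact(m.group(1))})
    for m in COOKIE_LINE.finditer(text):
        findings.append({"file": path, "type": "session_cookie",
                         "domain": m.group(1), "name": m.group(6)})
    return findings


def scan_tree(root):
    """Walk a directory tree (e.g. a mounted eMMC image) and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def summarize(findings):
    """Count findings by type, e.g. {'session_cookie': 2, 'wifi_psk': 1}."""
    counts = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


def build_sample_tree(root):
    """Create a CONSTRUCTED sample tree with the kinds of files the article
    describes: a plaintext app password, a Wi-Fi PSK and a cookie jar."""
    samples = {
        "home/user/.config/musicapp/prefs": "username=alice\npassword=hunter2\n",
        "etc/wpa_supplicant/wpa_supplicant.conf":
            'network={\n\tssid="HomeNet"\n\tpsk="correct horse battery"\n}\n',
        "home/user/browser/cookies.txt":
            "# Netscape HTTP Cookie File\n"
            ".video-service.example\tTRUE\t/\tTRUE\t1700000000\tSessionId\tv2abc123\n"
            ".mail.example\tTRUE\t/\tTRUE\t1700000000\tSID\tdeadbeef\n",
        # Benign file: the word "password-less" must not trigger the heuristic
        "var/log/boot.log": "password-less login disabled\nboot: ok\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def run_demo():
    """Build the constructed tree in a temp dir, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        return summarize(scan_tree(build_sample_tree(tmp)))


if __name__ == "__main__":
    print(run_demo())
```

In practice, the imaged storage would be mounted read-only and scan_tree() pointed at the mount point. Browser cookie stores on real devices are often SQLite databases rather than text files, so a fuller triage would open those with the sqlite3 module instead of relying on the cookie-jar pattern; the point of the exercise is that a few minutes of pattern matching is all it takes to confirm that a unit was never wiped.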
The problem dates from March 2020, when Tesla began offering retrofit upgrades. During the upgrade, Tesla removes the old MCU and fits a new one.
The customer is not allowed to keep the old unit. The removed components are supposedly destroyed, yet they turn up for sale or dumped near Tesla's service centers.
Bad news Sunday. If you had the infotainment computer in your Tesla replaced (model3 FSD upgrade, mcu2 retrofit, mcu1 emmc fix or any other fix requiring computer swap) – consider all accounts you logged into from the car compromised and change pwds. https://t.co/sCs7elRoyk
— green (@greentheonly) May 3, 2020
Green tried to contact Tesla, but the company did not respond in time, so he chose to disclose his findings publicly.
Tesla needs to explain how it handles customer data on used and discarded units and what procedure is supposed to remove it, because whatever that procedure is, it is clearly not working.
If you own a Tesla with an MCU, you cannot wipe the unit yourself once it is in the technician's hands, so do what you can before the appointment: sign out of the streaming and e-mail accounts used from the car, remove paired phones and saved Wi-Fi networks, and run a factory reset if the vehicle offers one. After the swap, follow Green's advice: treat every account used from the car as compromised, change its password and sign out of all sessions so any stored session cookies stop working, and change the password of any Wi-Fi network the car had saved.