If you crash your Tesla, when it goes to the junk yard, it could carry a bunch of your history with it.
That’s because the computers on Tesla vehicles keep everything that drivers have voluntarily stored on their cars, plus tons of other information generated by the vehicles including video, location and navigational data showing exactly what happened leading up to a crash, according to two security researchers.
One researcher, who calls himself GreenTheOnly, describes himself as a “white hat hacker” and a Tesla enthusiast who drives a Model X. He has extracted this kind of data from the computers in a salvaged Tesla Model S, Model X and two Model 3 vehicles, while also making tens of thousands of dollars cashing in on Tesla bug bounties in recent years. He agreed to speak and share data and video with CNBC on the condition of pseudonymity, citing privacy concerns.
Many other cars download and store data from users, particularly information from paired cellphones, such as contact information. The practice is widespread enough that the US Federal Trade Commission has issued advisories to drivers warning them about pairing devices to rental cars, and urging them to learn how to wipe their cars’ systems clean before returning a rental or selling a car they owned.
But the researchers’ findings highlight how Tesla is full of contradictions on privacy and cybersecurity. On one hand, Tesla holds car-generated data closely, and has fought customers in court to avoid giving up vehicle data. Owners must purchase $995 cables and download a software kit from Tesla to get limited information out of their cars’ “event data recorders,” should they need it for legal, insurance or other reasons.
At the same time, crashed Teslas that are sent to salvage can yield unencrypted and personally revealing data to anyone who takes possession of the car’s computer and knows how to extract it.
The contrast raises questions about whether Tesla has clearly defined goals for data security, and who its existing rules are meant to protect.
A Tesla spokesperson said:
“Tesla already offers options that customers can use to protect personal data stored on their car, including a factory reset option for deleting personal data and restoring customized settings to factory defaults, and a Valet Mode for hiding personal data (among other functions) when giving their keys to a valet. That said, we are always committed to finding and improving upon the right balance between technical vehicle needs and the privacy of our customers.”
Data stored on a Tesla Model S, Model X or Model 3 vehicle is not automatically erased when the car is hauled away from an accident site or sold at auction. This means personal details remain on the car, and can be learned by people who come into possession of the car or certain of its components, according to GreenTheOnly’s research.
Tesla sometimes uses an automotive auction company called Manheim to inspect, recondition and sell used cars. A former Manheim employee, who asked to remain anonymous, confirmed that employees do not wipe the cars’ computers with a factory reset. Manheim declined to comment.
GreenTheOnly and fellow white-hat hacker Theo, a Tesla proponent who has repaired hundreds of wrecked Teslas, bought a totaled white Model 3 for research purposes late last year. They found the vehicle was owned by a construction company in the greater Boston area, and used by people who worked there. The construction company did not respond to multiple requests for an interview.