Buy Tesla spare parts on eBay, find them full of sensitive data: that's what happened

The infotainment systems of modern cars can become truly complete multimedia and communication centers, with that of Tesla to represent a sort of point of reference in the sector, for completeness and user involvement. The communication features integrated in the cars or, in Tesla's own case, the possibility of using streaming services such as Netflix and YouTube, implies that a lot of personal and sensitive information is saved on the on-board systems, with all the risks involved.

Risks that a user passionate about the subject has clearly highlighted or, as he himself prefers to define himself as "a Tesla geek curious to understand how things work". The individual, who allows himself to be recognized only by the nickname "greentheonly" he told on his Twitter account to have come into possession of 13 Media Control Unit of Tesla cars, removed from vehicles during repair, update or reconditioning operations.

Each of these units, says the user, contain a real swag of sensitive information: phone books of the cell phones that have connected to them, call history, appointments, passwords of WiFi networks and users of streaming services (saved in plain text), addresses of homes, workplaces and in general all places where you went and session cookies that allow access to Netflix, YouTube and Gmail accounts.

All 13 units showed as the last registered location that of an authorized Tesla service center, indicating that the removal of the same occurred by an authorized technician and probably in the context of a legitimate intervention. The units would have been removed for various reasons, but the most common are those that involve replacing a defective device or upgrading to a new model to improve functionality, such as autopilot.

Greentheonly claims to have recovered almost all units on eBay, while only one was recovered by an acquaintance. Based on the information he collected, he believes that Tesla's official procedure requires that the removed MCUs must be sent intact and without modification to the parent company, while the damaged ones must be treated so that the connectors are rendered useless and therefore thrown away. According to the "geek" for, it seems that some employees of authorized service centers they claim the units intact instead of returning them to the parent company, tracing them internally as specimens intended for demolition. And some of these units, it seems, can also be found at the junkyards.

Although the particular case calls Tesla specifically, this actually concerns all the owners of any vehicle equipped with on-board devices with advanced functions which presuppose coming into contact with the user's sensitive data. In this regard, one can cite the case, which emerged in the recent past, of a man who after returning a rented Ford vehicle was able to start, switch off, lock and unlock the vehicle remotely 4 months after use. These are non-negligible security and privacy risks which could easily be neutralized if, for example, the employees of the car rental agencies were responsible for carrying out a reset of the infotainment systems at the end of each rental session.

In general, however, that in the current state of affairs it remains for the individual user to take on the task of carrying out a factory reset when you sell a car, return it after a rental or have the infotainment system maintained. However, as greentheonly himself observes, this measure alone does not guarantee to make the data totally unrecoverable: the information stored by Tesla's MCUs is found in a SQLite database that is deleted only when the hard disk blocks that contain it are overwritten with new data. In any case, the simple reset would already imply a greater effort for those wishing to try to recover the contents, and therefore represents a useful though not perfect form of defense. The alternative, of course, is the physical destruction.