Tesla Leaked Car Owners' Passwords


Where do you need to go if you want to get your hands on other people's personal data? Well, the dark web hosts a number of marketplaces where cybercriminals sell people's information and login credentials. If you know your way around specialized search engines like Shodan, you can also find servers full of millions of records that are not protected by a password. As it turns out, you can find private data and passwords in old Tesla infotainment systems sold on eBay as well.

A security researcher finds old Tesla computers that contain tons of private information

A security researcher and Tesla owner known by his Twitter handle, @greentheonly, was wondering about the inner workings of the infotainment systems fitted in cars built by the world's favorite EV manufacturer. Perhaps not surprisingly, he decided not to poke through the computer of his own car and instead opted to buy a handful of second-hand units from eBay. The devices were relatively inexpensive, and one of the modules was even damaged, which made it especially cheap. The data that was stored in them, however, was rather valuable.

All the infotainment systems contain a host of private data that belongs to the previous owners. This includes home and work locations, Wi-Fi passwords, call lists, address books, and calendars synchronized from paired mobile phones, and session cookies for various online services. These session cookies would have allowed Green to hijack people's Netflix and Gmail accounts, and he would have had an even easier time altering their Spotify playlists because the passwords for the music streaming service were stored in plaintext inside the infotainment systems.

Thankfully, he had no intention of violating strangers' online privacy, which is why he shared his findings with InsideEVs.com, and he eventually managed to reach the previous owners of four of his eBay-sourced devices. Their stories prove that the leak happened not just because of questionable design decisions regarding the security of the units.

The units shouldn’t have appeared on eBay at all

The previous owners cannot be blamed for the leak in any way. They didn't rip the units from the cars themselves. Instead, they participated in a program organized by Tesla in which the EV manufacturer retrofits newer, improved computers to some of the older cars. It all has to do with addressing performance issues with the old systems that can't be fixed with an over-the-air update, and Tesla is doing the retrofit for free.

A seamless transition means transferring the car owner's personal data from the old computer to the new one. For whatever reason, however, Tesla won't let the owners get their old devices back. Instead, it keeps the units, and according to InsideEVs.com's sources, the policy in Tesla's service centers dictates that technicians must damage the obsolete computers before throwing them away.

The fact that Green bought at least three units in pristine condition from eBay shows that this policy is not followed closely. The fact that a damaged one still leaked the previous owner's data shows that the policy isn't working at all.

Tesla buries its head in the sand

Predictably, the owners InsideEVs.com and Green spoke to were pretty upset, but it looks like Tesla isn't too keen on doing anything to calm them down. Before reaching out to InsideEVs.com, Green tried to contact Tesla himself, but Elon Musk's company ignored him. The manufacturer did respond to InsideEVs.com, and it promised that it would contact at least one of the four owners whose data was found by Green. A week later, however, the owner herself said that she hadn't heard a word from Tesla.

InsideEVs.com also asked some questions about who is responsible for this gross violation of privacy and about the device's data storage mechanisms. Tesla chose to ignore them.

Modern cars have turned into much more than merely a way of getting from A to B. In much the same way, modern car manufacturers are not just profitable corporations whose sole responsibility is to keep the shareholders happy. Like it or not, they are now in charge of, among other things, keeping our data safe, and it's clear that in this particular case, Tesla failed to do it rather spectacularly.

May 7, 2020