Imagine crashing your car and someone blackmailing you with the footage later on.
As cars continue to become more advanced and stuffed full of technology, they’ve begun to catch the attention of security researchers. One analyst in particular recently purchased a salvaged Tesla Model 3 in order to conduct a series of tests, ultimately determining that the vehicle stores massive amounts of unencrypted personal data, accessible to any individual who has physical access to the car.
A researcher and self-proclaimed white hat hacker who goes by GreenTheOnly often takes advantage of Tesla’s advantageous bug bounty program. The mutually beneficial strategy helps Tesla to patch serious security bugs while rewarding the researchers who find them with thousands of dollars in reward. Recently, the researcher spoke with CNBC under the condition of anonymity, showing just how much personal data he was able to extract from salvage vehicles.
The researcher and his colleague (who has bought and repaired hundreds of wrecked Tesla vehicles) recently purchased a salvage Model 3 found in a junkyard. The vehicle would be studied by GreenTheOnly, who was able to find an alarming amount of personal data left in the car after it had been hauled away for scrap.
Using information found in the car, the vehicle was able to be pinpointed back to its owner, a construction company based in the greater Boston area. The researchers were able to gather data stored by at least 17 different devices that had been connected to the car during its lifespan, none of which were encrypted. Data included 11 phonebooks’ worth of contact information, calendar entries for the devices which paired, and even a series of email addresses. The researchers were also able to discover the last 73 locations which the driver(s) had navigated to.
But perhaps the most damning evidence found in the car was video of two separate crashes that occurred in the wrecked Model 3.
The first video showed the crash that finally brought the car to the salvage yard. The vehicle sped out of control and crashed into trees on the wrong side of the road. GPS and timestamp data was also included, showing the precise time and location of the crash.
But it gets deeper. Phone data from the time of the crash contained enough personally identifiable information to pinpoint who may have been in the car. A phone paired to the vehicle at the time happened to belong to a relative of the founder of the construction company who owned the Model 3, and incoming call logs showed that a family member had placed a call to the phone only moments before it had crashed.
A second video uncovered an earlier accident where the Model 3 sideswiped a guard rail. More video footage shows a general disregard for safety or the possibility that the person behind the wheel was driving while impaired.
Limited data can be collected by any individual willing to purchase a set of EDR cables from Crash Data Group for $995. Raw data output can be collected with Tesla’s EDR tool and then re-uploaded to Tesla’s website in order to generate a basic EDR report (a sample of Tesla’s report from a Model S can be found here). Video and other personal data can’t be collected through this method and requires a more invasive approach.
One feature which Tesla owners enjoy is the car’s recently updated Sentry Mode, a security-like application which enables event-based recording while a vehicle is parked. Specifically, the feature is meant to help capture vandals and prevent thefts. But, the cameras aren’t just recording when using Sentry Mode. In fact, there’s no way for owners to know just when their cameras—including the cabin-facing interior camera—is capturing video.
Opting out of data collection isn’t exactly as simple as one might think. Though possible, GreenTheOnly goes on to explain that one caveat of giving up data collection is also losing over-the-air software updates and other functionality which make Tesla’s vehicles highly desirable to technology aficionados.
Collected information also serves to benefit the automaker directly, protecting it against false claims of Autopilot crashes. Tesla has provided information regarding fatal crashes to the public, which allowed it to both dispel rumors and calm public opinion. Tesla has seen a decrease in use of its Advanced Driver Assistance System, Autopilot, following a recent high-profile crash. Though the data collection is important for the automaker to prevent the spread of incorrect information, it certainly raises the question of just what reasonable expectation of privacy drivers should have when owning a Tesla vehicle and opting in to data collection.
Tesla says that customers are ultimately responsible for the data stored on their cars. Should their vehicle be sold or otherwise disposed of, it’s the automaker’s belief that the owner should first factory reset their car.
“Tesla already offers options that customers can use to protect personal data stored on their car, including a factory reset option for deleting personal data and restoring customized settings to factory defaults, and a Valet Mode for hiding personal data (among other functions) when giving their keys to a valet,” explained a Tesla spokesperson to CNBC. “That said, we are always committed to finding and improving upon the right balance between technical vehicle needs and the privacy of our customers.”
Such is true with vehicles that the automaker sells through a popular dealer-only auctioneering service, Manheim. Another tipster from the auction company told CNBC that Tesla does not wipe customer data from cars which traverse its sales block, nor do the auction’s employees. Manheim declined to comment on the validity of the claim.
The security of the data at Tesla has also been previously questioned. A publicly exposed kubernetes cluster operated by Tesla was compromised in 2018 and used to mine cryptocurrency; it was then found to be the same cluster used to house Autopilot data. In 2017, Tesla exposed a private key used by its maps server for more than a year and reportedly did not respond to reports of the vulnerability for more than two months before it was brought to public attention. There have also been reports of database dumps from Tesla, several of which include wireless networks and their corresponding passwords, all of which were stored in plain text.
Two former Tesla service employees also told CNBC that Tesla has a few built-in security features to flag customers who may have attempted to reverse-engineer their cars. Those who are flagged reportedly will not be prioritized to receive cutting-edge updates.
Still, knowing that any individual with the right skills can reveal the final moments of a car’s life could be daunting. Things people prefer to keep private—where they go, who has been in the car, or how they drive—can be exposed to the public in the blink of an eye. Celebrities and high-profile individuals in particular could shift their views of the automaker’s cars should they know that their personal data could be exposed. Even individuals who oft have nothing to hide tend to change their stance once the shoe is on the other foot.