A hacker who bought some old Tesla infotainment systems has made a shocking discovery.
Tesla allows owners to retrofit Model X and Model S cars equipped with older infotainment systems with newer versions of its media control unit that offer faster performance, video streaming services, and playable video games that won't run on Tesla's first-generation infotainment system. Earlier versions of the Tesla Model 3's ICE unit also doesn't support Tesla's Full Self-Driving package.
However, a computer hacker made a surprise discovery when they bought four Tesla media control units on eBay. As reported by InsideEVs, white hat hacker GreenTheOnly found the media control units contained the previous owner's personal information. Green said every module he bought contained "owner's home and work location, all saved wi-fi passwords, calendar entries from the phone, call lists and address books from paired phones, Netflix and other stored session cookies."
This is obviously a massive security risk, as session cookies stored by Netflix and Google can allow hackers to compromise accounts. Spotify passwords were also found stored in clear text instead of being encrypted. Green obtained three ICE computers from Tesla Model 3s and an MCUv2 from a Model X. Despite the latter unit being crushed, the data was still recoverable. Tesla did not respond to the publication's request to disclose its procedure for scrapping old MCU units, but sources claim technicians either throw the replaced computers away or "hit them with a hammer a few times" before discarding them, which obviously doesn't destroy the data.
Using the data obtained by Green, InsideEVs was able to contact all four owners who previously had the units installed "This is very concerning! I do own a Tesla Model 3 and recently upgraded to Hardware 3 for FSD at my local Service Center," one owner whose data was breeched said.
"I am willing to connect with you regarding this issue as I am disturbed that something like this could happen and worried about what type of data is available to anyone willing to purchase it". In response to Green's discovery, Tesla promised it would warn at least one owner about the data breach. At the time of writing, Tesla has still not contacted them.
"Tesla did not contact me about the data breach. They should have and I hold them responsible for that," the owner said. "I also feel that they should be held accountable for this breach, especially if this happened to others. Despite this, I believe in Tesla and what they are trying to do. I do not want to harm that in any way. While I am hurt and a bit shocked, I absolutely love my car and this company."