Skip to main content

Tesla Model 3 hack shows new cars can snitch on owners after a wreck

Tesla Model 3 hack shows new cars can snitch on owners after a wreck

/

Researchers found unencrypted crash footage, navigation data, and more on a salvaged car

Share this story

Illustration by Alex Castro / The Verge

Two security researchers and self-described “white hat hackers” found a trove of unencrypted location, camera, and other data on a wrecked Tesla Model 3, according to a new report from CNBC. And while it’s not a problem unique to Tesla, the example serves as a stark reminder that newer cars can become a security risk for former owners, regardless of whether they’re sold or wrecked.

The two researchers say they bought a totaled Model 3 in late 2018. When they accessed the car’s computer, they found unencrypted data from “at least 17 different devices,” according to the report. (The car had been owned by a construction company and presumably used by multiple employees.) That included 11 driver or passenger phonebooks, with numbers, email addresses, and calendar entries intact. The researchers also gained access to the last 73 locations that had been plugged into the car’s navigation system.

“I’m really surprised to learn that they would handle data so carelessly.”

In addition, the car’s computer still contained footage from one of the Model 3’s seven cameras. This included the forward-facing view of the wreck that totaled the car, as well as a clip of a previous crash that was less serious.

One of the researchers told CNBC that he found similar data from other Tesla vehicles, too, including a Tesla Model S, Model X, and two other Model 3s. “Given how technically sophisticated Teslas are, I’m really surprised to learn that they would handle data so carelessly,” Ashkan Soltani, a security researcher and former chief technologist for the FTC, said in an email to The Verge.

In a statement, Tesla said it offers customers the option to delete personal data by performing a factory reset on the vehicle. The company says it’s “always committed to finding and improving upon the right balance between technical vehicle needs and the privacy of our customers.”

Newer vehicles are able to store a ton of both personal and vehicle data. Tesla’s cars tend to collect and store more vehicle data because they’re outfitted with more sensors, but the issue of data retention is widespread. Last May, a former Volkswagen owner told The Verge about how she could still access the location of the Jetta she sold months after the transaction, for example.

As CNBC points out, personal data retention is a problem more readily associated with rental cars. The Federal Trade Commission has repeatedly reminded consumers to be careful with their information when renting. But as cars are outfitted with ever more sensors and computers, those that have been sold or crashed now contain far more granular data about an owner than what’s generated over a few days in a rental.

Car owners need to treat new cars like smartphones and wipe them before a sale

The problem with all this “data waste” is that some manufacturers shift the burden for privacy to consumers. The Jetta owner, for example, didn’t know Volkswagen puts the onus on the customer to wipe their data before selling their car — even if it’s being sold back to a dealership. So new car buyers should start treating vehicles like they would a smartphone and be sure to wipe any data before selling it to anyone.

“I do think automakers should be taking steps to make sure that information isn’t available to unauthorized access (secondary owners or used car dealerships, for example),” Soltani writes. “Location and contacts are incredibly personal and sensitive, [and] I think it’s problematic to leave that information laying around. Specially given that unlike mobile phones, cars typically stay in circulation for decades.”

Even if they behave perfectly, car owners don’t always necessarily have control over the situation. In a crash like the one CNBC reported on, the last thing an owner is likely going to think about after slamming into a tree is that they need to factory reset their car. And depending on the severity of the crash, the car’s screen may not even work, making doing so impossible without extra hardware.

So as cars continue to collect more and more data, everyone — from the companies that make them, to the people who buy them, to the regulators overseeing the evolving market — needs to think a little harder about how to make sure that data doesn’t wind up in the wrong hands.