According to white hat hacker GreenTheOnly, Tesla forgot to wipe personal information of customers from previously used infotainment and Autopilot hardware. The discovery came about after Green found and purchased four pre-owned Tesla components from eBay.
“Bad news Sunday. If you had infotainment computer in your Tesla replaced (model3 FSD upgrade, mcu2 retrofit, mcu1 emmc fix or any other fix requiring computer swap) – consider all accounts you logged into from the car compromised and change pwds,” said Green in a Twitter post on May 3.
While normal vehicle infotainment systems can store phone numbers, audio media and addresses, Tesla components also enable access to video- and audio-streaming platforms such as Netflix and Spotify.
In some of the systems, the researcher found Netflix session cookies that could be used to gain access to the owner’s account, while others included stored Gmail cookies, WiFi passwords and Spotify passwords in plain text.
“In particular if you log into spotify – the password is stored in plain text. gmail and netflix are stored as a cookie but still give a potential attacker access. Then of course all recent calendar events and your phone book and calls history too,” Green added.
The company says upgrading a car’s hardware to gain access to new features and upgrades is performed in Tesla service centers, and owners can also request the transfer of their personal data and preferences to the new installations.
While service centers should destroy any pre-owned hardware, or at least wipe existing personal information, it is unclear how the hardware found its way onto the eBay marketplace.
Green also notified Tesla representatives of his findings. However, the company failed to notify affected customers, and has yet to release an official statement.
Tesla owners who wish to sell their vehicles are advised to manually wipe the data from their infotainment systems, and should they opt for upgrading their car with new fittings, they should make sure that the service center properly disposes of the hardware and deletes any existing information.