Tesla has been throwing away computers without wiping them, leaving some customer accounts compromised. Be aware if Tesla ever had to replace your onboard computer.
With Tesla’s Autopilot computer upgrade and a recently announced MCU2 upgrade, on top of regular replacements for performance issues, Tesla is changing a lot of computers in its vehicles today.
Now the fact that a lot of used Tesla computers are showing up on eBay raises some questions about Tesla’s process to get rid of those computers, which can often contain sensitive information, like Google or Spotify usernames and passwords.
Even more troubling, these passwords don’t seem to be encrypted.
That’s the kind of information that can be used to hack someone, and exposing it can be described as compromising customer accounts.
Hacker Green acquired several of these computers and managed to find a lot of that kind of information about previous owners.
Fortunately, the first thing he did was reach out to Tesla and let them know about the vulnerability.
The automaker told him that they were launching an investigation into the issue, but the investigation didn’t seem to be taken too seriously.
Green told Electrek that when he shared the VINs of the units he had with Tesla, they told him that those units were “stolen” from them.
However, it appears that Tesla might be stretching the meaning of the word “stolen.”
Green shared proof with Electrek that these computers can be found in Tesla’s service center dumpsters.
He wrote on Twitter:
I got in contact with Tesla security via proper channels and they are looking into it. But considering units are thrown into trash as per the procedure — not even sure this can be pinned on anybody. At most, ‘Why did not you whack it with a hammer at least?’
Tesla claims that the computers are supposed to be wiped before being thrown away, but Green is only aware of a reset procedure that can be done at the factory, not at service centers.
Either people dumpster dive to grab them and sell them to resellers and they end up on eBay, which is hardly “stealing,” or Tesla employees themselves sell the computers.
You can see plenty of them available for sale on the website:
Green told Electrek that he even heard about Tesla employees selling computers to third-party Tesla repairers:
I know some people on the unauthorized repair side and they say Tesla staff comes and brings such units.
He added on Twitter:
I am more worried about people already affected, cannot retroactively fix that so I tried to ask Tesla to commit to some rapid response based on whatever internal data they have. But cannot get even a timeline out of them.
not a lawyer so no idea how security breach laws apply.
— green (@greentheonly) May 3, 2020
Tesla told Green that they would contact people who are affected by this leak of information, but they haven’t given a clear timeline on that.
Electrek contacted Tesla about the issue and we will update if we get an answer.
Well, that’s dumb.
First off, these computers shouldn’t end up in dumpsters in the first place. They should be recycled, and they should obviously be wiped first. And even if these units are found, the information on them should be encrypted so that it is at least extremely difficult to recover, should one of them fall into the wrong hands.
There are going to be thousands of Tesla computers in that situation in the coming months, and likely hundreds of thousands over the next year. Kind of a waste of equipment, if you ask me.
Tesla needs to have a much better procedure in place before that can happen, and they need to make it right for people who have already had a computer upgrade by letting them know they must change their passwords.
If you have linked accounts on your Tesla and have had your computer upgraded, you should definitely change those passwords.