Wrecked Teslas hang onto your (unencrypted) data

A Tesla gets run down by a truck hauling a jet engine. Ouch.

The car winds up in a salvage lot in Maryland. The driver, hopefully, doesn’t wind up in a hospital. But the video of it all remains, safe and sound, on that wrecked car, unencrypted and available for all to see.

If you want to see the video of a Tesla and its collision with a jet engine, or videos of Teslas careening off of snowy roads and/or plowing into trees, you can check out #TeslaCrashFootage on Twitter.

You’re able to do so because crashed Teslas being sold at junkyards and auctions are retaining what CNBC says is “deeply personal” and unencrypted data, including video from the car’s cameras that shows what happened moments before the accident.

The unencrypted videos – plus phonebooks, calendar items, location and navigational data – were extracted by a security researcher who calls himself GreenTheOnly. The researcher retrieved the content from Model S, Model X and Model 3 vehicles purchased for testing and research from salvage.

GreenTheOnly, who identifies himself as a white hat hacker and a Tesla fan who drives a Model X, agreed to speak with CNBC and to share data and video with the news outlet on the condition of “pseudonymity,” citing privacy concerns. CNBC identifies the researcher as a “he,” so we’ll follow suit. He’s reportedly made tens of thousands of dollars from Tesla bug bounties in recent years.

Tesla’s split personality WRT privacy

Leaving data unencrypted on a car that’s headed to the junkyard isn’t exactly consistent with how tight-fisted Tesla is with privacy under other circumstances. Tesla drivers involved in car crashes say that they’ve had to wrestle to get data upon request, particularly when they don’t see eye-to-eye with Tesla about whether the crash was due to driver error or defective technology, as Consumer Affairs reported last year.

In January 2018, three people complained that their Tesla Model S surged on its own as they were about to park. A Tesla rep refused to give one of those people a computer-generated report, one driver said, in spite of the gobs of data that Tesla collects.

Consumer Affairs quoted a report from a Miami Beach couple whose inquiries for data from their car’s computer were rebuffed by Tesla, which told them to go get a subpoena if they wanted the data:

“They advised that the throttle went suddenly from 2% to 97%, and then the brake was applied, but when I asked for more details about the approach to the parking space, for a copy of the report, they said they would not provide it without a subpoena.”

Tesla has used the “get a lawyer” approach in previous cases of people wanting to see their cars’ computer data. When Consumer Affairs asked the company why Tesla would force drivers to file for a subpoena to get at their own data, a spokesperson said it has to do with keeping the data private… apparently, even from the customers themselves. Here, they referred to the company’s customer privacy policy:

“We handle all customer data in accordance with our Owner’s Manual and privacy policy, which clearly outlines the type of data we collect and the lengths that we go to protect a customer’s privacy in the process.”

The company also directs customers to fork over $995 to a third-party vendor called Crash Data Group, which sells cables that might – there’s no guarantee – capture the data associated with an event in question.

An expensive hoop to jump through, that, and one that would seem superfluous, given that Tesla engineers apparently already have computer data concerning crash causes. From Consumer Affairs:

“Tesla engineers have given consumers… the impression that they already have extensive data, not just about the crash itself but about the actions that drivers took leading up to the crash.”

According to GreenTheOnly’s research, that data stays on the Tesla Model S, Model X or Model 3: it’s not automatically erased when a car is hauled away from a crash site or auctioned off.

A former employee of Manheim – an automotive auction company that Tesla sometimes hires to inspect, recondition and sell used cars – told CNBC that employees don’t do a factory reset on the cars’ computers.

In one instance late last year, GreenTheOnly and fellow white hat hacker Theo – who’s repaired hundreds of wrecked Teslas – bought a totaled white Model 3. It had been owned by a construction company somewhere around Boston and had been used by various employees, the researchers discerned. In fact, they found that the car’s computers had stored data from at least 17 different devices, none of it encrypted.

Mobile phones or tablets had paired to the car around 170 times. The Model 3 held 11 phonebooks’ worth of contact information from drivers or passengers who had paired their devices, and calendar entries with descriptions of planned appointments, and e-mail addresses of those invited.

The data also showed the drivers’ last 73 navigation locations including residential addresses, the Wequassett Resort and Golf Club, and local Chick-fil-A and Home Depot locations.

The wrecked car’s computer still contained footage from one of the Model 3’s seven cameras, including the forward-facing view of the wreck that totaled the car, plus a clip of a previous, less serious side rail scrape.

Leaving personal data on cars is generally associated with rental cars. As CNBC points out, the Federal Trade Commission (FTC) has repeatedly warned drivers about pairing their devices to rental cars and has urged them to learn how to wipe their cars’ systems clean before returning a rental or selling a car.

The Verge points out that rentals don’t collect nearly as much data as cars that are driven for longer periods by those who own them. Plus, the data they collect is growing ever more granular, given the growing number of sensors and computers they’re outfitted with.

It’s not too late to wipe it, wipe it good

As one security researcher noted, for better or worse, the car manufacturers are putting the onus for data wiping on consumers. The Verge quoted Ashkan Soltani, a security researcher and former chief technologist for the FTC:

“I do think automakers should be taking steps to make sure that information isn’t available to unauthorized access (secondary owners or used car dealerships, for example). Location and contacts are incredibly personal and sensitive, [and] I think it’s problematic to leave that information laying around. Especially given that unlike mobile phones, cars typically stay in circulation for decades.”

We’ve got to treat these cars as computers on wheels and start wiping them before we sell them, as well as after they’re banged up, sitting in junkyards – even if their screens are shattered.

If we don’t do it, it sounds like nobody else will.