Tesla recently started retrofitting new media control units into some of its older models and hacker GreenTheOnly has found that a selection of the old computers have ended up for sale online and still have confidential user data stored on them.
The electric automaker offers a number of new computer upgrades for its vehicles. More specifically, Tesla Model S and Model X models built until March 2018 and fitted with the MCUv1 media control system and infotainment screen can be retrofitted with the improved MCUv2 featured as standard on Model S and Model X produced since March 2018.
The ‘ICE’ computers of Tesla Model 3s can also be replaced and upgraded if an owner decides they want to upgrade to the Full Self Driving package.
Read More: Tesla Starts Offering $2,500 Infotainment Upgrade For Older Model S And Model X Vehicles
Shockingly, many of the old media control units replaced exclusively through official Tesla Service Centers of the company’s Mobile Service have hit the web and are being sold. GreenTheOnly recently purchased a series of these old modules and found information regarding the “owner’s home and work location, all saved wi-fi passwords, calendar entries from the phone, call lists and address books from paired phones, Netflix and other stored session cookies,” all stored inside. The hacker added that Netflix session cookies allow hackers to take control of these accounts. In addition, he found Spotify passwords stored in clear text.
While investigating the matter, InsideEVs reportedly spoke to a source who claims technicians performing these retrofits are instructed to throw the old computers away or damage them before trashing them. GreenTheOnly adds that technicians have been told to hit the control unit with a hammer a few times before throwing it away, damaging the external parts but not necessarily the information stored within.
Bad news Sunday. If you had infotainment computer in your Tesla replaced (model3 FSD upgrade, mcu2 retrofit, mcu1 emmc fix or any other fixe requiring computer swap) – consider all accounts you logged into from the car compromised and change pwds.https://t.co/sCs7elRoyk
— green (@greentheonly) May 3, 2020
There are at least two ways to explain how these old control units are ending up online. One is that Service Centers are simply throwing them away and dumpster-divers are retrieving them while a second explanation could be that Tesla technicians are themselves are keeping and selling them to make a quick buck, likely without considering (or deleting) the personal data stored.
InsideEVs has worked alongside GreenTheOnly to purchase a handful of old media control units online, retrieved the stored personal data and contacted owners to see if they want the information destroyed.
Tesla has yet to comment on the ongoing issue. Expect to hear more in the future.