A set of Tesla infotainment data surprisingly sold on eBay. The users’ sensitive details came along a purchase of Tesla parts.
A researcher surprisingly discovered something unusual packed with the Tesla parts he purchased over eBay. He found that his acquired media control units (MCU) contained sensitive information from the electric vehicle company.
The researcher who uses the Twitter handler greentheonly revealed that he was able to access the information on the 13 MCUs he acquired. He suspects that the units were taken out from refurbished or repaired electric vehicles.
Based on the history trace, the 13 units had one last location in common. The MCUs all came from a Tesla service center before being retired for selling.
greentheonly believes that they were all removed by an authorized Tesla service center technician. His findings also proved that all the 13 units missed the standard operating procedure in proper disposal of sensitive data.
Tesla normally removes MCU
It is a normal practice for a Tesla service center technician to remove MCUs. It usually happens during repairs.
Another reason for media control unit removal is improving the autopilot. During the said process, the authorized technician takes out the MCU to give way to a more advanced device model.
However, there should be a proper way of disposing of the units’ sensitive contents. Tesla requires all removed MCUs to be sent back to the company.
Damaged units, on the other hand, are expected to be crashed. They should be hammered down to make sure that no sensitive data will be recovered before the unit gets disposed of.
In this case, the discovering researcher believes that there is some personnel in the service center who violated the rule. Instead of returning the units to the company, they sold the intact units containing sensitive information.
The researcher even suspects that the said employees just created an internal disposal or destruction report. He pointed out that there are salvage yards selling stuff like that.
Bad news Sunday. If you had infotainment computer in your Tesla replaced (model3 FSD upgrade, mcu2 retrofit, mcu1 emmc fix or any other fixe requiring computer swap) – consider all accounts you logged into from the car compromised and change pwds.https://t.co/sCs7elRoyk
— green (@greentheonly) May 3, 2020
greentheonly revealed that not all the 13 MCUs he acquired came from eBay. He said that he got the 12 from the online store and one he got from a friend. However, all of them were loaded with confidential information.
Inside the media control unit
Some of the MCU contents were phonebooks, hundreds of call log entries, home, and work locations. The researcher even discovered readable Wi-Fi and Spotify passwords. The units were loaded with Gmail accounts, YouTube, and Netflix session cookies. A list of recent calendar entries was in the units as well.
Tesla did not give any reaction to the incident yet. The company representative also has not responded to the email question on the company’s disposal policy.
Image courtesy of Bit Boy/Flickr