There is evidence that Tesla did not purge user personal information from the replaced parts, and that the parts were "streamed" for sale online.
Image: replaced Tesla parts or leaked user information
According to white-hat hacker GreenTheOnly, Tesla's media control unit and Autopilot hardware modification division, don't do enough to protect users' personal information.
GreenTheOnly purchased four media control units and Autopilot hardware on eBay, where it found personal information about previous users. Even more worrisome is Tesla's response to the matter.
According to GreenTheOnly, he informed Tesla of his findings before reporting them to InsideEVs. Surprisingly, however, Tesla refused to notify all customers who might be affected in a timely manner, saying only that it would notify one of its customers.
GreenTheOnly disclosed to InsideEVs that all of the hardware he purchased contained "user's home and work addresses, WiFi passwords from their phones, schedule entries, call logs, contacts, Netflix, and other services' cookies, which enable hackers to control these accounts.
Image: Two types of components that can leak a user's personal information
The components in question include the Media Control Unit for Model S and Model X, and the ICE for Model 3. In Model S and Model X, the Media Control Unit and Autopilot hardware are independent of each other; in Model 3 and Model Y, the two components are combined into one, called ICE.
While Tesla claims that models built after April 22, 2019 are equipped with HW 3.0 components, many Model 3s built after that actually come with a lower version of HW, and these users will need to replace the ICE if they want to enjoy full autopilot capability.
GreenTheOnly says, "These parts range in price from $500 to $150 on eBay, and more and more people will buy them for research purposes. They won't be replaced in other cars because it's not easy. After I was approached to help extract the stored data, I became aware of the problem and then purchased a widget from eBay that confirmed the claims."
CNBC's March 2019 news release, citing GreenTheOnly, said the salvaged Tesla car still has data stored. Tesla responded at the time by saying that users could use the factory settings option to erase sensitive data stored in the car.
Users can only replace these parts through Tesla. Users often want to transfer personal information to new parts, so Tesla uses old parts installed in cars to transfer information to new parts. Once the old part is removed from the car, the user cannot erase the data in it.
According to Tesla's policy, replacement parts do not belong to the user. Sources online say that it costs users $1,000 to keep the replacement parts.
Under Tesla policy, replacement parts are first destroyed and then disposed of as scrap, which is why GreenTheOnly purchased the destroyed media control unit.
Image: vandalized Tesla media control unit parts
GreenTheOnly said, "The information I've learned is that the staff hits the replacement parts with a hammer several times before they are disposed of as scrap. Obviously, it's not enough to destroy the data. I've even seen such parts priced as low as $10. The parts that aren't damaged are more expensive, so I'm guessing that the Tesla staff has an incentive not to use a hammer to hit those parts."
GreenTheOnly warns that hackers can even tell which service center the parts were replaced by.
There are two explanations for why the replacement Tesla parts were sold online: one is that the service center did not destroy the replacement parts as required; the other is that the technicians sold them for profit. Or maybe it's a combination of both.
In fact, there's no need for Tesla to destroy the parts or charge customers $1,000, it's perfectly capable of wiping the data from them and selling them to other users as used products at a low price.
Tesla may see no value in re-selling these parts, but it can commission authorized stores to purge data and sell them. In addition to addressing privacy concerns, this approach is also more environmentally friendly than simply throwing it away.
GreenTheOnly says Tesla owners who have upgraded to HW 3.0 will need to change all passwords; Tesla owners who have not yet upgraded to HW 3.0 are advised to reset the onboard system before upgrading.
