Security Researchers Find Tesla Model 3 MCU Stores Personal Data Even After Reset
A security researcher that goes by GreenTheOnly on Twitter recently shared some information that impacts some of the most popular Tesla vehicles. According to Green, some Tesla hardware currently being sold on eBay retains a significant amount of personal information from previous owners even after a reset. The parts the security researcher tested include a Tesla Model 3 integrated media control unit (MCU) and Autopilot (HW) units.
The MCU and HW units for a Model 3 along with a Model X MCU unit were acquired from eBay. All three of the units had been reset, but the researcher found that a slew of private owner information, including passwords, were still easily recoverable from the units. Among the private data that Green found stored on the Tesla hardware were screenshots of the display captured and stored on eMMC each time the Model 3 wakes up. The last 50 snapshots were stored on the device.
The most concerning data found on the hardware included the owner's home and work location, saved Wi-Fi passwords, calendar entries from their phones, call lists, address books from paired phones, Netflix details, and other stored session cookies. Green noted that the prices for Tesla hardware have come down, leading more security researchers to get their hands on it for testing. Lower prices could lead hackers to acquire the hardware to steal personal data.
Interestingly, the Model X MCU acquired for testing had been physically crushed, presumably by the accident that totaled the vehicle leading to its hardware being for sale on eBay. Despite being physically crushed, the data was still recoverable from the device. The Spotify password stored on the hardware was stored as plain text. Netflix and Gmail passwords were stored in cookie format that could be exploited by hackers.
Green hopes the research findings will encourage Tesla to encrypt data on its hardware. These are significant security holes for an automaker who has sponsored events challenging hackers to find flaws and exploits in its vehicle systems. In March, a security researcher was able to execute a hack that disabled autopilot notifications, the speedometer, climate controls, and more. The hacker said the vulnerability he discovered impacts all Model 3 vehicles running software version 2020.4.10 or older.