Tesla boasts that its cars are very secure at the software level, so much so that on more than one occasion it has challenged hackers from all over the world to try to break into its cars' systems. However, not everything is rosy, and the American company has become involved in a problem that affects the privacy of its customers. A well-known hacker went to the online sales portal eBay looking for electronic components from old Teslas, and ended up discovering that they contained personal information from previous owners, such as their home address, work address or WiFi password.

For some time, Tesla has been replacing the media control units (MCUs) of its cars to upgrade them and give them greater capabilities. This device is a kind of motherboard, a computer that controls the infotainment system and stores the owner's information related to the vehicle.

On older Model S and Model X cars, the MCU was replaced because the first generation of the device (MCUv1) tended to fail after four to five years. However, it was later discovered that the new MCUv2 could also fail due to a problem in the flash storage chip, which could render the system unusable and force it to be replaced entirely (central display included).

The Tesla Model 3 and Model Y work differently: the MCU is integrated with the processor that controls the Autopilot hardware, forming a unit called ICE. This computer also needs to be upgraded on older cars if the vehicle owner decides to purchase the 'full autonomous driving' system. In cases where this component needs to be replaced, Tesla can replace it with an entirely new or a reconditioned one. And this is where the problem arises: MCUv1, MCUv2 and ICE are all involved in a data privacy problem.

Used computers on the second-hand market … with the owners' data

Understandably, as a matter of convenience, most (if not all) owners want their personal data to be transferred to the new system, for which it is essential to use the old computer as the source. Once the original computer is removed from the vehicle, the owner no longer has the ability to erase their own data. Tesla would normally be expected to erase it entirely, but it doesn't.

The well-known hacker GreenTheOnly, who has on more than one occasion broken news about Tesla ahead of time, recently discovered that some of these computers have ended up for sale on Internet portals. While this shouldn't happen (we'll explain why later), the biggest problem is that they still contained personal and confidential data of previous owners.

This includes personal data such as home and work address; the phone number, contact book, and call history; and passwords of all kinds, from saved WiFi networks to passwords for email, Spotify, Netflix, YouTube, etc. According to the hacker himself, before bringing this information to light on InsideEVs, he contacted Tesla to inform it of the problem. There was no response from the company.

How did used parts with confidential information get to eBay?

Surprisingly, the replacement of this component can only be done by Tesla itself, either in the Service Centers or through the mobile service. According to InsideEVs sources, the technicians who carry out these replacements are instructed to throw the old computers away directly, and apparently are ordered to physically damage them (with a hammer, for example) before doing so. However, breaking the hardware externally does not necessarily affect the information stored in the system, which remains recoverable, as has been demonstrated.

One of the open questions is how these parts reached the second-hand market. Basically there are two hypotheses: on the one hand, that the Service Centers throw them directly in the trash and anonymous people have recovered them from the container; on the other, that Tesla technicians keep these components and sell them later for extra money.

Not surprisingly, damaged MCUs cost less than ones that are in good repair. As supply has increased, prices on eBay have been falling from 500 to 150 dollars, so more and more fans have been buying these computers to investigate and explore their systems (they are practically useless for use in other cars).

Since not everyone knows where to start, one of these buyers contacted GreenTheOnly for help, and that was how, almost by chance, the problem was discovered. The situation must have seemed so strange to the hacker that he bought another unit for himself, to confirm whether the issue was common to all of them. Indeed it was.

Tesla is silent

Following the discovery, InsideEVs and GreenTheOnly jointly purchased several more control units and found that all the personal data was retrievable. The publication contacted the owners whose details it could obtain, to inform them of the situation, to hear their opinion about what happened and to confirm whether they wanted the information to be destroyed.

They have also tried – again – to contact Tesla, but the company has not made any statement or provided any explanation in this regard.

What to do if you own a Tesla?

If the MCU or ICE of your car has not had to be replaced, you do not have to worry (at least for now, although when the time comes you will already be forewarned).

If, on the other hand, the MCU in your Tesla has had to be replaced at some point, it is recommended that you change all the passwords that may have been stored in the system.

