Wrecked Cars Are Now a Treasure Trove of Personal Information

As cars grow more dependent upon computer-controlled driving aids and automakers implement permanent internet connectivity, we’ve grown increasingly concerned with how automakers handle their customer’s data.

It sounds conspiratorial, but there’s a series of events to hang the tinfoil hat on. In 2017, General Motors announced it had successfully monitored the listening habits of 90,000 motorists in a study aimed at improving marketing insights. It also rejiggered OnStar and introduced the Marketplace app for seamless in-car purchasing options. Our take was that it was as impressive as it was ominous — and GM is only leading the charge into a what analysts believe will eventually become a multi-billion dollar industry.

Naturally, this led to privacy concerns over how automakers will protect customer data on future models. But we might want to start worrying about the cars we have now. A couple of white-hat hackers (those are the good ones) recently probed the internal computer networks of wrecked and salvaged Teslas and found a mother lode of personal information waiting inside.

According to a report from CNBC, GreenTheOnly and fellow hacker Theo, a Tesla proponent who has repaired hundreds of wrecked Teslas, purchased a wrecked Model 3 for research purposes in 2018. During their time with the vehicle, the pair found it was owned by a Boston-area construction company and had held onto unencrypted data from at least 17 different devices.

From CNBC:

Mobile phones or tablets had paired to the car around 170 times. The Model 3 held 11 phonebooks’ worth of contact information from drivers or passengers who had paired their devices, and calendar entries with descriptions of planned appointments, and e-mail addresses of those invited. (CNBC called and e-mailed several of the people who had paired their phones to the vehicle to verify their information was authentic.)

The data also showed the drivers’ last 73 navigation locations including residential addresses, the Wequassett Resort and Golf Club, and local Chik-Fil-A and Home Depot locations.

The car also stored the crash data, which included video footage from months prior. This allowed the hackers to pair the iPhone in use at the time of the wreck to a relative of the founder and chairman of the company that owned the Model 3. They even had the call logs and could tell that a family member had contacted the driver moments before the crash.

GreenTheOnly claims to have been able to yank similar data off other salvaged Teslas, saying he has amassed a small fortune off Tesla’s bug bounties. However, as willing as the company is to pay good-natured hackers to find flaws in its software, it’s also very protective of the data it collects. Tesla has gone to court to avoid handing the information over to customers. In fact, owners without hacker know-how have to purchase proprietary cables and software from the manufacturer just to get basic information out of the vehicle.

It’s also clear that the data is not being automatically erased in the event of a crash or after a change in ownership. But Tesla claims it’s on it.

“Tesla already offers options that customers can use to protect personal data stored on their car, including a factory reset option for deleting personal data and restoring customized settings to factory defaults, and a Valet Mode for hiding personal data (among other functions) when giving their keys to a valet,” explained a Tesla spokesperson. “That said, we are always committed to finding and improving upon the right balance between technical vehicle needs and the privacy of our customers.”

Admirable, but we already know that a large swath of motorists don’t understand all the features in their car. And that’s not likely to improve as automobiles become increasingly complicated. There will always be a subset of drivers who won’t understand how to protect stored data or even care to learn how.

GreenTheOnly and Theo noted that Tesla cameras can record while the car is parked, and that there’s no way for an owner to know when they might be doing so. The cameras enable features like “sentry mode” and trigger the car’s automatic wipers. “Tesla is not super transparent about what and when they are recording, and storing on internal systems,” GreenTheOnly explained. “You can opt out of all data collection. But then you lose [over-the-air software updates] and a bunch of other functionality. So, understandably, nobody does that, and I also begrudgingly accepted it.”

While Tesla found itself the focus of the hackers’ research, data protection is an issue that isn’t likely to be isolated to a single manufacturer. Several large automakers are already in the process of finishing data storage centers and deciphering how to best monetize information as cars grow increasingly connected to the internet. Meanwhile, the European Union voted in 2018 to make all telemetry data copyrighted by the automaker — which includes information accrued via a vehicle’s navigational systems — and China is pushing for the full-time monitoring of all new alternative-energy vehicles.

[Image: Tesla]