By on April 1, 2019

As cars grow more dependent upon computer-controlled driving aids and automakers implement permanent internet connectivity, we’ve grown increasingly concerned with how automakers handle their customers’ data.

It sounds conspiratorial, but there’s a series of events to hang the tinfoil hat on. In 2017, General Motors announced it had successfully monitored the listening habits of 90,000 motorists in a study aimed at improving marketing insights. It also rejiggered OnStar and introduced the Marketplace app for seamless in-car purchasing options. Our take was that it was as impressive as it was ominous — and GM is only leading the charge into what analysts believe will eventually become a multibillion-dollar industry.

Naturally, this led to privacy concerns over how automakers will protect customer data on future models. But we might want to start worrying about the cars we have now. A couple of white-hat hackers (those are the good ones) recently probed the internal computer networks of wrecked and salvaged Teslas and found a mother lode of personal information waiting inside.

According to a report from CNBC, GreenTheOnly and fellow hacker Theo, a Tesla proponent who has repaired hundreds of wrecked Teslas, purchased a wrecked Model 3 for research purposes in 2018. During their time with the vehicle, the pair found it was owned by a Boston-area construction company and had held onto unencrypted data from at least 17 different devices.

From CNBC:

Mobile phones or tablets had paired to the car around 170 times. The Model 3 held 11 phonebooks’ worth of contact information from drivers or passengers who had paired their devices, and calendar entries with descriptions of planned appointments, and e-mail addresses of those invited. (CNBC called and e-mailed several of the people who had paired their phones to the vehicle to verify their information was authentic.)

The data also showed the drivers’ last 73 navigation locations including residential addresses, the Wequassett Resort and Golf Club, and local Chick-fil-A and Home Depot locations.

The car also stored the crash data, which included video footage from months prior. This allowed the hackers to pair the iPhone in use at the time of the wreck to a relative of the founder and chairman of the company that owned the Model 3. They even had the call logs and could tell that a family member had contacted the driver moments before the crash.

GreenTheOnly claims to have been able to yank similar data off other salvaged Teslas, saying he has amassed a small fortune off Tesla’s bug bounties. However, as willing as the company is to pay good-natured hackers to find flaws in its software, it’s also very protective of the data it collects. Tesla has gone to court to avoid handing the information over to customers. In fact, owners without hacker know-how have to purchase proprietary cables and software from the manufacturer just to get basic information out of the vehicle.

It’s also clear that the data is not being automatically erased in the event of a crash or after a change in ownership. But Tesla claims it’s on it.

“Tesla already offers options that customers can use to protect personal data stored on their car, including a factory reset option for deleting personal data and restoring customized settings to factory defaults, and a Valet Mode for hiding personal data (among other functions) when giving their keys to a valet,” explained a Tesla spokesperson. “That said, we are always committed to finding and improving upon the right balance between technical vehicle needs and the privacy of our customers.”

Admirable, but we already know that a large swath of motorists don’t understand all the features in their car. And that’s not likely to improve as automobiles become increasingly complicated. There will always be a subset of drivers who won’t understand how to protect stored data or even care to learn how.

GreenTheOnly and Theo noted that Tesla cameras can record while the car is parked, and that there’s no way for an owner to know when they might be doing so. The cameras enable features like “sentry mode” and trigger the car’s automatic wipers. “Tesla is not super transparent about what and when they are recording, and storing on internal systems,” GreenTheOnly explained. “You can opt out of all data collection. But then you lose [over-the-air software updates] and a bunch of other functionality. So, understandably, nobody does that, and I also begrudgingly accepted it.”

While Tesla found itself the focus of the hackers’ research, data protection is an issue that isn’t likely to be isolated to a single manufacturer. Several large automakers are already in the process of finishing data storage centers and deciphering how to best monetize information as cars grow increasingly connected to the internet. Meanwhile, the European Union voted in 2018 to make all telemetry data copyrighted by the automaker — which includes information accrued via a vehicle’s navigational systems — and China is pushing for the full-time monitoring of all new alternative-energy vehicles.

[Image: Tesla]


18 Comments on “Wrecked Cars Are Now a Treasure Trove of Personal Information...”

  • avatar
    SCE to AUX

    No doubt the mfrs will say that since every owner of a smart phone surrenders their privacy daily, this is no different.

    Wrecked cars do present an interesting use case, because it’s unlikely the users can (or will) take the time to erase their data from the car. Even if they did, that data likely lives in the mfr’s data cloud anyway.

    • 0 avatar
      Master Baiter

      “…every owner of a smart phone surrenders their privacy daily, this is no different.”

      There is one smartphone company that doesn’t:

      1. Sell or otherwise mine your personal data.
      2. Push you advertising.
      3. Junk up your phone with adware.
      4. Compromise your security, much to the chagrin of the U.S. intelligence agencies.
      5. Have the ability to unlock your phone via back doors etc.

      • 0 avatar

        “There is one smartphone company that doesn’t:”

        All true, except probably not the one you are thinking of. Even that company doesn’t allow you to own your phone and control your data.

        Here’s the only smartphone company – Purism – that TRULY doesn’t do those things:

  • avatar

    “mother load”?? Are you morphing into an adult entertainment site or something?

    • 0 avatar

      you’ve never heard that expression before? it’s actually “mother lode,” but it’s not skeevy in the slightest.

      moth·er lode
      noun – MINING
      1. a principal vein of an ore or mineral.
      2. a rich source of something. “your portfolio holds a mother lode of opportunities”

      • 0 avatar

        I think he was making the point (and joke) that the spelling mistake was due to the writer thinking with his baby maker.

        “But then”, he said, switching to his stand-up comedian voice, “in that case, shouldn’t it really be called the ‘father load’?”

        “Thank you! I’ll be here all week. Be sure to tip the veal and try your waitress.”

  • avatar

    I understand and expect modern invention to make our lives better every day.
    In the case of car to car awareness and updates, these are gonna happen.
    What I don’t understand about Tesla updates is why can’t the owner be notified of updates and opt in or out? Why does the system need to be constantly interacting with the mothership?

  • avatar

    You don’t need a Tesla or similar to be spied upon. Google emails me monthly with a history of where I’ve been during the past month. *Right now* I suppose it’s harmless enough for me not to want to turn (or try to) everything off on my smartphone. BUT, stuff like this makes me glad my car is not connected, though who knows what’s going on inside the car’s ECU and other computers.

    • 0 avatar

      I do not own, and never will own, a car that collects personal data or a smartphone. (Yes, I drive older models. No Onstar. No touchscreen. No GPS. Just enough CPU power to run the engine and not much else.)

      It’s nobody’s business where I go, what I listen to on the radio, or what I spend my money on. They can stuff the “connected car” as far as I’m concerned.

      • 0 avatar

        +1 It’s inevitable that my next vehicle (either a ’17+ Grand Cherokee, 300 or Charger) will no doubt contain all sorts of doodads that my ’13 200 doesn’t have, but I just won’t use most of them. Fortunately, those cars still aren’t as whiz-bang as a Tesla.

  • avatar

    OnStar knows more about you than you might realize.

    Many current production models know a lot about that collision you just had.

  • avatar

    I will never own a car that receives OTA software updates. Not that I have anything to hide, but it’s more of a concern of introducing many vectors of vulnerabilities which could prove dangerous. I’m quite content just bringing my car in to get its recommended software (firmware) updates. It seems to work fine doing it the old fashioned way. I had the firmware of my 62TE in my 200 updated for smoother shifts at lower speeds along with the BCM for an airbag recall.

    As for syncing my phone and all that good stuff, it just seems so unnecessary. I’m just the type of person who gets in the car, turns on some music, adjusts the HVAC to my liking and drives to my destination. I’ve used GPS enough to know that it is a frustration rather than something useful.

  • avatar

    Yay. Another benefit of owning a “primitive” car.

  • avatar

    All those who think the government is the big spy – Corporate America is the biggest enemy against your privacy. The feds don’t really give a damn. But give the Corporate Overlords a way to separate you from your money – the real reason to steal your information – and they will do it every time. Give customers some convenience features, link in heavy data mining, and block out functionality for those who “opt out” and you have a veritable treasure trove of unlimited data theft.

    Locate your airbag control module, and take it out in case of a wreck. Pull the fuse on Onstar-type devices. Of course, the automakers will then put something desirable on the same circuit to discourage such behavior.

  • avatar

    I must have missed the emails where all these companies asked my permission to use my data. There’s never been an OPT OUT button, merely OPT IN or you cannot use our latest digital whiz bang product or app. You is mine, pleb.

    Now we are all little corporate data gatherers working for THE MAN. Don’t cause any trouble, eat plenty of bad hamburgers at corporate drive-ins found on Google search, buy lots from Amazon, inform the world on your eating habits daily on Facebook as a social dimbulb and keep paying all those monthly rentier tolls without ever being late. And they’ll not bother you much. Hopefully. But no promises, serf.

    • 0 avatar

      You sign away the data rights when you buy the car. How many even notice, what with the 3-ring circus that tends to be part of the car-buying process?
