One of the researchers, who uses the pseudonym GreenTheOnly, told CNBC that he has managed to extract all sorts of data from salvaged Model X, Model S and Model 3 cars in the past. To take a closer look at what Tesla computers can reveal, he teamed up with another white hat hacker named Theo and purchased a totaled Model 3 late last year for research purposes.
The result? They found unencrypted information from at least 17 different devices, including the number of times they were paired to the vehicle, as well as 11 phonebooks' worth of contact information. The researchers also found calendar entries with descriptions of planned appointments, along with the e-mail addresses of those invited. In addition, they unearthed the last 73 locations the car went to (and the navigation information) and even successfully extracted the video of the crash itself.
The fact that the automaker doesn't automatically delete such information could be a double-edged sword. Yes, it could be helpful for investigators, but someone with the technical knowledge can hack into a salvaged or reconditioned Tesla's computer and extract data, without having to break any kind of encryption.
A Tesla spokesperson told CNBC:
"Tesla already offers options that customers can use to protect personal data stored on their car, including a factory reset option for deleting personal data and restoring customized settings to factory defaults, and a Valet Mode for hiding personal data (among other functions) when giving their keys to a valet. That said, we are always committed to finding and improving upon the right balance between technical vehicle needs and the privacy of our customers."
Those options, however, might not be enough. A former employee from at least one automotive auction company that Tesla uses to recondition used cars admitted that they don't factory reset the vehicles they sell. And as the researchers proved, it's possible to extract information from cars that go to the junkyard after a crash. If owners try to modify their cars' software on their own, they risk getting software updates much later than everyone else. Apparently, the company flags owners as hackers if they modify or even analyze their vehicle's system.
The Chief Security Officer at Bugcrowd, which manages Tesla's bug bounty program, explained to the publication that the company can't just wipe cars automatically. There "could be a forensic need to contain and retain the data," he said. "But I would think that what they will want to work on is a way to have all that stored data encrypted, as it would be on your cell phone," he added.