It can be easy to forget how much personal data we share with the various technologies geared at streamlining our lives, be they voice assistants, smart home devices, or the phones we carry with us virtually everywhere. And if you own a car, that may go for your ride too.
According to a report from CNBC, Teslas, in particular, are packing around a ton of unencrypted data that can be tapped into with the right knowledge of how to access it, especially when one of its cars is re-sold or totaled. CNBC spoke with two white-hat hackers identified as Theo and GreenTheOnly who purchased a wrecked Model 3 last year and were able to demonstrate the extent to which personal data can be extracted from the car.
CNBC said the researchers were able to pull not only information identifying the Boston-area construction company that owned the car, which was reportedly used by people who worked at the company, but also data that was linked to “at least 17 different devices.” The researchers also pulled videos of two of the Model 3's accidents—including the one that totaled the car—as well as the information of the contacts of passengers and drivers who had paired their phones with it.
As CNBC noted, that such data is accessible to those who know how to find it raises questions about the company’s policies for protecting user data. Reached for comment, a company spokesperson provided the same comment to Gizmodo that it did to CNBC, pointing to what it described as options for maintaining privacy. Those include “a factory reset option for deleting personal data and restoring customized settings to factory defaults, and a Valet Mode for hiding personal data (among other functions) when giving their keys to a valet.”
The spokesperson added that the company is “always committed to finding and improving upon the right balance between technical vehicle needs and the privacy of our customers.”
To be clear, it’s not just Teslas that pack around this kind of sensitive data, even if Tesla is collecting and storing more than most. And it’s definitely not just totaled or re-sold cars either, as evidenced by a 2017 report from Privacy International. The UK-based human rights- and privacy-focused charity found that after surveying a number of popular rental firms, the onus largely fell on individual riders to ensure that they deleted their data from a rental car to ensure it wasn’t being stored.
The Federal Trade Commission has likewise warned as recently as August that consumers should consider what data they’re leaving behind before selling or donating their vehicles. FTC Consumer Education Specialist Colleen Tressler wrote in a blog post last year that wiping a vehicle of personal data goes beyond just a factory reset, and it’s important to ensure you’re disconnecting from services and features as well.
At the very least, CNBC’s report is a good reminder to be mindful of how and where we share our information, and that even pairing your phone for entertainment purposes can come with some risks.