Last year, a Tesla Model X belonging to CNBC executive editor Jay Yarow, which had been totaled in the U.S., suddenly reactivated and started sending notifications to his phone months later. Examining the Tesla app, he was able to identify where the car was via a geolocation feature: a region in southern Ukraine that is currently in the midst of a conflict. Apparently, it had been sold through an auction site connected to a scrapyard in the area.
Late last year, a U.S. Tesla Model X that was totaled suddenly came back online and started sending notifications to the phone of its former owner, CNBC executive editor Jay Yarow. Upon opening his Tesla app, Yarow was able to find out that the car was located in a region of war-torn Ukraine. Even more surprising, the new owners were tapping into his still-connected Spotify app to listen to Drake radio playlists. Yarow's post about this on the social network X (formerly known as Twitter) went viral, prompting followers to question the security risk of this situation.
Ken Tindell, the CTO of automotive security firm Canis Labs, explained in an e-mail to CNBC that there is indeed a security risk with totaled cars that are restored since the credentials to internet services are still in the vehicle electronics. Tindell further noted, "In general it's possible to get data out of working electronics — it's merely a question of how much effort that takes." He went on to explain that this isn't a Tesla-specific issue, as it applies to laptops, smartphones, refrigerators, TVs, and all other internet-connected devices that can store personal data. He concluded by emphasizing that dealers and owners need a better understanding of the issue of private data that is secured in the vehicle.
CNBC discovered that after the car was declared a total loss, it was advertised for sale on Copart, a worldwide online auction site associated with salvage yards in the US. Copart deals with "salvage title" cars, which are not permitted on US roads, but drivers in other countries are not so restricted. Mike Dunne, former GM international executive and CEO of auto consulting firm ZoZoGo, said the trend of shipping secondhand vehicles overseas has accelerated together with the increasing popularity of digital auctions. Steven Lang, auctioneer and founder of 48 Hours And A Used Car, added that such vehicles normally appear on digital auction sites, allowing buyers from anywhere to purchase them. According to one online auction website, the suggested winning bid for the totaled car would be between $27,400 and $29,400. It is uncertain who bought the car and Copart did not offer any comment.
Tesla support staff instructed Yarow to disconnect his car from his account, giving him a set of steps to do so. They didn't provide any guidance for obtaining the new owner's information, as the car had not been sold.
Ken Tindell, CTO of Canis Labs, pointed out that removing one's car from an account can stop other apps, such as Spotify in Yarow's case, from using the data. Unfortunately, data can still be retrieved from the crashed vehicle's electronics. Tindell questioned what a celebrity's travel history and contacts would be worth to a kidnapper or blackmailer.
A similar situation to this is when an Apple laptop is stolen. Apple attempts to remotely wipe the laptop but a malicious repair shop can still remove the hard drive and duplicate all the data from it. To prevent this from happening, Apple normally encrypts its hard drives. Warren Ahner, founder of RightHook and an automotive cybersecurity expert, said companies should have a portal for customers to sign in and remove their data and disconnect their vehicle from the account, as well as the ability to send a remote-wipe command.
Ahner suggested that individuals should take security into their own hands. Be careful about giving vehicles too much personal info and clear the data after usage. Green the Only, an automotive white hat hacker, added that although a past owner cannot do much, they could still accrue charges for services they are not using, like Supercharging. They can only submit a request to Tesla to have the car removed from their account. Green the Only mentioned that Tesla should have added a "remote wipe and then remove from my account" feature a long time ago for optimal safety.