Tesla Cars Keep More Data Than You Think (cnbc.com) 57
Tesla vehicles sent to the junk yard after a crash carry much more data than you'd think. According to CNBC, citing two security researchers, "Computers on Tesla vehicles keep everything that drivers have voluntarily stored on their cars, plus tons of other information generated by the vehicles including video, location and navigational data showing exactly what happened leading up to a crash." From the report: One researcher, who calls himself GreenTheOnly, describes himself as a "white hat hacker" and a Tesla enthusiast who drives a Model X. He has extracted this kind of data from the computers in a salvaged Tesla Model S, Model X and two Model 3 vehicles, while also making tens of thousands of dollars cashing in on Tesla bug bounties in recent years. Many other cars download and store data from users, particularly information from paired cellphones, such as contact information.
But the researchers' findings highlight how Tesla is full of contradictions on privacy and cybersecurity. On one hand, Tesla holds car-generated data closely, and has fought customers in court to refrain from giving up vehicle data. Owners must purchase $995 cables and download a software kit from Tesla to get limited information out of their cars via "event data recorders" there, should they need this for legal, insurance or other reasons. At the same time, crashed Teslas that are sent to salvage can yield unencrypted and personally revealing data to anyone who takes possession of the car's computer and knows how to extract it. The contrast raises questions about whether Tesla has clearly defined goals for data security, and who its existing rules are meant to protect. A Tesla spokesperson said in a statement to CNBC: "Tesla already offers options that customers can use to protect personal data stored on their car, including a factory reset option for deleting personal data and restoring customized settings to factory defaults, and a Valet Mode for hiding personal data (among other functions) when giving their keys to a valet. That said, we are always committed to finding and improving upon the right balance between technical vehicle needs and the privacy of our customers."
The report serves as a reminder for Tesla owners to factory reset their cars before handing them off to a junk yard or other reseller because that other party may not reset your car for you. "Tesla sometimes uses an automotive auction company called Manheim to inspect, recondition and sell used cars," reports CNBC. "A former Manheim employee, who asked to remain anonymous, confirmed that employees do not wipe the cars' computers with a factory reset."
The researchers were able to obtain phonebooks "worth of contact information from drivers or passengers who had paired their devices, and calendar entries with descriptions of planned appointments, and e-mail addresses of those invited." The data also showed the drivers' last 73 navigation locations, as well as crash-related information. The Model 3 that one of the researchers bought for research purposes contained a video showing the car speeding out of the right lane into the trees off the left side of a dark two-lane route. "GPS and other vehicle data reveals that the accident happened in Orleans, Massachusetts, on Namequoit Road, at 11:15 pm on Aug 11, and was severe enough that airbags deployed," the report adds.
I assume they keep everything (Score:4, Insightful)
Same as I assume for all new technology. Motion, video, voice etc. If it has a sensor, I assume it's probably being recorded.
Re:I assume they keep everything (Score:5, Insightful)
Right? Fuck the editors who write these headlines, fuck their supervisors who don't fire them, fuck the submitter for including them, and fuck the /. editors for just rubber stamping shit like this.
No, they don't keep more data than I think. Honestly, I bet they keep less. I expect them to keep everything. Seat position. Temperature profile. Mirror positions. Then between the seat and mirrors they calculate my body size and keep that. And cross-reference the in-car camera that they take pictures of me with, and the seat firmness to gauge my weight. They've got my age and hearing nailed down, since they can cross-reference volume with the rest of my physical stats and get my BMI.
Eye-gaze tracking plus exterior cameras means they watch what I look at. Know my sexual orientation, what animals I like, and whether or not my eyesight is good enough to read signs. And what stores I visit.
Seriously, fuck these headlines. No. They don't keep more detail than I think. I'm a paranoid fuck who understands full well how much they have access to and what they could do with it. And they surprisingly seem to keep less and do less. I've spent like 2 decades hoping that /. could get a headline worthy of the audience, but I'm always disappointed.
"Dumbasses don't factory reset their Teslas, and leave a lot of personal info in them."
How hard was that?
Re: (Score:2)
"Dumbasses don't factory reset their Teslas, and leave a lot of personal info in them."
Maybe they aren't dumb, but just don't care.
If someone got all the data from my Tesla, the worst they would see is me picking my nose while I drive.
Why should I care?
Re: I assume they keep everything (Score:2)
Add to it that what you think is trivial is a goldmine for others.
That's why using a standalone gps and only pairing your phone for voice are key actions to consider.
Re: (Score:2)
Add to it that what you think is trivial is a goldmine for others.
Why should I care? What bad thing is going to happen to me if "they" know where I buy my groceries?
Re: (Score:2)
Perhaps they don't even know that they could/should delete the data.
Re: I assume they keep everything (Score:2)
Never assign to malice what can be explained by stupidity.
Most people do not realize the amount of data that is recorded about them. I learned the lesson hard in 1997 when my college teacher compared emails between students to prove cheating.
It was then that I realized that my data was out there and freely shared unencrypted.
I was about to sign up for a Facebook account in 2007 when I saw reports of people who "deleted" their account and when they reactivated it 2 years later had all the information still th
Re: (Score:3)
Maybe you assume everything is recorded all the time, but most people don't. For example, they don't assume that their phones are constantly recording video and making it available to Apple/Google/Samsung because even if that wasn't illegal in many places it would destroy the battery.
Tesla's "solution" to this is also entirely inadequate. You can factory reset the car... as long as it still works. If it gets smashed up or the screen breaks you are screwed.
This is an important issue as cars are only going to
Re: (Score:3)
Wow. You either didn't read or didn't understand my post. Since this seems to be hard for you, I'll try again:
Maybe you assume everything is recorded all the time, but most people don't.
My expectations are that most /. readers are not "most people", and thus Buzzfeed clickbait headlines designed for "most people" are inappropriate for this audience.
An article and/or headline making a statement regarding what I think is a lazy and condescending way to write. There is no reason to do it, and no value in communicating like that.
I expect journalists to be able to write better than tha
Re: (Score:2)
So what you're saying is that since you know the internals of a Tesla car's computer, you assume everyone here is as knowledgeable.
Personally, if I was that knowledgeable about the subject, I wouldn't have clicked the link.
Re: (Score:2)
No. That's not what I'm saying. Try reading it again.
Re: I assume they keep everything (Score:5, Insightful)
And why haven't we seen the same story written about BMW / Mercedes / Acura / Jaguar / Audi / Infiniti / etc. - guess what; they all store data on the car too, because we fucking ask the car to do that so the data is accessible to use in the car without having to connect your phone or re-enter it every single time.
It's kind of designed to do that, and any high-end car with a connectivity and navigation package will keep basically all of this except maybe the video.
If people don't know to wipe a device that makes use of personal data before handing permanent ownership of it off by now, then they just aren't paying attention.
And somehow we only hear about it when it's Tesla. You don't think it's a hot piece being placed by vested interests, do you?
Re: (Score:2)
"Dumbasses don't factory reset their Teslas, and leave a lot of personal info in them."
How hard was that?
You do realize that there could be situations where the computer is broken to the point where the owner cannot factory reset them yet they may still be in good enough shape that data can be extracted from the storage media, correct? You should never assume that the end user is able to factory reset. The data should be held encrypted on the device with something like a TPM that protects the encryption keys and requires a recovery key to be used once you remove the device from the car.
Another Tesla Smear article (Score:5, Interesting)
The researchers were able to obtain phonebooks "worth of contact information from drivers or passengers who had paired their devices, and calendar entries with descriptions of planned appointments, and e-mail addresses of those invited."
Uh, ya pretty much any car from any manufacturer can be datamined like that. I travel a lot for work and rent cars frequently, and almost every time there's a trove of personal information from when a previous customer paired their phone to the rental. Call logs, text messages, phone books, you name it.
Re: Another Tesla Smear article- bullshit (Score:2)
Stock losses are only losses if you sell, or the company goes bust. Your short term thinking is what is wrong with the market.
Re:Another Tesla Smear article (Score:5, Informative)
Re: (Score:3)
Yep. Mix of not having access to the vehicle, and possibly the vehicle not being functional enough to do this without specialized know-how.
Also, right after you're in an accident you're probably not in "delete my browser history" mode. More than likely, top priorities are a) Am I and my passengers ok? b) Are the other people/things involved ok? c) Is my car totaled? Do I need to find a repair place or just buy a new one? d) Holy crap, I need to get home, I need a new car to drive now! ....h)Wait....did I le
Tesla, like Apple, generates the web hits.... (Score:3)
But agree with the people who say this is a garbage story. I mean, wow .... Users sync their car with their cellphone so it has a copy of their contacts and calendars, but are all surprised that data was still there if their car gets resold or wrecked and they don't erase it first? Ok ....
And yeah, a whole LOT of cars on the road today have a "black box" in them that keeps a snapshot of the last 10 seconds or so before a crash of exactly what the driver did. It may not have camera video, but info on the car's speed, steering, braking, etc. is sure stored there.
Anyone actually surprised they can look at data like a previous owner's GPS destinations is simply not even thinking. Especially with big auto auction houses, it's kind of unreasonable to demand THEY factory reset every car that comes in -- or heck, even just every Tesla that comes in. It's not their responsibility to protect someone else's data. It might even make a car worth a lot more money, if it's certifiably a celebrity of some kind who owned it last? People pay a lot for some weird things.
Re: Tesla, like Apple, generates the web hits.... (Score:2)
Who says that it should?
Maybe the owner doesn't want to wait for notoriously flaky car Bluetooth systems to decide to work before using that data, and it's their car and their data so they have a reasonable expectation that they can use both how they like?
People know to wipe laptops, phones, tablets, etc before selling them - why would they think a car that keeps your contact and location data would be any different?
How about a little personal god damn responsibility.
Re: (Score:2)
It's not their responsibility to protect someone else's data. It might even make a car worth a lot more money,
It most certainly depends on jurisdiction. I would assume that in Europe, everyone who commercially sells cars/used cars is obliged to "clean" them first from foreign private data.
It is perhaps a good idea to make sure anyway, before you sell a car (as a vendor) that it is in factory approved conditions?
It's a computer. (Score:5, Insightful)
Cars are computers. Just like any computer, if you don't wipe the data then it will retain the data as it's designed to do. The same is true of PCs, HDDs/SSDs, tablets, smartphones, smart TVs, SD cards, USB sticks and really anything else with a FLASH memory.
The fact that people are surprised by this just shows that far too many people are ignorant of the fact that they are surrounded by computers.
Re: (Score:2)
Except here you can't easily wipe anything. Even if you wanted to destroy the flash would you know where to physically look? Does it all get stored in one place or in the separate modules? Don't forget that the cars are never offline either.
No they don't keep more data than "I" think (Score:1)
I assume they collect and keep information including not relevant to car, it probably has the wifi net names of everything within the range of the car
Re: Another reminder to not buy a Tesla. (Score:3)
Then don't buy any other car that talks to your phone via Bluetooth either.
This article only mentions Tesla for clickbait, but other manufacturers have been doing this for over a decade.
Don't be a tool.
Really? (Score:2)
"Computers on Tesla vehicles keep everything that drivers have voluntarily stored on their cars,"
Just like any other car as well. Computers in cars don't get wiped automatically just because you drive it to the scrap yard.
If you don't remove your sunglasses and wallet from the glove compartment they will also still be there.
Re: (Score:2)
Should encrypt the mass storage (Score:2)
Even simple symmetric XOR encryption is enough, if the key is individualized for each car. Unless the computer is still operational and you are able to step through and find the key in memory you can't hack it. And it is not that hard to do public-private keys too.
How to protect decryption when the car is totaled but the computer is still functional? That would be hard
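Added example, not part of the thread or the CNBC report: the per-car XOR idea from the comment above, checked against a file with a predictable header. It assumes the key is a fixed byte string repeated across the storage; the key, the sample record and the choice of an SQLite file are constructed for illustration.

```python
from itertools import cycle

# Every SQLite database file starts with this fixed 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"

# Constructed sample values (assumptions, not data from any vehicle).
CAR_KEY = bytes.fromhex("8f3a1c5d7e9b02c4a6d1e0f4b3752899")  # hypothetical per-car key
PLAINTEXT = SQLITE_MAGIC + b"|contact: Alice Example, +1-555-0100|" * 3


def xor_repeat(data, key):
    """XOR data with the key repeated end to end (the same call decrypts)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext, known_prefix):
    """Return the shortest repeating key consistent with a known plaintext prefix."""
    n = min(len(ciphertext), len(known_prefix))
    if n == 0:
        raise ValueError("need ciphertext and a known plaintext prefix")
    # Where plaintext is known, ciphertext XOR plaintext exposes the key bytes.
    stream = bytes(c ^ p for c, p in zip(ciphertext[:n], known_prefix[:n]))
    for length in range(1, n + 1):
        if all(stream[i] == stream[i % length] for i in range(n)):
            return stream[:length]
    raise AssertionError("unreachable: length == n always matches")


def demo():
    """Recover key and data from the stored bytes alone, knowing only the file type."""
    stored = xor_repeat(PLAINTEXT, CAR_KEY)
    guessed = recover_key(stored, SQLITE_MAGIC)
    return guessed, xor_repeat(stored, guessed)


if __name__ == "__main__":
    key, data = demo()
    print("key recovered:", key == CAR_KEY)
    print("data recovered:", data == PLAINTEXT)
```

A key unique to each car does not help here, because the key falls out of any stored file whose first bytes are predictable. A standard cipher such as AES with its key held in a TPM, as another comment in this thread suggests, does not expose the key through known plaintext.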
Meanwhile Toyota .... (Score:2)
Of course, stock manipulation and 32 million shares shorted, valued at 7.5 billion dollars, has nothing to do with it.