Tesla personal data oversight highlights autonomous vehicle data privacy issue

Few deny autonomous vehicles are the future of transport. So why is cybersecurity still not being prioritized?
4 May 2020

Tesla left the doors open. Source: Shutterstock

  • Whitehat hacker GreenTheOnly discovered resold Tesla units containing previous owners’ personal data
  • Suggesting a market-leader is overlooking cybersecurity, the issue is a concern for the future autonomous vehicle market

For a real idea of how autonomous vehicles will function, we only have to look at Tesla.

Packed with sensors, advanced Autopilot software, and “thinking algorithms,” these vehicles are driven by next-gen computing systems, and demonstrate how data has become the fuel of the next stage in transportation. 

Far outpacing AV rivals, hundreds of thousands of Tesla vehicles have been gathering data for years. Ranging from maintenance information, visual identification to driver behavior – this data is pumped back into the cloud, all of which can help Tesla develop more advanced cars, and taking them to further levels of autonomy. 

McKinsey and Co estimated there that vehicle-gathered data will be worth US$750 billion a year by 2030. When you look at the firm as a vehicle data company, then, Tesla stock price probably isn’t too high ‘IMO’

But the autonomous vehicle market’s reliance and generation of massive amounts of data comes with a familiar worry, data privacy – and that very issue’s validity has been highlighted this week. 

Evidence has emerged that Tesla doesn’t routinely erase personal data from replaced components, with the discovery of Tesla computer units being sold on eBay with previous owner’s personal data still accessible on them. The units were discovered by white hacker GreenTheOnly and suggest owners who have had their car retrofitted with new hardware could be the victim of a personal data breach. 

Not only that, Tesla reportedly failed to immediately notify those customers who may have been affected. 

Most of the data found to be accessible related to vehicles’ infotainment systems, including “owner’s home and work location, all saved wi-fi passwords, calendar entries from the phone, call lists and address books from paired phones, Netflix and other stored session cookies.” Session cookies meant hackers could take control of accounts. 

It also shows a lack of consideration to customer data protection by a leading autonomous vehicle company, and highlights that cybersecurity is still being overlooked or not sufficiently prioritized. 

Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre), told TechHQ that limiting data access and ensuring stored data is deleted during customer replacement is “a high priority” for the automotive industry as we move into a world where connected cars are the norm. 

Businesses and consumers need to recognize that, just like with laptops, any piece of software is capable of collecting personal data. The more sophisticated and connected the device, the greater the potential for it to contain logs and settings which could place the consumer at risk when the device is resold or recycled,” Mackey said. 

“With cars becoming ever more connected and offering increasing information to drivers and passengers, manufacturers like Tesla, dealer networks supporting any manufacturer and neighbourhood mechanics are in a position to access the personal information stored within the multitude of computers within a modern vehicle.”

Last year, a paper called Counter-Mapping the Spaces of Autonomous Driving, from Dartmouth College author Luis F. Alvarez León argued that the “massive commercialization” of autonomous vehicles has vast potential to provide us with new data sources as a way to improve our society. 

“Self-driving cars have the potential to transform our transportation network and society at large. This carries enormous consequences given that the data and technology are likely to fundamentally reshape the way our cities and communities operate.”

However, he warned that this data could remain closed in manufacturer’s “black boxes”.  

“We don’t know who can see the data, appropriate it or profit from it. With insufficient government regulation of data from self-driving cars, this raises significant concerns regarding privacy, security and public safety,” said León. 

“If we’re going to adopt self-driving cars, then we should really make absolutely sure that they are as secure as they can be,” he continued. “This requires input from parties outside of the corporations who are building those very systems, such as government, advocacy groups and civil society at large.”