How Tesla’s total sales of parts in the US came back online in Ukraine

A Tesla Model X that was collected in the US late last year was suddenly back online and began sending notifications to the phone of its former owner, CNBC executive editor Jay Yarrow, months later.

Suddenly a car or her computer is online in a war-torn south UkraineHe found it by opening his Tesla app and using the geolocation feature. New owners in Ukraine discovered that they use the still-connected Spotify app to listen to Drake Radio playlists.

When Yarow posted about it on social network X, formerly Twitter, his post went viral, and followers wanted to know why this was happening and if it was a security risk.

According to CTO at auto security company Canis Labs, Ken Tindell, there can indeed be a security risk with restored cars.

He explained in an email to CNBC, “Obviously, the credentials for Internet services are left in the car’s electronics and then can be used by whoever gets the electronics.” He added, “In general, it’s possible to get data from working electronics — it’s just a matter of how much effort it takes.”

He said this is not an issue specific to Tesla. Cars, like laptops, smartphones, and even refrigerators and televisions, are now internet-connected devices that can store personal data.

“I think it’s essential that dealers and owners broadly understand that there is an issue with in-vehicle private data,” Tindle said.

How did the car end up in Ukraine?

CNBC found that after the car was collected, online auction site Copart put it up for sale, according to the site’s listings. company that currently It has more than 1600 tesla The vehicles, which are up for sale, are connected to salvage yards across the US, including one in New Jersey where the car ended up.

Copart specializes in damaged or scrapped vehicles that carry what’s called a “salvage title,” and it’s issued when an insurance company declares it a total loss, warning future buyers that there’s a major problem. Copart sells more than 2 million vehicles annually, and operates in 11 countries, according to the company’s website.

Such vehicles cannot legally drive on US roads, but some countries are not as strict.

“Cars go to the repair shop or the junkyard and then find their way to another market and then suddenly get shipped overseas,” said Mike Dunn, a former General Motors international executive who is now CEO of automotive consulting firm ZoZoGo.

This practice has been going on for decades and has accelerated with the advent of digital auctions, according to Stephen Lang, auctioneer and founder of Used Car Marketplace. 48 hours and a used car.

“Starting in the 2000s, the digital auction site took over. So now you can have someone in Ukraine bid on it. And then someone else from Norway bids on it…and you don’t even touch a US border or a US bidder,” he said. Lang, who has been in the auto auction business for over 24 years.

“Virtually all the vehicles collected will end up at auction for damage,” he said.

An online auction site that specializes in such sales estimated that the winning bid for the car would be between $27,400 and $29,400. The final sale price was not immediately known. Neither the salvage yard nor Copart immediately responded for comment on the vehicle and who purchased it.

The Tesla support team told Yarow that he should disconnect his car from his account, and provide the following instructions via email:

Tesla didn’t tell him how he was supposed to get the new owner’s information because he hadn’t sold the car.

According to Canis Labs CTO Ken Tindell, separating a person’s account from a bundled vehicle can help prevent others from using apps that are connected, like Spotify in the case of Yarow. However, data can still be extracted from the vehicle’s total electronics.

“What is the flight history and phone book of a celebrity worth to a blackmailer or kidnapper?” Tintel asked.

He and other security experts compared the case of an Apple laptop being stolen. In some cases, Apple can remotely wipe your laptop or device when connected to the Internet. But “a malicious repair shop can take out the hard drive and copy all the data from it before throwing away a broken laptop.”

This is why Apple routinely encrypts its hard drives, the CTO noted. “It is the only way to prevent data theft by someone who has physical access to a device that is not connected to the Internet.”

Ideally, a company like Tesla would have “a portal where the user could log in with online credentials and say ‘remove all my information, then disconnect my car from the account, and it would be Able to issue a remote wipe command for the car when it connects to the internet, deleting it all including GPS, saved locations and the rest. “

However, he said, owners can be their own “personal risk police,” avoiding giving out their used vehicles or rental cars too much personal information.

“Always purge your data after you’re done using the car and try not to share more information with the car than you absolutely need to share,” Ahner recommended. “If I pair my phone with the car I rent or own, I don’t allow it to sync location and contacts. I only give it access via Bluetooth to talk over the top of my music and so I can stream any music streaming app I like.”

An automotive white hat hacker with the handle Green the Only has been sounding the alarm about data on cars for years. “All the phone book and calendar stuff might be valuable,” he said.

Once possession of the car’s computer or car is changed back online, he says the previous owners “can’t do much.” One problem is that the old owner can “charge for supercharging,” and other items from Tesla — or other automakers — might sell on a subscription or pay-per-charge basis. They can always apply to Tesla to remove the car from their account, but that’s it.

Green the Only agreed with Tindell and Ahner – Tesla “maybe they can add a ‘remote wipe then remove from my account’ in addition to the ‘remove from my account’ option they have now. They probably should have added that a long time ago.”