In general, cars have become rolling computers that slurp up personal data from users’ mobile devices to enable “infotainment” features or services. Additional data generated by the car enables and trains advanced driver-assistance systems. Systems from major automakers that compete with Tesla’s Autopilot include GM’s Cadillac Super Cruise, Nissan Infiniti’s ProPilot Assist and Volvo’s Pilot Assist system.
But GreenTheOnly and Theo noted that in Teslas, dashboard cameras and selfie cameras can record while the car is parked, even in your garage, and there is no way for an owner to know when they may be doing so. The cameras enable desirable features like “sentry mode.” They also enable wipers to “see” raindrops and switch on automatically, for example.
GreenTheOnly explained, “Tesla is not super transparent about what and when they are recording, and storing on internal systems. You can opt out of all data collection. But then you lose [over-the-air software updates] and a bunch of other functionality. So, understandably, nobody does that, and I also begrudgingly accepted it.”
Theo and GreenTheOnly also said Model 3, Model S and Model X vehicles try to upload autopilot and other data to Tesla in the event of a crash. The cars have the capability to upload other data, but the researchers don’t know if and under what circumstances they attempt to do so.
Tesla has a reputation as technologically cutting-edge and friendly to white-hat hackers.
For example, Tesla was the first auto maker to offer “over the air” updates to its cars. CEO Elon Musk shows up at cybersecurity gatherings like DefCon, to the delight of the “makers and breakers” of code who attend them.
The company is one of a handful of large corporations to openly court cybersecurity professionals to its networks, urging those who find flaws in Tesla systems to report them in an orderly process — one that gives the company time to fix the problem before it is disclosed. Tesla routinely pays out five-figure sums to individuals who find and successfully report these flaws.
Even in his PayPal days, CEO Elon Musk was an early proponent of this kind of crowdsourced security research, notes David Baker, Chief Security Officer at BugCrowd, the platform Tesla uses to manage its own “bug bounty” program.
However, according to two former Tesla service employees who requested anonymity, when owners try to analyze or modify their own vehicles’ systems, the company may flag them as hackers, alerting Tesla of their skills. Tesla then ensures that these flagged people are not among the first to get new software updates.
Baker is sympathetic. He said: “Tesla does have to safeguard against those who would try to reverse-engineer their software, or engage in malicious hacking. And they can’t just wipe the car necessarily. These are computers. There could be a forensic need to contain and retain the data. But I would think that what they will want to work on is a way to have all that stored data encrypted, as it would be on your cell phone.”