A Tesla Model X car sold in the United States for parts late last year suddenly returned to the Internet and began sending notifications to the phone of its former owner, CNBC executive editor Jay Yarrow.
Fullstack Web Development course. Have development skills on both front-end and back-end. Companies are waiting in line for such specialists! Get information about the course
Using the geolocation feature in the Tesla app, Yarow discovered that the car’s alerts were coming from the south of Ukraine. He also noticed that the new owners were using his Spotify app, which was still connected at the time, to listen to Drake’s albums.
The story’s publication in X instantly garnered millions of views, and users began to wonder how this could have happened and what the consequences were.
Here’s an unusual situation. I had a Tesla, crashed it, it was totaled. And now it’s… in Ukraine? And someone out there is listening to Drake on my, still logged in, Spotify account. pic.twitter.com/ymW2psyvz6
– Jay Yarow (@jyarow) August 10, 2023
Ken Tindell, CTO of automotive security firm Canis Labs, says that reassembled cars can actually pose a security risk, as credentials remain in the electronics and can be used by those who purchased them.
However, the problem is not specific to Tesla. Similar situations can happen with any car, as they, like laptops, smartphones, or TVs, also have an Internet connection and can store personal data.
“Dealers and owners need to understand that there is a problem with personal data in cars,” Tindell said.
An American sold a Tesla Model X for spare parts – a few months later, the car suddenly went online in Ukraine
How did the car end up in Ukraine?
After the car was written off, it was put up for sale on the online auction site Copart, according to CNBC. The site currently features more than 1,600 Tesla vehicles from scrappage centers across the U.S., including New Jersey, where Yarrow’s car was found.
Copart specializes in damaged or reassembled vehicles that have a “salvage title” – it is issued when an insurance company declares a total loss, warning future buyers of serious problems. The auction sells more than 2 million cars a year and operates in 11 countries. In the United States, such cars cannot be driven legally, but in Ukraine, the rules are not so strict.
“Almost all of the vehicles that are reassembled will go to a used car auction,” said Stephen Lang, auctioneer and founder of the 48 Hours And A Used Car marketplace.
One of the online auction websites that specializes in such sales estimated that the winning bid for such a car would be between $27,400 and $29,400. The final sale price of the Tesla Yarrow is not known – neither the scrap yard nor Copart answered questions about the price and who bought the car.
What can owners do after the fact?
Tesla support staff told Yarrow that he had to disconnect the car from his account, offering further instructions via email:
- Open the Tesla app. Tap the profile icon in the upper right corner
- Tap Add/remove products > Delete > Vehicle
- Select the VIN number, and then click “Get started”
- Enter the vehicle and sale details, and then click “Next”
- Enter the information about the new owner, and then click “Next”
- Enter the security code from the email, then click “Confirm”
- Send a request by clicking “Delete vehicle”
- Reminder: if you are asked if you have sold your car, click yes.
According to Tindell, disconnecting an account from a vehicle can prevent other people from using apps that have been connected, like Spotify in Yarrow’s case. However, the data can still be extracted from the vehicle’s overall electronics.
Warren Aner, an automotive cybersecurity veteran, said that ideally, a company like Tesla would have a portal where a user could log in with online credentials and request that the information be deleted and the car disconnected from the account. However, owners should control what data they provide to vehicles themselves.
“Always delete your data after you sell your car and try not to share more information than you need to. If I connect my phone to my car, I don’t allow it to synchronize my location and contacts. I only give it access to Bluetooth to listen to music, and so I can use any music streaming app I like,” says Aner.