Tesla Model X Sells at Online Auction, Reappears in Ukraine Months Later
In a bizarre turn of events, a Tesla Model X that had been totaled in the United States last year suddenly came back online and started sending notifications to its former owner, CNBC executive editor Jay Yarow. The car, which was sold through an online auction site affiliated with a local scrapyard, was discovered to be in a Southern region of war-torn Ukraine through the geolocation feature on the Tesla app.
Even more surprising, Yarow found that the new owners in Ukraine were using his still-connected Spotify app to listen to Drake radio playlists. After sharing his experience on the social network X (formerly known as Twitter), the post went viral, with followers concerned about the security risk and why such a situation was even possible.
According to Ken Tindell, CTO of automotive security firm Canis Labs, there can indeed be a security risk with restored totaled cars. He explained that the credentials to internet services are often left in the vehicle electronics and can be used by anyone who gains access to them. Tindell also emphasized that this is not a Tesla-specific issue, as many internet-connected devices, including cars, can store personal data.
The vehicle’s journey to Ukraine raises questions about how it ended up there. After being totaled, the car was listed for sale on the online auction site Copart, which specializes in damaged or totaled vehicles with salvage titles. While such vehicles cannot legally drive on U.S. roadways, they can be sold to buyers in other countries with less strict regulations.
Mike Dunne, a former General Motors international executive who now serves as CEO of auto consulting firm ZoZoGo, explained that this practice of damaged vehicles being shipped overseas has been going on for decades and has been accelerated by the rise of digital auctions. Vehicle auctioneer and used car marketplace founder Steven Lang added that virtually all totaled vehicles end up at salvage auctions.
The winning bid for the Tesla Model X in question was estimated to be between $27,400 and $29,400. However, it is unclear who bought the vehicle, as neither the salvage yard nor Copart immediately responded to comment on the matter.
Tesla support staff advised Yarow to disconnect his car from his account to prevent others from using connected apps, such as Spotify. However, Tindell pointed out that even if the account is disconnected, data can still be extracted from the vehicle’s electronics. This raises concerns about the potential value of personal data stored in vehicles, especially for high-profile individuals.
Security experts likened the situation to having a stolen Apple laptop. Apple has the ability to remotely wipe the device clean, but if someone gains physical access to the offline device, they can extract the data before scrapping it. Tindell emphasized the need for vehicle owners and dealers to be aware of the issue of private data within the vehicle and take appropriate measures to protect it.
Warren Ahner, founder of RightHook and an automotive cybersecurity veteran, suggested that companies like Tesla should provide a portal where users can easily remove their personal information and issue a remote-wipe command to the vehicle when it comes online. However, he also advised owners to minimize the amount of personal information shared with their vehicles and to purge data after use.
As the automotive industry becomes increasingly digitized, the need for robust cybersecurity measures becomes crucial. Experts are urging both vehicle manufacturers and owners to take steps to protect personal data and prevent security breaches in the future.