Connect with us

Published

2 years ago

on

The Tesla Motors Inc. Model X sport utility vehicle (SUV).

David Paul Morris | Bloomberg | Getty Images

A Tesla Model X totaled in the U.S. late last year suddenly came back online and started sending notifications to the phone of its former owner, CNBC executive editor Jay Yarow, months later.

The car or its computer was suddenly online in a Southern region of war-torn Ukraine, he found by opening up his Tesla app and using a geolocation feature. The new owners in Ukraine were tapping into his still-connected Spotify app to listen to Drake radio playlists, he also discovered.

When Yarow posted about this to the social network X, formerly known as Twitter, his post went viral, and followers wanted to know why this this happening and whether it was a security risk.

According to the CTO of automotive security firm Canis Labs, Ken Tindell, there can indeed be a security risk with totaled cars that are restored.

He explained in an e-mail to CNBC, “The credentials to internet services are clearly left in the vehicle electronics and then can be used by whoever gets hold of the electronics.” He added, “In general it’s possible to get data out of working electronics — it’s merely a question of how much effort that takes.” 

This is far from a Tesla-specific issue, he said. Cars, like laptops, smartphones, and even refrigerators and TVs, are now internet-connected devices that can store personal data.

“I think it needs to be more widely understood by dealers and owners that there is this issue of private data within the vehicle,” Tindell said.

Overseas demand for totaled Teslas

How did the vehicle end up in Ukraine?

CNBC found that after the car was totaled, online auction site Copart listed it for sale, according to website listings. The company, which currently has more than 1,600 Tesla vehicles listed for sale, is connected to salvage yards across the U.S., including one in New Jersey where the car ended up.

Copart specializes in damaged or totaled vehicles that have what’s called a “salvage title,” issued when an insurance company declares it a total loss, warning future buyers that there was a significant problem. Copart sells more than 2 million vehicles a year, with operations in 11 countries, according to the company’s website.

Such vehicles cannot legally drive on U.S. roadways, but some countries aren’t as stringent.

“Cars go to the repair shop or junk yard then find their way to a second market and then are suddenly being shipped overseas,” said Mike Dunne, a former General Motors international executive who now serves as CEO of auto consulting firm ZoZoGo.

The practice has been going on for decades and accelerated with the rise of digital auctions, according to Steven Lang, an auctioneer and founder of used car marketplace 48 Hours And A Used Car.

“Starting in the Y2K era, the digital auction site took over. So now you can have someone in Ukraine bidding on it. And then someone else from Norway bidding on it … and you haven’t even touched an American border or an American bidder,” said Lang, who has been in the vehicle auction business for more than 24 years.

“Virtually all of the vehicles that are totaled will end up at a salvage auction,” he said.

One online auction website that specializes in such sales estimated the winning bid for the vehicle would be between $27,400 and $29,400. A final sale price was not immediately known. Neither the salvage yard nor Copart immediately responded for comment about the vehicle and who bought it.

What owners can do after the fact

Tesla support staff told Yarow he should disconnect his car from his account, offering the following instructions via email:

1. Open the Tesla app Tap profile icon in top-right corner

2. Tap ‘Add/Remove Products’ > ‘Remove’ > ‘Vehicle’

3. Select the VIN, then tap ‘Get Started’

4. Enter the vehicle and sale details, then tap ‘Next’

5. Enter the new owner information, then tap ‘Next’

6. Enter security code from e-mail, then tap ‘Confirm’

7.Submit the request by clicking on ‘Remove Vehicle’

Reminder: If it asks if you sold the vehicle say yes.”

Tesla didn’t tell him how he was supposed to obtain the new owner information as he hadn’t sold the car.

According to Canis Labs CTO Ken Tindell, disconnecting one’s account from a totaled vehicle can help stop others from using apps that had been connected, such as Spotify in Yarow’s case. However, data could still be extracted from the totaled vehicle’s electronics.

“What would the trip history and phone book of a celebrity be worth to a blackmailer or a kidnapper?” Tintell asked.

He and other security experts compared the situation having an Apple laptop stolen. In some cases, Apple can wipe the laptop or device clean remotely when it comes online. But “a malign repair shop can take out the hard drive and copy all the data off it before scrapping a broken laptop.”

This is why Apple routinely encrypts its hard drives, the CTO noted. “It’s the only way to prevent the data being stolen by someone with physical access to an offline device.”

An automotive cybersecurity veteran and the founder of RightHook, Warren Ahner, said that ideally a company like Tesla would “Have a portal where a user can sign in with online credentials and say ‘remove all my info, then disconnect my vehicle from the account,’ and would be able issue a remote-wipe command to the car when it comes online, deleting it all including GPS, saved locations and the rest.”

However, he said, owners can be their own “personal risk police,” and avoid giving their vehicles or rental cars that they use lots of personal info.

“Always purge your data after you are done with the vehicle and try not to share more info with the car than you absolutely need to share,” Ahner recommended. “If I pair my phone with the car I’m renting or owning I don’t allow it to synch location and contacts. I only give it Bluetooth access to talk over the top of my music and so I can us whatever music streaming app I like.”

An automotive white hat hacker who uses the handle Green the Only has been sounding the alarm about data on cars for years. “All the phone directory and calendar stuff might be valuable,” he said.

Once a car or car computer has changed possession is back online, he says that the previous owners “can’t do much.” One problem is that an old owner can “accrue charges for Supercharging,” and other items Tesla — or other vehicle makers — may sell on a subscription or pay-per-charge basis. They can always submit a request to Tesla to remove the car from their account, but that’s it.

Green the Only agreed with Tindell and Ahner — Tesla “probably can add a ‘remote wipe and then remove from my account’ in addition to the ‘remove from my account’ option they have now. They probably should have added that long ago.”

Related Topics:
Continue Reading

Technology

Chinese medical devices are in health systems across U.S., and the government and hospitals are worried

Published

12 hours ago

on

February 23, 2025

By

Chinese medical devices are in health systems across U.S., and the government and hospitals are worried

A popular medical monitor is the latest device produced in China to receive scrutiny for its potential cyber risks.  However, it is not the only health device we should be concerned about. Experts say the proliferation of Chinese health-care devices in the U.S. medical system is a cause for concern across the entire ecosystem. 

The Contec CMS8000 is a popular medical monitor that tracks a patient’s vital signs.  The device tracks electrocardiograms, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature, and respiration rate.  In recent months, the FDA and the Cybersecurity and Infrastructure Security Agency (CISA) both warned about a “backdoor” in the device, an “easy-to-exploit vulnerability that could allow a bad actor to alter its configuration.”  

CISA’s research team described “anomalous network traffic” and the backdoor “allowing the device to download and execute unverified remote files” to an IP address not associated with a medical device manufacturer or medical facility but a third-party university — “highly unusual characteristics” that go against generally accepted practices, “especially for medical devices.”

“When the function is executed, files on the device are forcibly overwritten, preventing the end customer—such as a hospital—from maintaining awareness of what software is running on the device,” CISA wrote.

The warnings says such configuration alteration could lead to, for instance, the monitor saying that a patient’s kidneys are malfunctioning or breathing failing, and that could cause medical staff to administer unneeded remedies that could be harmful. 

The Contec’s vulnerability doesn’t surprise medical and IT experts who have warned for years that medical device security is too lax. 

Hospitals are worried about cyber risks

“This is a huge gap that is about to explode,” said Christopher Kaufman, a business professor at Westcliff University in Irvine, California, who specializes in IT and disruptive technologies, specifically referring to the security gap in many medical devices.

The American Hospital Association, which represents over 5,000 hospitals and clinics in the U.S., agrees. It views the proliferation of Chinese medical devices as a serious threat to the system. 

As for the Contec monitors specifically, the AHA says the problem urgently needs to be addressed. 

“We have to put this at the top of the list for the potential for patient harm; we have to patch before they hack,” said John Riggi, national advisor for cybersecurity and risk for the American Hospital Association.  Riggi also served in FBI counterterrorism roles before joining the AHA. 

CISA reports that no software patch is available to help mitigate this risk, but in its advisory said the government is currently working with Contec. 

Contec, headquartered in Qinhuangdao, China,  did not return a request for comment. 

One of the problems is that it is unknown how many monitors there are in the U.S. 

“We don’t know because of the sheer volume of equipment in hospitals. We speculate there are, conservatively, thousands of these monitors; this is a very critical vulnerability,” Riggi said, adding that Chinese access to the devices can pose strategic, technical, and supply chain risks. 

In the short-term, the FDA advised medical systems and patients to make sure the devices are only running locally or to disable any remote monitoring; or if remote monitoring is the only option, to stop using the device if an alternative is available. The FDA said that to date it is not aware of any cybersecurity incidents, injuries, or deaths related to the vulnerability.

The American Hospital Association has also told its members that until a patch is available, hospitals should make sure the monitor no longer has access to the internet, and is segmented from the rest of the network.

Riggi said the while the Contec monitors are a prime example of what we don’t often consider among health care risk, it extends to a range of medical equipment produced overseas. Cash-strapped U.S. hospitals, he explained, often buy medical devices from China, a country with a history of installing destructive malware inside critical infrastructure in the U.S.  Low-cost equipment buys the Chinese potential access to a trove of American medical information that can be repurposed and aggregated for all sorts of purposes. Riggs says data is often transmitted to China with the stated purpose of monitoring a device’s performance, but little else is known about what happens to the data beyond that. 

Riggi says individuals aren’t at acute medical risk as much as the information being collected and aggregated for repurposing and putting the larger medical system at risk. Still, he points out that, at least theoretically, is can’t be ruled out that prominent Americans with medical devices could be targeted for disruption. 

“When we talk to hospitals,  CEOS are surprised, they had no idea about the dangers of these devices, so we are helping them understand.  The question for government is how to incentivize domestic production, away from overseas,”  Riggi said. 

Chinese data collection on Americans

The Contec warning is similar at a general level to TikTok, DeepSeek, TP-Link routers, and other devices and technology from China that the U.S. government says are collecting data on Americans. “And that is all I need to hear in deciding whether to buy medical devices from China,” Riggi said. 

Aras Nazarovas, an information security researcher at Cybernews, agrees that the CISA threat raises serious issues that need to be addressed. 

“We have a lot to fear,” Nazarovas said. Medical devices, like the Contec CMS8000, often have access to highly sensitive patient data and are directly connected to life-saving functions.  Nazarovas says that when the devices are poorly defended, they become easy prey for hackers who can manipulate the displayed data, alter vital settings, or disable the device completely.  

“In some cases, these devices are so poorly protected that attackers can gain remote access and change how the device operates without the hospital or patients ever knowing,” Nazarovas said. 

The consequences of the Contec vulnerability and vulnerabilities in an array of Chinese-made medical devices could easily be life-threatening.  

“Imagine a patient monitor that stops alerting doctors to a drop in a patient’s heart rate or sends incorrect readings, leading to a delayed or wrong diagnosis,” Nazarovas said. In the case of the Contec CMS8000, and Epsimed MN-120 (a different brand name for the same tech), warning from the government, these devices were configured to allow remote code execution by the remote server.  

“This functionality can be used as an entry point into the hospital’s network,” Nazarovas said, leading to patient danger.  

More hospitals and clinics are paying attention. Bartlett Regional Hospital in Juneau, Alaska, does not use the Contec monitors but is always looking for risks. “Regular monitoring is critical as the risk of cybersecurity attacks on hospitals continues to increase,” says Erin Hardin, a spokeswoman for Bartlett.  

However, regular monitoring may not be enough as long as devices are made with poor security. 

Potentially making matters worse, Kaufman says, is that the Department of Government Efficiency is hollowing out departments in charge of safeguarding such devices. According to the Associated Press, many of the recent layoffs at the FDA are employees who review the safety of medical devices. 

Kaufman laments the likely lack of government supervision on what is already, he says, a loosely regulated industry. A U.S. Government Accountability Office report as of January 2022, indicated that 53% of connected medical devices and other Internet of Things devices in hospitals had known critical vulnerabilities. He says the problem has only gotten worse since then. “I’m not sure what is going to be left running these agencies,” Kaufman said.

“Medical device issues are widespread and have been known for some time now,” said Silas Cutler, principal security researcher at medical data company Censys. “The reality is that the consequences can be dire – and even deadly. While high-profile individuals are at heightened risk, the most impacted are going to be the hospital systems themselves, with cascading effects on everyday patients.”  

Continue Reading

Technology

Substack boosts video capabilities amid potential TikTok ban

Published

14 hours ago

on

February 23, 2025

By

Substack boosts video capabilities amid potential TikTok ban

Rafael Henrique | SOPA Images | AP

After posting almost 200 videos, amassing hundreds of thousands of followers and racking up millions of views, Carla Lalli Music is quitting YouTube. Substack is her new focus. 

Music is a cookbook author and food content creator, and she is shifting her focus to Substack, a subscription platform that lets creators charge users subscriptions for access to their content. Music told CNBC she came to that decision after earning more in one year of using Substack, nearly $200,000 in revenue, than she did by posting videos on YouTube since 2021. 

Music is the exact kind of content creator that Substack is trying to lure to its platform as TikTok’s future in the U.S. remains in limbo. 

San Francisco-based Substack launched in 2017 as a tool for newsletter writers to charge readers a monthly fee to read their content. The platform allows creators to connect to their followers directly without having to navigate algorithmic models that control when their content is shown, as is the case on TikTok, Google’s YouTube and other social platforms. Substack has raised about $100 million, most recently at a post-money valuation of more than $650 million, the company told CNBC.

This year, Substack has broadened its focus beyond newsletters, and on Thursday, it announced that creators can now post video content directly through the Substack app and monetize these videos.

“There’s going to be a world of people who are much more focused on videos,” Substack Co-founder Hamish McKenzie told CNBC. “That is a huge world that Substack is only starting to penetrate.”

Substack began this push after the social media landscape was thrown into flux as a result of the effective ban of TikTok in January that caused the popular Chinese-owned service to go offline for a few hours. TikTok was also removed from Apple and Google’s app stores for nearly a month. 

The disruption to TikTok in January happened as a result of a law signed by former President Joe Biden to force a sale of the Chinese-owned app or have it effectively banned in the U.S. On his first day in office, President Donald Trump signed an executive order extending TikTok’s ability to operate in the U.S., but that order expires on April 5. 

Days after TikTok went offline, Substack launched a $20 million fund to court creators to its platform.

“If TikTok gets banned for political reasons, there’s nothing to do with the work you’ve done, but it really affects your life,” McKenzie said. “The only and surefire guard against that is if you don’t place your audience in the hands of some other volatile system who doesn’t care about what happens to your livelihood.”

Moving beyond newsletters

McKenzie says that they are going after creators on competing social media platforms to start sharing their video content on Substack.

“Video-first creators, people who are mobile oriented, there’s a whole lot of new possibility waiting to be unlocked once they meet this model in the right place,” McKenzie said. 

Already, Substack has more than 4 million paid subscriptions with over 50,000 creators who make money on the platform, the company said. Substack says that 82% of its top 250 revenue-generating creators have already integrated audio or video into their content, reflecting a growing emphasis on multimedia content.

Prior to the video announcements, Substack allowed creators to post videos on the app to Notes, which is the platform’s front-facing feed format. But the feature did not allow creators to publish video content behind Substack’s paywalls. 

The update enables creators to put video content behind a paywall and it provides data on estimated revenue impact. It also allows them to track viewership and new subscribers.

Carla Lalli Music is a cookbook writer and food creator.

Carla Lalli Music

The push by Substack into video is a welcomed development for creators like Music, who was losing money from making videos for YouTube. 

Music said each video costs her $3,500 to produce despite filming at home. If she published four videos a month on YouTube, she’d earn about $4,000 in revenue. Music was losing about $10,000 a month, she said. 

“It’s really depressing to operate at a loss,” said Music. 

Even with brand deals, which is an agreement where brands pay creators to post content that promotes their products, the earnings were barely enough to recoup the costs of posting on YouTube, Music said. 

More than half of the $290 billion creator economy comes from direct-to-fan value. That includes ticket sales, courses, livestreams and paid memberships, according to a survey conducted by Patreon, a Substack competitor.

With her shift to Substack, Music said she’s now focused on writing another book, posting recipes behind the platform’s paywall and sprinkling in occasional videos.

“I have a lot more to benefit from focused attention on a smaller group of people than I ever did on throwing stuff and seeing what was going to stick with billions of potential audience members,” Music said. “It’s more sustainable.”

WATCH: Our base case for TikTok is that it gets banned in the U.S.: Lead Edge Capital’s Mitchell Green

Our base case for TikTok is that it gets banned in the U.S.: Lead Edge Capital's Mitchell Green

Continue Reading

Technology

Anne Wojcicki has a new offer to take 23andMe private, this time for $74.7 million

Published

2 days ago

on

February 21, 2025

By

Anne Wojcicki has a new offer to take 23andMe private, this time for .7 million

Anne Wojcicki attends the WSJ Magazine Style & Tech Dinner in Atherton, California, on March 15, 2023.

Kelly Sullivan | Getty Images Entertainment | Getty Images

23andMe CEO Anne Wojcicki and New Mountain Capital have submitted a proposal to take the embattled genetic testing company private, according to a Friday filing with the U.S. Securities and Exchange Commission.

Wojcicki and New Mountain have offered to acquire all of 23andMe’s outstanding shares in cash for $2.53 per share, or an equity value of approximately $74.7 million. The company’s stock closed at $2.42 on Friday with a market cap of about $65 million.

The offer comes after a turbulent year for 23andMe, with the stock losing more than 80% of its value in 2024. In January, the company announced plans to explore strategic alternatives, which could include a sale of the company or its assets, a restructuring or a business combination. 

Read more CNBC tech news

23andMe has a special committee of independent directors in place to evaluate potential paths forward. The company appointed three new independent directors to its board in October after all seven of its previous directors abruptly resigned the prior month. The special committee has to approve Wojcicki and New Mountain’s proposal.

“We believe that our Proposal provides compelling value and immediate liquidity to the Company’s public stockholders,” Wojcicki and Matthew Holt, managing director and president of private equity at New Mountain, wrote in a letter to the special committee on Thursday.

Wojcicki previously submitted a proposal to take the company private for 40 cents per share in July, but it was rejected by the special committee, in part because the members said it lacked committed financing and did not provide a premium to the closing price at the time.

Wojcicki and New Mountain are willing to provide secured debt financing to fund 23andMe’s operations through the transaction’s closing, the filing said. New Mountain is based in New York and has $55 billion of assets under management, according to its website.

23andMe declined to comment.

WATCH: The rise and fall of 23andMe

The rise and fall of 23andMe

Continue Reading

Trending