Connect with us

Published

2 years ago

on

The Tesla Motors Inc. Model X sport utility vehicle (SUV).

David Paul Morris | Bloomberg | Getty Images

A Tesla Model X totaled in the U.S. late last year suddenly came back online and started sending notifications to the phone of its former owner, CNBC executive editor Jay Yarow, months later.

The car or its computer was suddenly online in a Southern region of war-torn Ukraine, he found by opening up his Tesla app and using a geolocation feature. The new owners in Ukraine were tapping into his still-connected Spotify app to listen to Drake radio playlists, he also discovered.

When Yarow posted about this to the social network X, formerly known as Twitter, his post went viral, and followers wanted to know why this this happening and whether it was a security risk.

According to the CTO of automotive security firm Canis Labs, Ken Tindell, there can indeed be a security risk with totaled cars that are restored.

He explained in an e-mail to CNBC, “The credentials to internet services are clearly left in the vehicle electronics and then can be used by whoever gets hold of the electronics.” He added, “In general it’s possible to get data out of working electronics — it’s merely a question of how much effort that takes.” 

This is far from a Tesla-specific issue, he said. Cars, like laptops, smartphones, and even refrigerators and TVs, are now internet-connected devices that can store personal data.

“I think it needs to be more widely understood by dealers and owners that there is this issue of private data within the vehicle,” Tindell said.

Overseas demand for totaled Teslas

How did the vehicle end up in Ukraine?

CNBC found that after the car was totaled, online auction site Copart listed it for sale, according to website listings. The company, which currently has more than 1,600 Tesla vehicles listed for sale, is connected to salvage yards across the U.S., including one in New Jersey where the car ended up.

Copart specializes in damaged or totaled vehicles that have what’s called a “salvage title,” issued when an insurance company declares it a total loss, warning future buyers that there was a significant problem. Copart sells more than 2 million vehicles a year, with operations in 11 countries, according to the company’s website.

Such vehicles cannot legally drive on U.S. roadways, but some countries aren’t as stringent.

“Cars go to the repair shop or junk yard then find their way to a second market and then are suddenly being shipped overseas,” said Mike Dunne, a former General Motors international executive who now serves as CEO of auto consulting firm ZoZoGo.

The practice has been going on for decades and accelerated with the rise of digital auctions, according to Steven Lang, an auctioneer and founder of used car marketplace 48 Hours And A Used Car.

“Starting in the Y2K era, the digital auction site took over. So now you can have someone in Ukraine bidding on it. And then someone else from Norway bidding on it … and you haven’t even touched an American border or an American bidder,” said Lang, who has been in the vehicle auction business for more than 24 years.

“Virtually all of the vehicles that are totaled will end up at a salvage auction,” he said.

One online auction website that specializes in such sales estimated the winning bid for the vehicle would be between $27,400 and $29,400. A final sale price was not immediately known. Neither the salvage yard nor Copart immediately responded for comment about the vehicle and who bought it.

What owners can do after the fact

Tesla support staff told Yarow he should disconnect his car from his account, offering the following instructions via email:

1. Open the Tesla app Tap profile icon in top-right corner

2. Tap ‘Add/Remove Products’ > ‘Remove’ > ‘Vehicle’

3. Select the VIN, then tap ‘Get Started’

4. Enter the vehicle and sale details, then tap ‘Next’

5. Enter the new owner information, then tap ‘Next’

6. Enter security code from e-mail, then tap ‘Confirm’

7.Submit the request by clicking on ‘Remove Vehicle’

Reminder: If it asks if you sold the vehicle say yes.”

Tesla didn’t tell him how he was supposed to obtain the new owner information as he hadn’t sold the car.

According to Canis Labs CTO Ken Tindell, disconnecting one’s account from a totaled vehicle can help stop others from using apps that had been connected, such as Spotify in Yarow’s case. However, data could still be extracted from the totaled vehicle’s electronics.

“What would the trip history and phone book of a celebrity be worth to a blackmailer or a kidnapper?” Tintell asked.

He and other security experts compared the situation having an Apple laptop stolen. In some cases, Apple can wipe the laptop or device clean remotely when it comes online. But “a malign repair shop can take out the hard drive and copy all the data off it before scrapping a broken laptop.”

This is why Apple routinely encrypts its hard drives, the CTO noted. “It’s the only way to prevent the data being stolen by someone with physical access to an offline device.”

An automotive cybersecurity veteran and the founder of RightHook, Warren Ahner, said that ideally a company like Tesla would “Have a portal where a user can sign in with online credentials and say ‘remove all my info, then disconnect my vehicle from the account,’ and would be able issue a remote-wipe command to the car when it comes online, deleting it all including GPS, saved locations and the rest.”

However, he said, owners can be their own “personal risk police,” and avoid giving their vehicles or rental cars that they use lots of personal info.

“Always purge your data after you are done with the vehicle and try not to share more info with the car than you absolutely need to share,” Ahner recommended. “If I pair my phone with the car I’m renting or owning I don’t allow it to synch location and contacts. I only give it Bluetooth access to talk over the top of my music and so I can us whatever music streaming app I like.”

An automotive white hat hacker who uses the handle Green the Only has been sounding the alarm about data on cars for years. “All the phone directory and calendar stuff might be valuable,” he said.

Once a car or car computer has changed possession is back online, he says that the previous owners “can’t do much.” One problem is that an old owner can “accrue charges for Supercharging,” and other items Tesla — or other vehicle makers — may sell on a subscription or pay-per-charge basis. They can always submit a request to Tesla to remove the car from their account, but that’s it.

Green the Only agreed with Tindell and Ahner — Tesla “probably can add a ‘remote wipe and then remove from my account’ in addition to the ‘remove from my account’ option they have now. They probably should have added that long ago.”

Related Topics:
Continue Reading

Technology

French fintech Pennylane doubles valuation to $2.2 billion as Alphabet’s venture capital arm takes stake

Published

5 hours ago

on

April 6, 2025

By

French fintech Pennylane doubles valuation to .2 billion as Alphabet's venture capital arm takes stake

Seksan Mongkhonkhamsao | Moment | Getty Images

French accounting software firm Pennylane has doubled its valuation to 2 billion euros ($2.16 billion) in a new 75 million euro funding round.

Pennylane told CNBC that it raised the fresh funds from a host of venture funds, with Sequoia Capital leading the round and Alphabet’s CapitalG, Meritech and DST Global also participating.

Founded in 2020, Pennylane sells what it calls an “all-in-one” accounting platform that’s used by accountants and other financial professionals.

The platform is primarily targeted toward small to medium-sized firms, offering tools for functions spanning expensing, invoicing, cash flow management and financial forecasting.

“We came in tailoring a product that looks a bit like [Intuit’s] QuickBooks or Xero but adapting it to the needs of continental accountants, starting with France,” Pennylane’s CEO and co-founder Arthur Waller told CNBC.

Pennylane currently serves around 4,500 accounting firms and more than 350,000 small and medium-sized enterprises. The startup was previously valued at 1 billion euros in a 2024 investment round.

European expansion

For now, Pennylane only operates in France. However, after the new fundraise, the startup now plans to expand its services across Europe — starting with Germany in the summer.

“It’s going to be a lot of work. It took us approximately five years to have a product mature in France,” Waller said, adding that he hopes to reach product maturity in Germany in a shorter time period of two years.

Pennylane plans to end the year on about 100 million euros of annual recurring revenue — a measure of annual revenue generated from subscriptions that renew each year.

Watch CNBC's full interview with Plaid CEO Zach Perret

“We are going to get breakeven by end of the year,” Waller said, adding that Pennylane runs on lower customer acquisition costs than other fintechs. “75% of our costs are R&D [research and development],” he added.

Pennylane also plans to boost hiring after the new funding round. It is looking to grow to 800 employees by the end of 2025, up from 550 currently.

‘Co-pilot’ for accountants

Like many other fintechs, Pennylane is embracing artificial intelligence. Waller said the startup is using the technology to help clients automate bookkeeping and free up time for other things like advisory services.

“Because we have a modern tech stack, we’re able to embed all kinds of AI, but also GenAI, into the product,” Waller told CNBC. “We’re really trying to build a ‘co-pilot’ for the accountant.”

We are seeing a rebound in fintech valuations, says N26 CEO

He added that new electronic invoicing regulations coming into force across Europe are pushing more and more firms to consider new digital products to serve their accounting needs.

“Every business in France within a year from now will have to chose a product operator to issue and receive invoices,” Waller said, calling e-invoicing a “huge market.”

Luciana Lixandru, a partner at Sequoia who sits on the board of Pennylane, said the reforms represent a “massive market opportunity” as the accounting industry is still catching up in terms of digitization.

“The reality is the market is very fragmented,” Lixandru told CNBC via email. “In each country there are one or two decades-old incumbents, and few options that serve both SMBs and their accountants.”

Continue Reading

Technology

TikTok reportedly stays on App Store after assurance from Attorney General Pam Bondi

Published

7 hours ago

on

April 6, 2025

By

TikTok reportedly stays on App Store after assurance from Attorney General Pam Bondi

In this photo illustration, the logo of TikTok is displayed on a smartphone screen on April 5, 2025 in Shanghai, China. 

Vcg | Visual China Group | Getty Images

Apple will keep ByteDance-owned TikTok on its App Store for at least 75 more days after receiving assurances from Attorney General Pam Bondi, according to a report from Bloomberg News.

This comes after President Donald Trump signed an executive order Friday to extend the TikTok ban deadline for the second time. TikTok will be banned in the U.S. unless China’s ByteDance sells its U.S. operations under a national security law signed by former President Joe Biden in April 2024.

AG Bondi wrote in a letter to Apple that the company should act in accordance with Trump’s deadline extension and that it would not be penalized for hosting the platform, according to unnamed sources cited in the report.

Apple did not respond to a request for comment.

After TikTok went briefly offline for U.S. users in January following the initial ban deadline, it remained unavailable for download in the App Store until Feb. 13. Apple had reinstated TikTok to its app store after receiving a similar letter of assurance from Bondi.

The extension comes days after Trump announced cumulative tariffs of 54% on China. Prior to the additional tariff rollout on April 2, the president said he could reduce duties on the country to help facilitate a deal for ByteDance to sell its U.S. operations of TikTok.

“Maybe I’ll give them a little reduction in tariffs or something to get it done,” Trump said during a press conference in March. “TikTok is big, but every point in tariffs is worth more than TikTok.”

WATCH: TikTok deal reportedly halted after China said it would reject it due to tariffs

TikTok deal reportedly halted after China said it would reject it due to tariffs

Continue Reading

Technology

For bitcoin bulls who self-custody crypto, the global risks are growing

Published

13 hours ago

on

April 6, 2025

By

For bitcoin bulls who self-custody crypto, the global risks are growing

Whether to buy cryptocurrency as a long-term holding may be the biggest decision an investor interested in digital assets has to make, but where to store crypto like bitcoin can become the most consequential.

Following the wildfires earlier this year in California, social media posts began to appear with claims of bitcoin losses, with some users showing metal plates intended to protect seed phrases burnt up and illegible or describing the complexity of recovering crypto keys stored in a safety deposit box in a bank impacted by the fires. While impossible to verify individual claims about fires consuming hard drives, laptops and other storage devices containing so-called hard and cold storage crypto wallets and seed phrases, what is certain is that bitcoin self-custody presents a unique set of security issues. And those risks are growing.

Holders of crypto typically use some form of what can be called a “wallet,” and there are a few main features – whether that wallet is connected to the internet, and how much control is directly embedded in the wallet for trades and transfers. There is also the underlying issue of whether a crypto investor uses a third party for custody at all, or maintains total custody and trading control over their holdings.

The standard third-party platform “hot wallet” – think of an offering from a Coinbase or Blockchain.com – is constantly connected to the internet. Cold storage and “cold wallets,” on the other hand, include hardware devices (like a USB stick) that holds private keys offline, or even just a seed phrase (a master recovery code, a collection of 12 to 24 words used to recover access to a crypto wallet) on paper/metal. Hardware wallets or offline backups of seed phrases can be used to access crypto when connected to the internet through another device.

With third-party custodial options, there are steps to help owners remain vigilant against the threat posed by cybercriminals who can gain access to an internet-connected platform, including the use of two-factor authentication, and strong passwords. The U.S. Marshals Service within the Department of Justice, which is responsible for asset forfeiture from U.S. law enforcement, uses Coinbase Prime to provide custody for its seized digital assets.

Many crypto bulls prefer to self-custody digital assets like bitcoin for some of the same reasons they are interested in cryptocurrencies to begin with: lack of faith in some forms of institutional control. Custodial wallets from crypto brokers trade convenience for the risk of exchange hacks, shutdowns, or fraud, as in the case of the high-profile implosion of FTX. And the wildfires are just one example in a recent string of global events that raise more questions about shifts in the crypto custody debate. There is the ongoing conflict in the Middle East and Russia-Ukraine war, which has led crypto bulls from overseas to re-think their approach to self-custody.

Nick Neuman, co-founder and CEO of self-custody company Casa, said physical risks in the world like a natural disaster are an opportunity to revisit how bitcoin security works, and the common security lapses folded into most peoples’ practices. “Most people secure their bitcoin with one private key. If that key is on a single device or written down on paper as a seed phrase, it’s a single point of failure. If you lose that key, your bitcoin is gone,” he said.

It should be obvious that keeping seed phrases on paper offers the lowest level of protection against fire, yet it is common practice, Neuman said. Slipping these pieces of paper into fireproof bags or safes offer some protection, but not much, and even going the extra steps to have the seed phrases on “indestructible” metal storage plates presents a few failure points. For one, they might prove to be not so indestructible, and second, they may be impossible to locate amid the rubble. 

“Logically, given the location of the fires in California and the stories being shared on X, it’s highly likely bitcoin was lost,” said Neuman. “Some of them are pretty convincing,” he said.

Casa performs annual stress tests on seed phrase backups.

Some self-custody services, like Casa, offer multi-signature setups that reduce the risks of single-point failure. A multi-key crypto “vault” can include mobile phone keys, multiple hardware keys, and a recovery key that a company likes Casa holds on an owner’s behalf.

The multi-sig custody approach allows an owner to hold a majority of keys while a trusted partner holds a minority of keys. John Haar, managing director at Swan Bitcoin, says that in such a setup, the owner would need to lose all the physical devices and all copies of the seed phrases at the same time. As long as the owner can access at least one device or one seed phrase, they would be able to recover their bitcoin. This approach should significantly limit the potential for all of the devices to be lost in an event like a natural disaster, Haar said.

“You can spread these keys across multiple regions or even countries, and you need any three of the five keys to approve a bitcoin transaction,” Neuman said of Casa’s five-key approach.

Jordan Baltazor, chief administrative officer at Fortress Trust, a regulated crypto custodian, says best practices that we use in other areas of personal life should apply to cryptocurrency. For one, diversification of storage approach and weighing of risks. Digital assets are no different, he says, when it comes to backing up personal and sensitive data on the cloud to ensure data against loss or corruption.

Companies including Coinbase and Jack Dorsey’s Block offer products that try to merge some of these ideas, creating a more secure version of a crypto wallet that remains convenient to use. There is Coinbase Vault, which includes enhanced security steps before a user can access crypto holdings for trading. And there is Coinbase Wallet and Block’s Bitkey, which have mobile apps that work like a traditional wallet making moving bitcoin around easy, but with the ability to pair with hardware wallets and added security more commonly associated with cold storage.

Bitkey hardware requires multiple authorizations for transactions for added security, similar to “multi-sig wallets.” Bitkey also offers recovery tools so one of the biggest risks of self-custody — losing codes or phrases needed to recover a cold wallet — is less of an issue.

Solutions like Dorsey’s may help to solve the tension between convenience and security; at minimum, they underline that this tension exists and will likely be something of a roadblock to more widespread crypto adoption. Beyond the risks out there in the form of wildfires, all kinds of natural disasters, and wars, bitcoin self-custody can be vulnerable to the biggest personal risk of all: unexpected death of the bitcoin owner. There is arguably nothing more complicated than inheritance when it comes to unlocking the crypto chain of custody.

Coinbase requires probate court documents and specific will designations before releasing funds from custody, while physical wallets offer little to no support, potentially leaving all that digital value stuck on a private key. Bitkey rolled out its inheritance solution in February for what a Bitkey executive called, “kind of a multibillion-dollar problem waiting to happen.”

“People who have a material investment in bitcoin absolutely need to be thinking differently about how to protect it,” Neuman said. He says that after disasters like the California wildfires, or when exchanges go bust like FTX, the industry does see more crypto holders taking action to move to more secure storage setups. “I suppose it’s human nature to wait until ‘bad things happen’ to spur action to improve your own personal situation,” he said. “But I think people would be better off if they were more proactive. Otherwise, they risk having that ‘bad thing’ happen to them, and then it’s too late,” he said.

Continue Reading

Trending