Smashing Security podcast #318: Tesla workers spy on drivers, and Operation Fox Hunt scams

If my bare buttocks are protruding high up in the air because I'm up to some shenanigans in the back of a Tesla, I don't want some oily horrible Tesla bloke—

But let's say that image gets uploaded to some kid who's working at Tesla. Imagine—

The trauma it would cause them. I'm worried if I got—

The image of your, you know, moon bouncing up and down the backseat of a Tesla, having no idea it was you.

You'd know it was me. You'd know it was me. Smashing Security, episode 318. Tesla workers spy on drivers and Operation Fox Hunt scams with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 318. My name's Graham Cluley.

And I'm Carole Theriault.

And Carole, it's a bit lonely, isn't it, here in the studio today because, well, there's no one else here.

I'm not enough.

Well, just no guests this week. I mean, we did warn people in April we might not have as many guests. You're off on a top secret mission somewhere.

Yes, called R&R. Cannot wait.

Cannot wait. We're recording this episode a little bit earlier than usual, but lots of good stuff to come today.

Yes, as you will see. But before we kick off, let's thank this week's sponsors, Bitwarden, Collide and Drata as their support helps us give you this show for free. Now, coming up in today's show, Graham, what do you got?

I'm going on a fox hunt.

And I'm gonna discuss is it okay for employees to share certain types of information. All this and much more coming up on this episode of Smashing Security.

Now chum, fox hunting—have you ever been on a fox hunt?

I live in England, yes. I have actually seen fox hunts on a number of different occasions, not because I have chosen to go and watch these things, but because I have rented a house in the countryside and suddenly all these guys come tripping up on horses with lots of dogs. Exactly, yeah. It's not cool, it's not nice, is it? It's not very cool. I don't think I'd call them that.

Okay, well I would. And they're engaging in an entirely fair fight between on one side 20 hounds and on the other a wild fox scared out of its wits that's going to be ripped to shreds. And yeah, anyway, they're on horses and it's unpleasant.

They often have guns, right? Just in case. Machine guns? What sort of guns do they have?

They don't have guns, do they?

Well, they used to. I don't know if they are allowed anymore, actually.

I wouldn't think that they... Maybe one person has a mallet in case the fox isn't completely killed by the... Anyway. I'm looking it up. They're not supposed to chase foxes anymore. It's supposed to be all done with scents and smells. Yeah, it's illegal to hunt foxes with packs of dogs. At the moment, but who knows when the government might change this because it's the sort of thing that they care a great deal about. Anyway, that's what we picture here in England. But to Chinese people, a fox hunt can mean something quite different.

Okay.

Since 2014, Chinese authorities have been running what they describe as an anti-corruption operation around the world, and they have named it Operation Fox Hunt.

Okay, with billions or millions, they may want to try and get them to face the justice. Yeah, that makes sense to me.

Well, there is a little bit of controversy associated with Operation Fox Hunt.

No.

Yeah. Okay. So a couple of years ago, FBI Director Chris Wray, for instance, he was describing Operation Fox Hunt and he said, it isn't actually about fighting corruption at all. He said instead, what it is, is Beijing targeting Chinese nationals who are viewed as threats. And of course, Chinese nationals who live outside China. So it's political rivals, dissidents, critics of China's human rights record are being targeted, according to Wray. And they're trying to force those people under the pretext of they've committed some kind of financial crime to come back to China and who knows what might happen to them.

I just would assume that if you say there was someone who lived in Canada, that the Chinese government was saying, hey, they've done all this awful stuff, the Canadian government go prove it, show us, you know, and discuss extradition based on what is shared. Not so much, you know, I don't know, if they have no information, just say, give us this guy. I don't know why anyone would play.

Well, often this is occurring with the help of foreign governments and international law enforcement like Interpol, where the Chinese will come to them and say, look, we need this person. They've committed this crime. We need you to issue an arrest warrant and bring them back. That's one way in which it can occur. But of course, is that information delivered by the Chinese authorities? Is that legitimate or not is one of the questions? Or is it being made up in order to bring people of interest back to Chinese soil. According to FBI Director Wray, when the Chinese aren't able to locate some individuals, they can actually go round to their family's homes in the United States and give them a message to pass on. So this is one of the messages which Chris Wray said the Chinese were passing on, which is that, oh, your dad, yeah, your dad, he's got two options. He can either return to China right now or he can commit suicide.

What?

Yeah. So they're able to, like this is a face-to-face interaction.

Yeah. Face-to-face. They show up on your door or on your family's door and begin to threaten you, surveil you, stalk you. And people are saying that they've been coerced into leaving the United States and other countries around the world and go back to China, and there's a great deal of pressure being put on people to do this. I'm trying to come up with something funny to say here.

Yeah, it's pretty serious. So it sounds a bit like a visit from the heavies or the mob or some sort of organised crime syndicate, doesn't it, rather than the police?

And also that your loved ones are being threatened, victimised, incarcerated. Hundreds, if not thousands of people are said to have been repatriated back to China as part of Operation Foxhunt. Like I said, often with the help of foreign governments. Now, what's happened now is the FBI has issued a warning. So this has been known about for some years, and people like Obama and others have said this is outrageous what's going on. You know, there are some people maybe are being brought back legitimately who may have committed some sort of corruption, but maybe there's not sufficient evidence or maybe they're sort of stretching things too far. Holy shit, right? The risk is that you have to go back or they tell the Chinese authorities where you are and what you're doing.

Maybe they could do that, but maybe you're not on the list anyway of people who are actually of interest.

So they're just targeting anybody who is US-based Chinese community.

They certainly could, couldn't they? Because people might think, well, I haven't done anything wrong, but they read so many stories about others. These criminals who are posing as members of the Chinese authorities are often phoning up their victims using spoofed numbers to appear as though they come from the Chinese ministry or a US-based Chinese consulate as well. They're showing their victims fraudulent documents as proof of the accusations. Thanks, ChatGPT. Realistic-looking arrest warrants. Thank you very much Photoshop and intricate details about the legal schemes and of course they will show basic knowledge of their victims to appear more legitimate. Oh yeah, say oh yeah we know about uncle Frank, whatever they've managed to pick up from social media as well. Oh my God, so people are obviously petrified right? Yeah because whoa, if I resist what's going to happen to me. I don't want to go back to China because it's a fairly serious charge.

This is a little different from being on the Ashley Madison leak list.

Right. So one of the thoughts I actually had is who are the people who are actually committing this crime? Who are the people who are going around contacting a member of the Chinese community, pretending to be investigators for China, rounding up criminals? And I thought, well, surely one group of people who have to be considered as possible suspects could be the actual Chinese agents. Because the actual Chinese agents would have a list of these are the people we want to bring back to China. They could show up on the door because they presumably have got the means to find out where these people live in some cases and say to them, well, look, pay up. Otherwise, we really will be taking you back to Beijing.

So they're just making a little extra. They're just padding their... Well, maybe. Pretty risky, considering the Chinese government may not look very kindly on that should they get caught out.

Well, exactly, because you are actually defrauding then Beijing, aren't you? Because you're getting paid to bring people in and then you're trying to skim the money. It's a dangerous game to play.

You're skimming the money and not dobbing them in, right? Right. Presumably because you'd want to hit them up again saying this is an annual donation you're making.

Right. Yeah, this is your protection. It's a little bit like being a crooked cop who might know who the local drug dealers are and saying, "Well, you know, I'm not going to bring you down to the station, but can you give me some of your proceeds?" This is so outrageous. Pretty terrifying stuff. So the FBI has some advice. You'll be pleased to hear. So if you believe that you've been contacted by individuals claiming to be a Chinese authority, they say contact your local FBI field office instead. Don't just trust them, obviously. Whether they're a criminal or whether they are legitimate Chinese investigators, speak to the FBI because foreign government officials who are conducting legitimate investigations in the United States have to act in coordination with the US federal authorities. So call the FBI. What I'd suggest you don't do is don't call your local Chinese consulate, because just in case you are in the list, and they say, "Oh, thank you for this report. Where exactly are you calling from today?" Because you might find yourself on the next slow boat to China.

Yeah, I think that advice is great if you're legal, right? And if everything's tickety-boo with your residency in country of choice. Yeah, this is a real pickle, man.

Now, Carole, you are originally a Canadian. Still am, through and through. And now you're a British citizen as well, aren't you? You went through the whole process. Do you ever worry that a member of the mounted police force may show up on his moose? One can only hope.

I did meet a mounted police once. I think you were there and I swooned. I just, yeah, it was ridiculous.

Carole, what have you got for us this week?

Well, we are talking Tesla. On April 6th, Reuters issued a special report about Tesla, right? This is the company famously co-founded by that idiot savant, Elon Musk. And the story, thankfully, does not revolve around Elon, but more about his staff, who, according to plaintiffs, severely jeopardized the privacy of their customers, Tesla car owners. And this has all to do with Tesla cars and their cameras. So I first decided to go check out, I don't own a Tesla, right? So I went to the Tesla website to just see how many cameras there are on the car. And there's quite a few.

Hang on, these are cameras on the inside of the car, are they? And on the outside. Yeah. Okay. So you've got cameras on the outside of the car. There's one mounted above the rear license plate. There's a camera mounted in each door pillar. And there's a camera mounted on each front fender. Lot of cameras on the outside of the car. And there's three cameras mounted on the windshield above the rear view mirror. Because Teslas, I mean the eventual aim and maybe some Teslas already do this, they drive themselves or that's what they're working on. So I suppose there's something to say, you know, occasionally maybe pay some attention to what's going on, stop reading a book, stop playing Scrabble.

Right, and I mean the whole point is to grab the images around that perhaps maybe it can't understand, right? So maybe the car has no idea what that is in front of it and so it sends it back to base to get some information, right?

Yeah, yeah, yeah, makes sense. You know, it's a learning model.

So here's a statement I've just put in the show notes. Maybe you can read it for us? This is a statement from Tesla explaining how these images and videos that they collect work.

Okay, so it says, "By default, images and video from the camera do not leave the vehicle itself and are not transmitted to anyone, including Tesla, unless you enable data sharing. If you enable data sharing and a safety critical event occurs, such as a collision." I love that, "safety critical event." Crash, bang, boom. "The Model 3 shares short cabin camera video clips with Tesla to help us develop future safety enhancements and continuously improve the intelligence of features that rely on the cabin camera." Sounds pretty legit, right? So these cameras are there for our protection, if we're a Tesla driver, to improve services, diagnostics, right? And I checked out its privacy notice and it opens its privacy notice with "Your privacy is and will always be enormously important to us."

Okay. So we got a lot of, you know, "Privacy is really important to you and us" messaging here, you know, to assuage people's fears that they might be being watched.

Yeah. And you have to enable data sharing. So you have to opt into this from the sound of things.

Yes. But I think in this situation, I would be more compelled to opt into this kind of data sharing because it's a freaking car and I could die if it didn't understand something. So, you know, and we all know it's crowdsourced in that way. So I don't know. So, and yet, Graham, and yet, and yet, and yet. Between 2019 and 2022, according to interviews by Reuters with nine former employees, groups of Tesla employees used internal messaging systems to share videos and images recorded by customer car cameras.

This is the Roomba thing all over again. Do you remember when the vacuum cleaners?

Maybe that's what set it off. Maybe Tesla were like, oh, we could do that too.

They took videos of people on the loo and stuff like that. And there were Roomba employees who were having a good old laugh about them. So Tesla workers are doing this as well. Great. Well, not all Tesla workers, right? And presumably they're not sitting on the loo inside the Tesla either. I mean, God, I hope not. That would cause an accident. Two former employees said that in their normal work duties, they were sometimes asked to view images of customers in and around their homes, including inside their garages. So, hang on. It sounds like they are collecting video footage and pictures even when the vehicle isn't moving. So if it's in a, for instance, in a garage, it's not moving. If I were in a lay-by with my partner, and, you know, I mean, this wouldn't happen to me, obviously, because I'm of a certain age. But if I were a young man and I thought, oh, maybe we could just have a little chat, a little fumble around on the back seat, could that potentially be uploaded?

Oh, no. Especially if your car is plugged in, right? And getting battery charging, like as you get your batteries recharged in the backseat.

I'd be lucky to be plugged in.

With the less sensationalist stuff, some of these employees at Tesla would create memes and post them to the internal messaging system in order to get kudos from other employees. Some said basically those that were considered funny and, you know, getting high fives around the coffee machine afterwards saying, oh, that was a really funny one, tended to get promoted. Because they got popular. They were funny. They, you know, they were liked. You know, they're a bunch of 20 and 30 year olds, right? A lot of them have to basically look at images all day and explain in a database this is what it is to teach the algorithm. You know, there's still some manual processes through that. So I can imagine it could be a mundane task. And we do

know that the boss of Tesla, Elon Musk, he loves a meme, doesn't he? He loves posting up juvenile.

I'm not convinced that he wouldn't have a chuckle at these things. Right. Of course. But then there was one clip of someone being dragged into a car seemingly against their will. An ex-employee told Reuters. One ex-employee described a video of a man approaching the vehicle completely in the nude. And there's crash and road rage incidents. So one crash video in 2021 showed a Tesla driving at high speed in a residential area, hitting a child riding a bike, according to an employee. The child flew in one direction, the bike in the other. The video spread around the Tesla office in San Mateo, California via private one-to-one chats. Like wildfire, the employee told Reuters.

It sounds like sharing a snuff movie or something like that. How unpleasant. Who'd want to see a

crash? Yeah, no, no, it's crazy stuff. And about three years ago, some employees stumbled upon and shared a video of a unique submersible vehicle parked inside a garage. And this is according to two ex-employees who viewed it. Nicknamed Wet Nelly, the White Lotus Esprit sub had been featured in the 1977 James Bond film, The Spy Who Loved Me.

Who owned this car? I'm going to think it would have to be someone with a lot of disposable income. About $968,000. Who also owns a Tesla. I wonder who would be very rich to buy such a piece of movie memorabilia. Who could that be?

Tesla chief executive Elon Musk bought it at auction in 2013. It's not clear that Musk was aware of the video that had been shared. So maybe even he is not safe from his employees. So, okay, so how do you feel about this? I know there's something distasteful here, right? But I'm going to argue for the other side for our listeners' interest's sake, right? These are employees who work at hip and cool Tesla office where memes are cool. Most of them are 20 to 30 years old doing mundane work like labeling images to improve the car's understanding of what is around them. And you land upon something unusual, like maybe it's scary, hilarious, salacious, and you share it, you kind of nudge your employee next to you, hey, check this out, check this out. It's not like the information went outside the company, right?

If my bare buttocks are protruding high up in the air because I'm up to some shenanigans in the back of a Tesla, I don't want some oily, horrible Tesla bloke.

Sure, I completely understand that. But let's say because you had the data sharing that you did or there was a fault or whatever, that image gets uploaded to some kid who's working a Tesla.

Imagine the trauma it would cause them. I'm worried about them, not me.

If I got the image of your, you know, moon bouncing up and down the backseat of a Tesla, okay, having no idea it was you.

You'd know it was me. You'd know it was me.

Would I nudge someone next door and go check this out? I probably would. And that's what these guys have done. And it's seriously bad. So it's very good that I don't work in a very serious job like this, right?

Very, very good. You'd be an awful

Employee. Well, yes. And also Tesla is now facing a lawsuit because of this. Of course. Of course it is. So last week, plaintiff Henry Yeh, a California resident who owns a Model Y, sued Tesla on behalf of himself and all the other people in the U.S. who owned and leased a Tesla any time in the past four years. He says, quote, "Tesla captures recordings of people vulnerable on their own property, in their own garages and even in their own homes, including at least one instance where Tesla cameras were captured of a video of a man naked in his home. Tesla has also captures and disseminated videos and images of customers' pets and even their children, a group that society has long recognised as vulnerable to exploitation and manipulation. Parents' interest in their child's privacy is one of the most fundamental liberty interests society recognises."

There's a bit of me which thinks bloody Americans suing everyone left, right and centre and trying to make a million bucks out of this company's stupidity. But then I think, well, no, why shouldn't he? Because what the bloody hell are Tesla doing, allowing their employees to do this and act in this inappropriate way?

But to your point earlier, if you spent gazillions on one of these new flashy flash flash cars and all over their website is privacy is important. Privacy number one is privacy privacy. And then you hear about this. Yeah. You'd be pissed. I'd want my money back. So I understand.

Yeah. Yeah. I wonder if Elon wants his money back from buying that James Bond submarine car.

He might want to sell it just to help prop Titter Up. Titter Up. Titter

Up? It's not that kind of show. No, definitely not. Any company can say they're trustworthy, but with this week's sponsor, Drata, you can prove it. With over 14 frameworks including SOC2, GDPR, HIPAA and ISO 27001, Drata gets you audit ready for crucial security standards needed to scale your business. Automated controls, over 75 integrations and 24-hour monitoring keeps your company in compliance without manual work. And with a new open API and plenty of customization, you can build your program your way. With over 365-star reviews, Drata is the highest-rated cloud compliance platform on G2. Countless security professionals from companies like Notion, Lemonade and Bamboo HR have shared how crucial it's been to have Drata as their trusted compliance partner. So, listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com slash drata. That's smashingsecurity.com slash D-R-A-T-A. Our sponsor Collide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance. How? If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple. Our friends at Bitwarden have been busy this month adding some fab new features to their open source password management solution. Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do. Logging in with a device is a passwordless approach to authentication. It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval. With login for device, it can be initiated on the web vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden. Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default. And of course, existing accounts can also update themselves to the same level. These and many other great security features are incorporated all the time into Bitwarden keeping your password secure from hackers. Learn more, try Bitwarden for yourself at bitwarden.com slash smashing. That's bitwarden.com slash smashing. And welcome back. Can you join us our favorite part of the show, the part of the show that we like to call pick of the week. Pick of the Week, Pick of the Week, Pick of the Week is the part of the show where everyone chooses to say it could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. It doesn't have to be security related necessarily. Better not be. Well, my Pick of the Week this week is not security related. It is musical. Musical? It's musical and videographer. It's visual as well. So that's the word I'm looking for. It's both musical and visual. It comes to you in the form of a YouTube channel. And this YouTube channel is called The Device Orchestra. Have you heard of Device Orchestra? There is a guy out there who plays music covers, but not using musical instruments. He uses electric toothbrushes, credit card machines, typewriters, all kinds of gizmos which go... He's given them googly eyes. Some have got wigs and pipe cleaner arms. I was just listening to Wannabe. Some of them are pretty good. So maybe we can check out a little bit. Here's that Deep Purple song, Smoke on the Water, as played on two electric toothbrushes and a steam iron. Oh, my God. It's so beautiful. It is beautiful. The creations remind me a little bit of some of your cartoons, actually, Carole. Oh, look at the iron. Yes.

Yes. I might have to leave my husband. Is this a man? Is he available? I don't even mind. I'm into women too.

Anyway, so there are scores of these videos covering different songs. Thom Langford, I hope you're listening. Check it out. This is right up his alley. There's lots of songs. Eye of the Tiger.

Total Eclipse of the Heart. Hello from Lionel Richie. Oh, now you're pulling out the big guns. I just want to pat you on the back for that one. That's an excellent one.

Are you saying that because you want me to be appreciative of whatever your pick of the week is? No, I don't need you at all for mine. No? So did you say brewery? I wasn't quite sure. How do you say, how do you say brew...

That would be... And I watched the first episode and I was, okay, I got it, right? Yeah, yeah, yeah. Cute, cute, me cute. But then there's extra reveals in store, right? The characters get complex and a little, not perfectly, you know what I mean? They're not cookie cutouts. They've got some dark patches as well, right? There is one character that has a big poo at the other's house when they're out, only to discover that the water has been turned off.

We've all been there. What do you do now?

Right. I'm actually going to use that. I'm going to use that my next sticky pickle, I think, literally. Now, Colin the Accountant has a similar flair to When Harry Met Sally, Catastrophe, right? Smart, smart comedic meet cute, right? And it's will they, won't they, a pull between the characters. I think you'd love it Graham, and I think it's...

It is on my radar because I have already seen the trailer and I read, I think it's on The Guardian website, they did a little review of it and they raved about it and said how wonderful it was. You read that as well, did you?

I saw it today because I was just checking to see, to make sure that I wasn't alone. Yeah, because I'm happy to be alone. I'm happy to present that and say everyone bitched about it, I loved it. Happy to do that. But I just wanted to know. But it seems as though it's a crowd pleaser.

It does, it does. So I definitely do want to check it out sometime. And it sounded quite amusing how the show starts.

Yeah, because I'd had a guest in the house for the last week. And last night was the first night where me and the hubs were on our own. And he'd sourced this show. And it was very cute to have a little kind of R&R time.

Oh, I thought you were going to say you got in the back of a Tesla.

We didn't exactly Netflix and chill, but, you know, put a smile on our face, the show.

Is that because it's on Amazon Prime rather than Netflix? There are no real accountants, okay? But I'll just say that the actor who plays Colin the accountant works like a dog to deliver a paw-fect performance. Quote The Guardian. Well, that sounds quite fun. Thank you for the recommendation, Carole. You're very welcome. And that just about wraps up the show for this week. You can follow us on Twitter at Smashing Security. No G, Twitter at last have a G. We also have an account on Mastodon. Look for Smashing Security up there. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts and Spotify.

And massive shout out to this episode's sponsors, Bitwarden, Collide and Drata and to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list and the entire back catalogue of more than 317 episodes, check out smashingsecurity.com.

Until next time, cheerio. Bye bye bye.

I'll see you on the other side of a holiday.

Yeah, have fun.

Bloody hope so. It's gonna be hot. It's gonna be hot. I gotta get my family summer clothing. Jesus. Gotta go, bye.