Tesla says they only collect the minimum data needed to run your charger. But the Tesla app demands access to your microphone, camera, contacts, calendar, phone calls, and precise location — none of which are needed to charge a car. The app collects far more than the "minimum" Tesla claims. Tesla tells you the charger connects to Wi-Fi for updates and monitoring. What they don't mention is that it runs a web server on your home network that security researchers exploited to take full control of the device — no password needed. Another team hacked it through the charging cable in 18 minutes. Tesla never warned customers about these attack surfaces.
What they claim: Tesla privacy notice states they collect a minimum amount of personal data necessary for energy products and do not associate vehicle data with identity by default.
What we found: The Tesla companion app requests 40 permissions including ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, CAMERA, RECORD_AUDIO, READ_CONTACTS, READ_CALENDAR, WRITE_CALENDAR, CALL_PHONE, and UWB_RANGING. A wall charger has no functional need for microphone access, calendar read/write, contact list access, phone calling capability, or camera access. These permissions far exceed what is needed to monitor charging status.
What they claim: Tesla states they aim to collect a "minimum amount of personal data necessary" for energy products.
What we found: The Wall Connector transmits charging patterns, session timing, energy consumption, connection status, and firmware version to Tesla cloud endpoints (ownership.tesla.com, telemetry.tesla.com, hermes.tesla.com). Charging session data reveals when you are home, when you leave for work, your daily schedule, and energy consumption patterns. This constitutes detailed behavioral profiling that goes well beyond the "minimum" needed to charge a vehicle.
What they claim: The Tesla app requests READ_CONTACTS and CALL_PHONE permissions for a vehicle/charger management app.
What we found: The Tesla app requests READ_CONTACTS (access to full contact list) and CALL_PHONE (ability to initiate phone calls). Tesla's privacy notice mentions sharing data with "business partners" and "subsidiaries" but does not explain why a charger/vehicle app needs access to users' contact lists or the ability to make phone calls. The FTC found Amazon (a comparable tech company) violated COPPA by retaining user data beyond stated purposes — Tesla faces no equivalent regulatory constraint on contact data.
What they claim: The Tesla app is positioned as the control interface for the Wall Connector, providing "charging status, scheduling, and energy usage data."
What we found: The app requests AD_ID (advertising identifier), contains 3 trackers (Google CrashLytics, Google Firebase Analytics, Sentry), and requests WRITE_SETTINGS permission. For a charger control app, advertising tracking and the ability to modify system settings are not functionally necessary. The app also requests HIGH_SAMPLING_RATE_SENSORS which could enable detailed motion/activity profiling of the phone user.
What they claim: Tesla privacy notice does not disclose a specific data retention period for charger or energy product data.
What we found: The Tesla app contains Google Firebase Analytics and Sentry trackers that continuously collect usage analytics. Combined with the 40 permissions including persistent background capabilities (RECEIVE_BOOT_COMPLETED, WAKE_LOCK, REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, FOREGROUND_SERVICE_CONNECTED_DEVICE), the app can maintain continuous data collection. Without a stated retention period, this data could be kept indefinitely.
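The permission findings above (L3, L7, L9, L11) can be reproduced mechanically against any APK manifest. The following is an added example, not code from the page or from Tesla: it parses a constructed AndroidManifest.xml excerpt (using only permission names the page lists) and sorts each permission into "expected for charger monitoring", "sensitive and unrelated to charging", or "unclassified". The expected-permission baseline is an assumption, not something the page states.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest excerpt for illustration (not a dump of the real app).
# The permission names are the ones the page reports the app requesting.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.charger.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
</manifest>"""

# Assumed baseline: what a charging status/scheduling app plausibly needs.
EXPECTED = {"INTERNET", "ACCESS_NETWORK_STATE", "BLUETOOTH_CONNECT",
            "BLUETOOTH_SCAN", "POST_NOTIFICATIONS", "FOREGROUND_SERVICE"}

# Permissions that expose user data or device control unrelated to charging,
# mapped to the capability a reviewer would want explained.
SENSITIVE = {
    "ACCESS_FINE_LOCATION": "precise location", "ACCESS_COARSE_LOCATION": "location",
    "CAMERA": "camera", "RECORD_AUDIO": "microphone", "READ_CONTACTS": "contacts",
    "READ_CALENDAR": "calendar read", "WRITE_CALENDAR": "calendar write",
    "CALL_PHONE": "place phone calls", "WRITE_SETTINGS": "modify system settings",
    "AD_ID": "advertising identifier", "HIGH_SAMPLING_RATE_SENSORS": "motion sensors",
}

def audit_permissions(manifest_xml: str) -> dict:
    """Classify every <uses-permission> in the manifest by its short name."""
    root = ET.fromstring(manifest_xml)
    report = {"expected": [], "sensitive": {}, "unclassified": []}
    for elem in root.iter("uses-permission"):
        full = elem.get(f"{{{ANDROID_NS}}}name") or ""
        short = full.rsplit(".", 1)[-1]          # strip the package prefix
        if short in SENSITIVE:
            report["sensitive"][short] = SENSITIVE[short]
        elif short in EXPECTED:
            report["expected"].append(short)
        else:
            report["unclassified"].append(short)
    report["total"] = len(list(root.iter("uses-permission")))
    return report
```

Run against a real manifest (extracted with apktool or aapt2) the same function gives a reviewer the list of capabilities that need a stated purpose.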
What they claim: Tesla marketing materials describe the Wall Connector as supporting Wi-Fi for "remote monitoring and automatic firmware updates" with "integrated safety features." No mention of data collection scope or local network exposure.
What we found: Firmware analysis reveals the Wall Connector exposes an HTTP API on TCP ports 80 and 34578 on the local network. CVE-2025-8320 (critical) allows remote code execution via this HTTP service without authentication. The charger can also be firmware-downgraded via the charging cable using an undocumented SWCAN protocol (CVE-2025-8321). Neither the exposed HTTP API nor the SWCAN firmware update channel is mentioned in marketing or user documentation.
What they claim: Tesla privacy notice states data is shared with service providers, affiliates, and law enforcement "if believed in good faith required by law."
What we found: Mozilla Foundation rated Tesla "Privacy Not Included" with a "Very Creepy" user rating. Mozilla found that disabling data collection "risks serious vehicle damage or inoperability." A whistleblower leaked 100+ GB of confidential files including customer data to German media. Tesla refused to answer Mozilla's privacy questionnaire. The vague "good faith" language for law enforcement sharing provides no meaningful limitation on data disclosure.
What they claim: The Wall Connector is sold as a home charging appliance with "integrated safety features."
What we found: CVE-2025-8320 (critical RCE, no auth, network-adjacent) and CVE-2025-8321 (firmware downgrade via physical access) demonstrate the charger is a significant cybersecurity risk. Synacktiv showed a compromised charger enables lateral movement into the home network AND direct vehicle access via CAN bus. The FCC filing (2AEIM-1023049) shows the device has been approved since 2016, but these fundamental security flaws were only discovered and fixed in firmware 24.44.3 — meaning years of devices were vulnerable.
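Because the HTTP API on ports 80 and 34578 accepts requests without authentication (CVE-2025-8320), a home-network defender wants to know which hosts are actually reaching it, both before the 24.44.3 fix lands and afterwards as a segmentation check. The following is an added example, not code from the page or from Synacktiv or Tesla: it runs over constructed firewall log lines (the key=value layout, IP addresses and timestamps are all assumed) and reports any host other than a trusted management device that connected to the charger's API ports.

```python
import re
from collections import defaultdict

# TCP ports the page reports the Wall Connector's HTTP API listening on.
CHARGER_HTTP_PORTS = {80, 34578}

# Constructed firewall log lines (not real captures). 192.168.1.20 plays the
# charger, 192.168.1.10 the trusted phone/admin host, 192.168.1.77 an IoT
# device that should never talk to the charger at all.
LOG = """\
2025-01-10T07:02:11Z src=192.168.1.10 dst=192.168.1.20 proto=tcp dport=80 action=ACCEPT
2025-01-10T07:02:12Z src=192.168.1.10 dst=192.168.1.20 proto=tcp dport=34578 action=ACCEPT
2025-01-10T07:05:40Z src=192.168.1.77 dst=192.168.1.20 proto=tcp dport=34578 action=ACCEPT
2025-01-10T07:05:41Z src=192.168.1.77 dst=192.168.1.20 proto=tcp dport=80 action=ACCEPT
2025-01-10T07:06:00Z src=192.168.1.77 dst=192.168.1.20 proto=tcp dport=443 action=DROP
2025-01-10T07:09:13Z src=192.168.1.20 dst=10.0.0.5 proto=tcp dport=443 action=ACCEPT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

def parse_log(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec

def find_unexpected_api_access(text: str, charger_ip: str, trusted: set) -> dict:
    """Map each untrusted source IP to the sorted list of charger API ports it
    actually reached (only ACCEPTed TCP connections count)."""
    hits = defaultdict(set)
    for rec in parse_log(text):
        if rec["dst"] != charger_ip or rec["action"] != "ACCEPT":
            continue
        if rec["proto"] == "tcp" and rec["dport"] in CHARGER_HTTP_PORTS \
                and rec["src"] not in trusted:
            hits[rec["src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in hits.items()}

def charger_outbound_destinations(text: str, charger_ip: str) -> set:
    """Inventory where the charger itself connects, to compare against the
    cloud endpoints the page lists once the IPs are resolved."""
    return {rec["dst"] for rec in parse_log(text)
            if rec["src"] == charger_ip and rec["action"] == "ACCEPT"}
```

Any entry in the first result is a host that should be blocked from the charger's VLAN or investigated; an empty result after segmentation confirms the rule set is doing its job.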
What they claim: Tesla privacy notice states: "To protect your privacy from the moment you take delivery, Tesla does not associate the vehicle data generated by your driving with your identity or account by default."
What we found: A Reuters investigation (April 2023) revealed Tesla employees privately shared sensitive customer vehicle camera recordings from 2019-2022. A computer program showed recording locations, potentially revealing where owners lived. The FTC found 30,000+ employees had access to customer data. Tesla's claim that data is not associated with identity is contradicted by employees being able to identify owners from location data. This same infrastructure manages Wall Connector data.
What they claim: The Wall Connector PCB has unpopulated pads for a Qualcomm PLC chipset intended for Vehicle-to-Grid (V2G) communication.
What we found: The unpopulated V2G hardware combined with the app's WRITE_SETTINGS permission and Tesla's ability to remotely update firmware suggests Tesla could enable V2G functionality — allowing the charger to draw power from the vehicle battery and feed it back to the grid — via a future software update without explicit hardware changes. The app already has the permission infrastructure to modify device settings.