A $30 BYD From a Polish Junkyard Still Had Every GPS Location It Ever Visited — Unencrypted
A security researcher bought a wrecked car’s brain from a Polish salvage yard. It told him everywhere the car had ever been — from the factory in China to the crash in the UK. None of it was locked.
4 out of 5 used cars still contain the previous owner’s personal data. Factory resets don’t fully wipe it. And the root password was stored as a basic hash anyone could crack.
Romain Marchand at Quarkslab (a Paris-based security firm) bought a telematic control unit — basically the car’s internet-connected brain — from a BYD Seal that got wrecked. He pulled the chip out, read the filesystem, and found… everything. GPS logs. System configs. Guest passwords. The root password sitting there as a SHA-256 hash. Zero encryption on any of it.

🧩 Dumb Mode Dictionary
| Term | What It Actually Means |
|---|---|
| TCU (Telematic Control Unit) | The little computer inside your car that handles GPS, internet connection, and phone calls. Think of it as your car’s phone. |
| NAND storage | A type of memory chip that keeps data even when power is off — same stuff in your phone and USB drives. |
| GNSS logs | Fancy name for GPS location records. Every place your car has been, saved to a file. |
| SHA-256 hash | A way to scramble a password so it doesn’t sit there in plain English. Problem: if the password is weak, it takes seconds to un-scramble. |
| Factory reset | That thing you do before selling your phone. Except on cars, it doesn’t actually delete everything. |
| Filesystem | The organized folder structure on any computer or device where all files live. |
🔍 What He Actually Found Inside the Chip
Honestly, the scariest part isn’t that data existed — it’s HOW MUCH data existed.
- Full GPS trail: Every location the car visited from the BYD factory in Shenzhen, China → operational life in the United Kingdom → final crash in Poland
- Root password: Stored as a SHA-256 hash — anyone with Hashcat and a decent GPU could crack a weak one in minutes
- Guest credentials: Just sitting there in config files. In plaintext.
- Event logs: Every “significant vehicle incident” recorded and timestamped
- System configs: Detailed settings revealing the car’s entire software stack
Marchand even matched a cluster of GPS coordinates to a Facebook post showing the exact car flipped on its roof. The car’s data told the story of its own death.
📊 The Receipts
| Stat | Number |
|---|---|
| Used cars still holding previous owner’s data | 80% (4 out of 5) |
| Factory resets needed to mostly wipe personal data | At least 2 |
| Data fully erasable with current car designs? | No — traces always remain |
| Encryption on the BYD Seal’s stored data | Zero |
| Countries now investigating car data collection | Australia, EU members, Poland |
🚗 It's Not Just BYD
Okay but seriously — before anyone goes “well that’s a Chinese car, what do you expect” — Marchand specifically said the hardware architecture in BYD’s TCU is broadly similar to what you’d find in other brands. This isn’t a BYD problem. This is an every-car-built-after-2015 problem.
- Poland banned Chinese vehicles from military facilities in February 2026 over data collection fears
- Australia’s privacy commissioner launched a landmark investigation into several major car brands for collecting everything from location data to in-cabin biometrics (cameras watching you inside the car)
- GDPR technically requires anonymization before manufacturers transmit data, but the data sitting on the car’s local chip? Nobody’s regulating that.
The Australian Signals Directorate literally told people to “carefully review privacy and data collection policies before buying a connected vehicle.” Which is like telling someone to read 400 pages of legalese before they test drive a Corolla.
💬 What the Security Community Is Saying
Marchand called the TCU “more than a device — it was a data archive.” And honestly, that undersells it. It’s a black box that remembers everything and forgets nothing, even after the car is dead and sold for scrap.
The Office of the Australian Information Commissioner put it this way: “The collection of location data enables the creation of a detailed picture of a vehicle’s movements, which can result in serious threats to an individual’s privacy and safety.”
Translation: someone can buy your junked car’s brain for $30 online and know where you lived, worked, parked at 2am, and how fast you were going when you crashed.
🛠️ Why Factory Resets Don't Actually Work
Here’s the ugly truth about trying to wipe your car:
- One factory reset = removes some surface-level data from the infotainment screen
- Two factory resets = clears most personal data from the infotainment system (most, not all)
- The TCU chip itself = basically impossible to wipe without physically destroying it
The issue is architectural. Cars use NAND flash memory (same as your phone), and when you “delete” something on NAND, the data doesn’t actually disappear — the system just marks that space as available for future use. Until something new overwrites it, the old data sits there, recoverable by anyone with a $20 chip reader and some patience.
Marchand’s verdict: “A complete memory wipe is not feasible with current architectures.”
So basically, the car industry shipped millions of rolling surveillance devices with no self-destruct button. Cool.
Cool. Your Dead Car Is Snitching From the Junkyard. Now What the Hell Do We Do? (⊙_⊙)

🕳️ The Junkyard Intelligence Broker
Salvage yards sell TCUs and infotainment units online for $20-$80. Most contain full GPS history, WiFi passwords, paired phone contacts, and sometimes even saved home addresses. Buying a few, extracting the data, and building anonymized datasets of traffic patterns, popular locations, and movement corridors creates a product that urban planners, real estate investors, and delivery route optimizers would pay for.
Example: A 24-year-old data analyst in Kraków, Poland buys 50 TCUs from local salvage yards at ~$30 each ($1,500 total). Extracts GPS corridor data, anonymizes it, and sells “real-world traffic pattern datasets” to a logistics startup optimizing last-mile delivery routes. Charges €500 per city dataset.
Timeline: First dataset ready in 2 weeks. First sale within 30 days. Scalable until car manufacturers start encrypting storage — which, at their current pace, gives you about 3-4 years.
🔧 The Pre-Sale Wipe Service
Dealerships don’t wipe cars properly. Private sellers definitely don’t. There is currently NO widely-known consumer service that physically extracts and destroys the data on a car’s TCU and infotainment NAND chips before resale. The person who builds a mobile “car data destruction” service — showing up with a chip reader, proving what data exists, then physically overwriting or destroying the chips — has a market of every privacy-conscious car seller and every dealership that doesn’t want a lawsuit.
Example: A 28-year-old mobile mechanic in Melbourne, Australia sees the OAIC investigation making headlines. Sets up “CarWipe” as a mobile service, charges AUD $150 per vehicle. Partners with three used car dealerships who add it as a line item. Does 8 cars/day on weekends.
Timeline: First paying customer within 1 week of local Facebook ads. Dealership partnerships within 45 days. Burns out or franchises within 6 months — either way, profitable from week 2.
📡 The Stalker-Proof Audit Tool
Domestic violence orgs, journalists, and anyone fleeing a bad situation need to know: does my car still broadcast my location? Does my ex’s old Bluetooth pairing still connect? Are there active tracking subscriptions I don’t know about? Build a simple open-source tool (or even a checklist app) that walks someone through every data touchpoint in their specific car model — paired devices, active subscriptions, saved locations, connected accounts. Monetize through donations, sponsorships from privacy orgs, or a paid “deep scan” tier.
Example: A 22-year-old CS student in São Paulo, Brazil builds a GitHub tool that reads OBD-II port data and flags active connections, paired devices, and stored WiFi networks. A domestic violence nonprofit in Brazil shares it. 4,000 GitHub stars in a month. Gets hired by a car security startup.
Timeline: MVP (basic version) built in 1 weekend using existing OBD-II libraries. First real users within 2 weeks via Reddit r/privacy. Career-changing opportunity within 60 days.
🎰 The Repo & Rental Fleet Data Play
Rental car companies and repo lots cycle through hundreds of vehicles per month. Every single one contains the previous driver’s data — home address, work address, favorite stops, phone contacts synced via Bluetooth. These companies face MASSIVE liability if that data leaks. The play: approach fleet managers with a compliance audit showing exactly what data their vehicles are leaking, then sell them a quarterly wipe-and-certify contract. They’ll pay because the alternative is a class-action lawsuit.
Example: A 30-year-old IT consultant in Dubai approaches a rental car company managing 2,000 vehicles. Demonstrates that 15 cars in their lot still have previous renters’ home addresses saved. Signs a AED 200,000/year ($54K) contract to audit and wipe quarterly.
Timeline: First demo meeting within 2 weeks (just bring one of their own cars’ data as proof). Contract signed within 45 days. Recurring revenue from day one. Scales to every rental company in the region.
🪟 The Insurance Fraud Detector
Car GNSS logs record speed, location, and timestamps with precision. Insurance companies currently pay investigators to verify accident claims manually. A service that purchases wrecked car TCUs from salvage yards and cross-references the GPS/speed data against insurance claims could flag fraudulent reports — wrong location, impossible speeds, timeline mismatches. Insurance companies would pay per verified report because each fraud claim they catch saves them $10K-$50K.
Example: A 26-year-old forensics grad in Warsaw, Poland partners with a local salvage yard. Buys TCUs from 20 crashed cars, extracts GNSS data, and approaches a regional insurer with 3 cases where the claimed accident location doesn’t match the GPS data. Gets a pilot contract at PLN 2,000 (~$500) per verified report.
Timeline: First batch of data extracted in 1 week. First insurer meeting in 3 weeks. Pilot contract within 60 days. This one has legs — insurance fraud investigation is a billion-dollar industry and nobody’s using junkyard data yet.
🛠️ Follow-Up Actions
| Step | Action |
|---|---|
| 1 | Read the full Quarkslab teardown blog post — it walks through the hardware extraction step by step |
| 2 | Check your own car: go to Settings → Privacy → Connected Services and disable everything you don’t actively use |
| 3 | Before selling any car: do TWO factory resets (not one), unpair all Bluetooth devices, delete all saved locations, and sign out of every connected account |
| 4 | Look into OBD-II diagnostic tools — cheap USB readers ($15) can show you what your car is broadcasting |
| 5 | If you’re buying a used car: assume the previous owner’s data is on it. Check paired devices and saved addresses before connecting your own phone |
Quick Hits
| Want to… | Do this |
|---|---|
| Plug in a $15 OBD-II reader and check paired devices, saved WiFi, stored locations | |
| Two factory resets + unpair all Bluetooth + delete saved addresses + sign out of connected apps | |
| Read Quarkslab’s full blog post with photos and methodology | |
| Follow the Australian OAIC investigation — they’re naming brands soon | |
| Check the EFF’s connected car guide for what manufacturers can and can’t do with your data |
Your car remembers every place you’ve ever been. The junkyard doesn’t care who asks.
!