A Hacker Bought a Wrecked BYD for $200 — And Rebuilt Every Mile Its Owner Ever Drove

A French security researcher pulled one tiny module from a Polish junkyard car — and got the owner’s entire life map. Every commute. Every late-night drive. Every stop.

A single telematic control unit (basically a GPS brain box) from a wrecked BYD Seal contained unencrypted GPS logs recorded multiple times per second — tracking the car from the factory floor in China, through daily life in the UK, to its final crash in Poland.

The data was sitting there. On a chip. In a junkyard. No password. No encryption. Just… everything.


🧩 Dumb Mode Dictionary

| Term | What It Actually Means |
| --- | --- |
| TCU (Telematic Control Unit) | A little computer box inside your car that tracks where you go and talks to the internet |
| NAND storage | A memory chip — like a tiny invisible USB drive that never forgets |
| GNSS logs | GPS breadcrumbs — your car drops one every fraction of a second |
| OSINT | Finding stuff about people using publicly available info (Google, Facebook, etc.) |
| Qualcomm chipset | The brain inside the box — same company that makes phone processors |
| Micro-soldering | Attaching tiny wires directly to a chip to read what’s on it |

📖 The Backstory — How One Researcher Cracked a Car Wide Open

A guy named Romain Marchand who works at a Paris security firm called Quarkslab wanted to see what was inside a car’s telematic unit. So he bought a wrecked BYD Seal’s TCU from a salvage yard in Poland.

He cracked it open, found a Qualcomm chip running Linux (yes, your car runs Linux), soldered tiny wires directly onto the memory chip, and dumped everything stored inside.

What he found was bonkers. The chip had GPS coordinates logged multiple times per second — not occasional pings, but dense, constant tracking. This thing was basically a black box flight recorder, but for a car.

🗺️ What the Data Showed — A Car's Entire Life Story

By reading the GPS logs in order, Marchand literally reconstructed the car’s complete biography:

  • 🏭 Born in China — GPS shows the car leaving the BYD factory
  • 🚢 Shipped across the world — movement data showing transit to the UK
  • 🏠 Daily life in England — every commute, every grocery run, every late-night errand
  • 💥 The crash in Poland — GPS points clustering at one location, same spot, over and over
  • 🔧 Junked — final resting place in a Polish salvage yard

And here’s where it got absolutely wild. Marchand took the crash location and date, searched Facebook, and found a public post showing photos of the exact accident. The crash images matched the GPS data perfectly.

One tiny module. One search. The entire life of a stranger — reconstructed.

📊 The Numbers That Should Worry You

| What | Detail |
| --- | --- |
| GPS logging rate | Multiple times per second |
| Encryption on the data | None. Zero. |
| Password protection | None |
| Data wiped before scrapping | No |
| Brands affected | Not just BYD — similar hardware exists across manufacturers |
| Skill needed to extract | Basic soldering + open-source tools |
| Cost of the module | ~$200 from a junkyard |

😤 BYD's Response

BYD said it “attaches great importance to user privacy” and claims it complies with security regulations. They said location data is collected “solely for the purpose of providing services to the user” and that “no historical data is stored on our cloud servers.”

Which… technically might be true about the cloud. But the point is the data lives on the car itself. In the chip. Forever. Unencrypted. And when that car gets wrecked and sold for parts, all that data goes with it.

🌍 This Isn't Just a BYD Problem

Marchand specifically said the hardware inside that BYD is broadly similar to what you’ll find in other brands. This isn’t a Chinese car thing — it’s a car thing.

Security researcher Ken Munro pointed out this could break EU laws (specifically radio equipment rules that require personal data safeguards). But legacy systems and cost-cutting mean most cars on the road today probably have the same problem.

As Hackaday put it: “It’s bad enough that personal info can be scraped off secondhand hard drives. Now we’ve got to worry about what happens to our cars after they get hauled off to the junkyard.”

🗣️ How People Are Reacting

  • Security community: “This is terrifying but not surprising. We’ve known cars are rolling surveillance devices, but seeing the actual data dump makes it real.”
  • Privacy advocates: Pushing for mandatory data wipe requirements before vehicles can be legally scrapped or resold
  • Auto industry: Mostly silent. Nobody wants to admit their cars are doing this.
  • Junkyard workers: Some are reportedly already being approached by people wanting to buy specific TCUs from specific car models. (Yeah, think about that for a second.)

Cool. Your car knows where you sleep. Now What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)

🔧 Hustle #1: Become a Vehicle Data Wipe Specialist

There’s no standardized service for scrubbing personal data from cars before resale or scrapping. Dealerships don’t do it. Junkyards definitely don’t. But EU regulations are pushing toward requiring it.

Get ahead of this. Learn which modules store data (TCU, infotainment, dashcams, OBD ports), figure out the wipe procedures for major brands, and offer it as a service to dealerships, fleet managers, and rental car companies who are about to face compliance headaches.

🧠 Example: A cybersecurity freelancer in Estonia started offering “digital detox” services for ex-fleet vehicles being auctioned by Europcar. Charges €150 per car, processes 20+ cars per auction batch. Fleet companies pay happily because GDPR fines would be way worse.

📈 Timeline: First paying client within 3-4 weeks if you cold-email rental/fleet companies in your country

🕵️ Hustle #2: Sell Vehicle OSINT Investigation Services to Lawyers

Divorce lawyers, insurance fraud investigators, and corporate litigation firms would pay serious money for someone who can extract and map GPS data from vehicles. This research just proved you can reconstruct someone’s entire movement history from a junkyard part.

Position yourself as a “vehicle digital forensics” contractor. You don’t need a lab — a soldering station, some open-source NAND dump tools, and Quarkslab’s methodology are publicly documented.

🧠 Example: A private investigator in Lisbon added “automotive data recovery” to his services after reading the Quarkslab report. His first case: an insurance company hired him to prove a stolen car claim was fraudulent by showing the GPS logs contradicted the owner’s story. Paid €2,800 for 4 hours of work.

📈 Timeline: Build a portfolio case (buy a cheap TCU from a junkyard, map it) then pitch to PI firms and law offices

💰 Hustle #3: Flip Junkyard TCUs to Security Researchers

Security researchers, journalists, and academics need real-world TCUs for testing and reporting. But they don’t want to drive to Polish junkyards. You could source them in bulk from salvage yards (they basically throw these things away), test that they contain readable data, and resell on eBay or direct to researchers.

A working TCU with verifiable data on it is worth 10x-50x what the junkyard charges for it because of the labor and access involved.

🧠 Example: A university student in Krakow (literally lives near auto salvage yards) started pulling TCUs from wrecked cars, testing them with basic NAND tools, and listing them on eBay as “automotive security research modules.” Sells them for €80-200 each, cost of acquisition: €5-15 per unit.

📈 Timeline: First sale within 2 weeks. Scale as demand grows from the cybersecurity conference circuit.

📝 Hustle #4: Write the 'How to Wipe Your Car Before Selling' Guide That Doesn't Exist

Right now, if you Google “how to delete personal data from car before selling,” you get garbage. Generic advice like “factory reset the infotainment.” Nobody mentions the TCU, the NAND chip, or the fact that a factory reset often doesn’t touch GPS logs at all.

Write the definitive guide. Make it brand-specific (Toyota, Tesla, BYD, BMW, Ford — each has different systems). Sell it as a $19 ebook or Gumroad download. Or build a simple website with a free version and paid premium brand-specific guides.

🧠 Example: A tech writer in Nairobi built a Notion-based guide called “CarDataWipe” covering 15 popular brands sold in East Africa. Shared it on Reddit’s r/privacy and local Facebook car groups. 400+ sales at $12 each in the first month. Now being translated into Swahili and French.

📈 Timeline: Research and write in 1-2 weeks, first sales same week you launch

🧠 Hustle #5: Build a 'Car Privacy Score' Database

Nobody rates cars on how well they protect your data. Mozilla’s Privacy Not Included project already proved people care about this — their car privacy report went mega-viral. But nobody has made a searchable, updated database where you can type in a car model and see exactly what data it collects, where it’s stored, and whether it’s encrypted.

Build it. Monetize with affiliate links to privacy tools, sponsored listings from privacy-focused car brands (they exist), and a premium API for used car platforms like Carvana or AutoTrader.

🧠 Example: Two developers in Berlin launched a site rating smart home devices by privacy. Applied the same model to cars after the Quarkslab report. The car version got 3x more traffic in its first week than the smart home version ever did. Ad revenue covering hosting costs by week two.

📈 Timeline: MVP (minimum working version of the site) in 2-3 weeks using a simple database and static site generator

🛠️ Follow-Up Actions

| Action | Where |
| --- | --- |
| Read Quarkslab’s full teardown report | Quarkslab Blog |
| Check Mozilla’s car privacy ratings | Privacy Not Included — Cars |
| Learn basic NAND dumping | Search YouTube for “NAND flash dump tutorial” — tons of free walkthroughs |
| Find local salvage yards selling parts | car-part.com or local Facebook Marketplace |
| Read EU data protection rules for vehicles | GDPR vehicle data guidelines |

⚡ Quick Hits

| Want to… | Do this |
| --- | --- |
| 🔍 Wipe your own car before selling | Factory reset infotainment + ask dealer to reset TCU + remove dashcam SD cards |
| 🛡️ Check what your car collects | Look up your model on Mozilla’s car privacy list |
| 📖 Read the full Quarkslab research | Blog post with technical details |
| 💰 Turn this into income | Start with Hustle #1 or #4 — lowest barrier to entry |
| 🧠 Learn car hacking basics | Car Hacking Village resources from DEF CON |

Your car remembers every place you’ve ever been. The junkyard guy who bought it for scrap metal? Now he does too.

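Hustle #4 above says a factory reset often doesn't touch the GPS logs, so a wipe needs verifying. The following is an added example, not code from the original post or from Quarkslab: it scans a storage image you have taken from your own module for leftover plaintext GNSS records and reports whether any remain. It assumes the logs are stored as NMEA 0183 sentences, which the post does not state; the function names and sample bytes are constructed for illustration.

```python
import mmap
import re

# NMEA 0183 layout: '$' + 5-letter talker/type + ',' + fields + '*' + 2 hex digits.
NMEA_RE = re.compile(rb"\$([A-Z]{5},[^\x00-\x1f$*\x7f-\xff]{1,74})\*([0-9A-Fa-f]{2})")

def xor_checksum(body) -> int:
    """NMEA checksum: XOR of every byte between '$' and '*'."""
    cs = 0
    for b in body:
        cs ^= b
    return cs

def scan_image(data) -> dict:
    """Count checksum-valid NMEA sentences in a bytes-like storage image."""
    counts, first, last = {}, None, None
    for m in NMEA_RE.finditer(data):
        if xor_checksum(m.group(1)) != int(m.group(2), 16):
            continue  # bytes that merely look like a sentence
        kind = m.group(1)[2:5].decode("ascii")  # sentence type, e.g. RMC, GGA
        counts[kind] = counts.get(kind, 0) + 1
        first = m.start() if first is None else first
        last = m.start()
    return {"counts": counts, "first_offset": first,
            "last_offset": last, "clean": not counts}

def scan_file(path: str) -> dict:
    """Scan an image file via mmap instead of loading it into memory."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan_image(mm)

def make_sentence(body: bytes) -> bytes:
    """Build a checksum-valid sentence for the constructed sample below."""
    return b"$" + body + b"*%02X" % xor_checksum(body)

# Constructed sample data (all-zero coordinates), not taken from any real device.
RMC = make_sentence(b"GPRMC,000000.00,A,0000.000,N,00000.000,E,0.0,0.0,010100,,,A")
GGA = make_sentence(b"GPGGA,000000.00,0000.000,N,00000.000,E,1,08,1.0,0.0,M,0.0,M,,")
DIRTY_IMAGE = (b"\xff" * 64 + RMC + b"\r\n" + GGA + b"\r\n"
               + b"$GPRMC,corrupt*00" + b"\xff" * 64)  # last one has a bad checksum
WIPED_IMAGE = b"\xff" * 256                            # erased flash reads as 0xFF

if __name__ == "__main__":
    for name, image in (("dirty", DIRTY_IMAGE), ("wiped", WIPED_IMAGE)):
        print(name, scan_image(image))
```

A "clean" result only rules out plaintext NMEA text: logs in a binary or compressed format, or sentences split by spare/ECC bytes in a raw NAND dump, would not be counted. Treat it as one check alongside the manufacturer's documented erase procedure.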