A Scrapped BYD Tracked Its Own Journey From China to Poland — Nobody Wiped It
a security researcher bought a $30 car part from a Polish junkyard and reconstructed the vehicle’s entire life story — including finding the crash on Facebook
90% of new cars collect driving data sold to third parties. exactly 0% of scrapped cars have their data properly wiped. a researcher just proved why that’s terrifying.
Romain Marchand at Quarkslab (Paris security firm) bought a telematic control unit — basically the little computer box that handles your car’s cellular connection — from a salvage yard in Poland. What he pulled off that chip reads like a damn detective novel.

🧩 Dumb Mode Dictionary
| Term | Translation |
|---|---|
| TCU (Telematic Control Unit) | The little computer box in your car that talks to cell towers and sends data back to the manufacturer |
| ECU (Electronic Control Unit) | Any of the dozens of mini-computers scattered throughout your car controlling brakes, engine, windows, etc. |
| NAND storage | The same type of memory chip in your phone — stores data even when power is off |
| Factory reset | When you wipe your phone clean. Except for cars, it only erases SOME of the data |
| Quarkslab | A French security research company that tears apart hardware to find vulnerabilities |
| BYD | Chinese car manufacturer, now the world’s largest EV maker |
🔍 What He Actually Found on a $30 Junkyard Part
Marchand cracked open the TCU from a BYD Seal (electric sedan) and extracted its Linux file system. What was sitting there, totally unencrypted:
- GPS coordinates logging the car’s entire journey — from the factory in Shenzhen, China → shipped to the UK → driven around British roads → crashed → scrapped in Poland
- System configuration data exposing how the car’s internals were set up
- Accident location coordinates — which he then cross-referenced with Facebook and found a post showing the exact flipped BYD Seal at the exact location
The car was dead. The data was very much alive.
“The telematics unit was more than a device; it was a data archive.” — Romain Marchand, Quarkslab
📊 The Receipts — By the Numbers
| Stat | Number |
|---|---|
| Cars on US roads with data collection | ~280 million |
| New cars collecting detailed driving data | ~90% |
| Cars with proper data wipe at resale | effectively 0% |
| ECUs in a modern vehicle | 70-150+ |
| ECUs with a user-accessible reset | 1-3 (infotainment only) |
| Countries banning Chinese cars from military zones | Poland, Belgium, others |
Source: iTnews investigation and privacy regulation analysis
😤 Why You Can't Just 'Factory Reset' Your Car
here’s where it gets ugly. your phone? you can wipe it. your laptop? you can nuke the drive. your car?
- the infotainment screen has a “reset” button that clears your saved addresses and bluetooth pairings
- but the TCU? no user interface. no reset button. just a chip soldered to a board, silently logging everything
- your car has 70 to 150+ separate computers inside it. the factory reset touches maybe 2-3 of them
- the other 67-147 just… keep everything. forever. until someone physically rips them out and reads the chip
and this isn’t a BYD problem. Marchand confirmed the hardware architecture is “broadly similar to what can be found in other brands.” your Toyota, your BMW, your Ford — same deal.
🌍 Governments Are Starting to Panic
- Poland (Feb 2026): Banned Chinese-made vehicles from military facilities over data collection fears — location, video, audio
- Australia’s ASD: Now recommending drivers “disable vehicle data sharing where possible”
- Australia’s OAIC: Launched an investigation into major car brands for potentially violating the Privacy Act
- Oregon (2025): Updated privacy law to cover motor vehicle manufacturers processing consumer data
- EU: Still writing angry letters about it (classic)
but here’s the thing nobody’s saying out loud: even if they regulate NEW cars, there are hundreds of millions of cars already on the road with years of unwiped data sitting on chips. and every single one of those cars will eventually be sold, scrapped, or shipped to a developing country where salvage yards sell parts to anyone with cash.
🗣️ What the Timeline's Saying
the reactions are… predictable but still wild:
“Your car knows where you sleep, where you work, where your kids go to school, where your side piece lives. And when you sell it? The next owner gets all of that for free.” — HN commenter
“Navigation systems have always stored home addresses, favorites, recent destinations. Nobody ever wipes them.” — Slashdot thread
“We’ve been worrying about phone privacy for years while our CARS have been the real surveillance devices this whole time.” — Reddit r/privacy
the scariest part isn’t that the data exists. it’s that the salvage supply chain is GLOBAL. a car scrapped in London can have its parts show up in Lagos, Lahore, or Lima within weeks. and anyone who buys that part gets the digital ghost of whoever drove that car.
Cool. Your Dead Car Just Snitched on You From a Polish Junkyard. Now What the Hell Do We Do? ( ͡° ͜ʖ ͡°)

🕳️ The Junkyard Data Miner
salvage yards sell car parts online for almost nothing. TCUs from wrecked vehicles cost $20-50 on Polish, Lithuanian, and Turkish marketplaces. each one is basically a black box flight recorder of someone’s life.
the play: buy TCUs from salvage marketplaces, extract GPS data and system logs (Marchand published his methodology on Quarkslab’s blog — it’s open knowledge), then offer certified data destruction services to car dealerships and fleet managers. right now there is literally nobody doing this at scale. dealerships don’t even know the problem exists.
Example: 26-year-old hardware tinkerer in Krakow, Poland buys 15 TCUs from local salvage sites, documents the data found on each one (anonymized), creates a horror-show presentation for local dealership chains showing what their trade-ins are leaking. Signs 3 dealerships at €200/month each for ongoing data destruction services.
Timeline: First client within 2 weeks of cold outreach with the demo. Scales to 20+ dealerships in 3 months once one chain signs. Burns out when car manufacturers eventually add remote wipe features — but that’s 3-5 years away minimum.
📡 The Fleet Ghost Tracker
companies with vehicle fleets (delivery, logistics, rental) have a GDPR nightmare sitting in their parking lots. every car they retire still has employee routes, client addresses, delivery patterns stored on chips. one breach = massive fines.
the play: position yourself as a vehicle data compliance auditor. you don’t need to be a lawyer. you need a Qualcomm chip reader, the Quarkslab methodology, and a one-page report template that says “here’s the data we found, here’s your GDPR exposure, here’s what we charge to fix it.” fleet managers will panic-buy this service because the alternative is a €20M fine.
Example: 30-year-old IT contractor in Rotterdam, Netherlands targets mid-size delivery companies with 50-200 vehicles. Pulls data from 3 retired fleet vans as proof-of-concept. The fleet manager sees customer delivery addresses from 2023 still sitting unencrypted on a chip. Signs a €5,000 fleet audit contract on the spot.
Timeline: First paying client in 3 weeks. 10 fleet clients generating €4-8K each within 4 months. Plateau when big consulting firms copy the play — but you’ll have first-mover contracts locked in.
🎣 The Used Car Privacy Report
everyone gets a Carfax report before buying a used car. nobody gets a “data report.” yet.
the play: offer a “Digital Privacy Pre-Purchase Inspection” for used car buyers. for $50-100, you check what data the previous owner left behind — saved wifi passwords, home addresses, paired phone numbers, GPS history. sell it as peace of mind for the buyer AND as a warning about what THEY’LL leave behind when they resell. partner with independent mechanics who already do pre-purchase inspections.
Example: 22-year-old comp-sci student in Lisbon, Portugal partners with 5 independent mechanics. Each mechanic offers the “digital inspection” as a $75 add-on to their regular pre-purchase check. Student does the actual data pull remotely when the mechanic sends photos of the infotainment unit model. 15 inspections/month = €1,125 for basically weekend work.
Timeline: First mechanic partnership in 1 week. 5 partners within a month. Scales to 20-30 shops in 6 months if you build a simple branded report template. This one has long legs — used car sales aren’t going away.
🪟 The Patch Window Flipper
right now, before manufacturers wake up and add remote wipe capabilities, there’s a window where you can buy cheap salvage TCUs, extract interesting (non-personal) data — like proprietary system configurations, firmware versions, undocumented features — and sell that intelligence to independent repair shops who need it to service these cars without dealer software.
the play: right-to-repair is huge right now. independent shops can’t fix modern cars because the software is locked down. but the TCU firmware often contains configuration data, diagnostic protocols, and communication specs that are gold for indie mechanics.
Example: 28-year-old auto electrician in Istanbul, Turkey extracts firmware configs from 20 different BYD TCUs, documents the diagnostic communication protocols, and sells access to a Telegram channel where indie EV repair shops get the specs they need. 200 subscribers at $15/month = $3,000/month.
Timeline: First subscribers within 2 weeks of posting sample data on Turkish auto forums. Grows fast as BYD expands across the Middle East and Africa with zero official repair infrastructure. Closes when BYD opens official service centers — but in Turkey/North Africa that’s years away.
🎰 The Insurance Arbitrage Play
insurance companies are DYING for granular driving data. car manufacturers sell it to them for premium prices. but guess what’s sitting on every scrapped car’s TCU? the same data, for free.
the play: build a small dataset of anonymized driving patterns from salvaged TCUs — acceleration habits, braking frequency, speed patterns by road type, time-of-day usage. sell this as actuarial training data to small/mid-size insurance companies who can’t afford the manufacturer’s data feed. you’re not selling personal info — you’re selling statistical driving behavior patterns at 1/100th the cost.
Example: 24-year-old data science grad in Warsaw, Poland collects anonymized driving telemetry from 100 salvaged TCUs (stripping all identifying GPS coordinates, keeping only speed/acceleration/braking patterns). Packages it as a “European Urban Driving Behavior Dataset” and sells to 3 insurtech startups at €2,000 per dataset license.
Timeline: Dataset assembly takes about a month of weekend salvage yard visits. First sale within 2 months through cold LinkedIn outreach to insurtech CTOs. Repeat sales of updated datasets every quarter. Long runway — insurers always need more data.
🛠️ Follow-Up Actions
| Step | Action |
|---|---|
| 1 | Read Quarkslab’s full teardown methodology — it’s a literal instruction manual |
| 2 | Browse Polish salvage marketplaces (Allegro.pl, OtoMoto parts section) for cheap TCUs to practice on |
| 3 | Learn basic chip reading with a CH341A programmer ($5 on AliExpress) — works on most NAND chips |
| 4 | Check your OWN car’s data — go to Settings → Privacy on your infotainment and see what’s stored |
| 5 | If you’re selling/trading a car: do the factory reset, but know it only covers ~5% of stored data |
| 6 | Follow Privacy4Cars — they’re building tools specifically for vehicle data deletion |
Quick Hits
| Want to… | Do this |
|---|---|
| Go to infotainment → Settings → Privacy/Data → cry | |
| Factory reset infotainment + disconnect battery for 30 min + remove SIM card from TCU | |
| Read Quarkslab’s blog post — free, detailed, step-by-step | |
| CH341A NAND programmer — under $5, reads most car storage chips | |
| Look for a SIM slot in the glovebox or under the center console — if it’s there, your car is phoning home |
your car outlived the relationship, the job, and the apartment lease. but it remembered every address. sleep tight.
!