Your Dead Car Remembers Every Place You’ve Ever Been — And Nobody Wipes It
A researcher pulled a $30 computer chip from a junked BYD and found every GPS coordinate the car had ever visited — from a factory in China to a wreck in Poland. Completely unencrypted. Just sitting there.
A single salvage-yard chip contained the car’s ENTIRE location history — factory to grave — in plaintext. No password. No encryption. Every modern car does this.
Romain Marchand, a security researcher at Paris-based firm Quarkslab, bought a telematic control unit (basically a tiny computer that handles your car’s internet connection) from a Polish junkyard. He popped open the flash memory, pulled out the Linux file system, and found… everything. Every GPS ping. Every route. The car’s full life story from Shenzhen to London to its final resting place in Warsaw. None of it encrypted. None of it wiped. Just vibing on a dead circuit board in a scrapyard.

🧩 Dumb Mode Dictionary
| Term | What It Actually Means |
|---|---|
| TCU (Telematic Control Unit) | A tiny computer inside your car that connects to the internet, tracks GPS, and logs everything |
| NAND flash memory | The same type of storage in your phone — keeps data even when power is off |
| Plaintext | Not encrypted. Anyone who opens it can read it, like a Word doc sitting on a desktop |
| Salvage yard | Where cars go to die. People buy parts from wrecked vehicles |
| Linux file system | Your car runs Linux (yes, the same free operating system hackers love) |
🔍 What Exactly Did He Find?
So here’s the wild part. Marchand didn’t hack anything. He literally just read the storage chip like you’d read a USB drive. What was on it:
- Complete GPS location history — every single place the car had been, from the day it rolled off the assembly line in China
- System configuration data — how the car’s software was set up
- Event logs — timestamps of when things happened inside the car’s systems
- Network connection records — what the car was talking to and when
The BYD’s journey was mapped perfectly: factory in Shenzhen → shipped to UK → driven around London → eventually wrecked and scrapped in Poland. All on one little chip. Source: iTnews
📊 The Receipts
| What | Details |
|---|---|
| Researcher | Romain Marchand, R&D engineer at Quarkslab (Paris) |
| Car tested | BYD electric vehicle (scrapped in Poland) |
| Data found | Full GPS history, system logs, network configs |
| Encryption used | Zero. Absolutely none. Plaintext everything |
| Affected brands | Not just BYD — the hardware architecture is common across the entire auto industry |
| Cost of the chip | Salvage yard prices. We’re talking under $50 for a used TCU |
🚨 Why This Is Worse Than You Think
This isn’t a BYD problem. Marchand specifically pointed out that the same type of hardware and storage setup exists across manufacturers. Your Toyota, your Tesla, your BMW — they all have TCUs logging location data to flash memory.
And here’s what makes it truly cooked: nobody wipes this data. Ever.
- When you sell your car, the dealer doesn’t touch it
- When the car gets wrecked, the scrapyard doesn’t care
- When someone buys parts from the wreck, that chip is just… there
- Your ex, your stalker, a random stranger at a junkyard — they can all pull your entire movement history
I mean, we freak out about phone tracking. We put tape over laptop cameras. But your CAR has been quietly recording a perfect map of your entire life and nobody even thinks about it.
💬 What the Security Community Is Saying
The response has been a mix of “obviously” from car security researchers and “WHAT” from everyone else:
- Auto security experts say this has been a known issue for years but manufacturers have zero incentive to fix it — encryption costs money and nobody’s been sued over it yet
- Privacy advocates are pointing out that GDPR technically requires data deletion, but good luck enforcing that on a car that’s been crushed into a metal cube
- Right-to-repair folks see a double edge: the same openness that lets you fix your car also exposes your data
- Some researchers note that rental cars and fleet vehicles are even worse — they cycle through hundreds of drivers, each leaving a GPS breadcrumb trail
⚙️ The Bigger Picture: Cars as Spy Devices
This fits into a growing pattern. The Mozilla Foundation found in 2023 that cars are the worst category of consumer product for privacy — worse than smart speakers, worse than phones, worse than everything. Every major automaker collects data about driving behavior, location, and even biometric info in some cases.
But the twist here is that it’s not about what manufacturers do with YOUR data while you own the car. It’s about what happens AFTER. The data just… persists. On hardware that gets sold to strangers. In countries with different privacy laws. Forever.
Your phone has a factory reset button. Your car doesn’t.
Cool. Your car’s a narc that never shuts up, even from the grave. Now What the Hell Do We Do? ( ͡° ͜ʖ ͡°)

🕳️ The Junkyard Goldmine — Forensic Data Recovery Service
Most people selling or scrapping a car have zero clue their location history is sitting on a chip worth less than a pizza. Offer a pre-sale “digital wipe” service to used car dealerships, fleet companies, and individual sellers. You buy a cheap NAND flash reader, learn the Linux file system layout for common TCU brands (most run embedded Linux), and charge $150-300 per vehicle to securely erase telematic data before resale.
Example: A 24-year-old electronics student in Krakow, Poland contacts three local salvage yards and offers to wipe TCUs before they’re resold on eBay. She charges the yards €50 per unit for the service and processes 8-10 units a day, bringing in €400-500/day while the yards get to advertise “data-sanitized parts.”
Timeline: First client in 3-5 days (salvage yards move fast). Plateau at 6-8 weeks when you’ve hit every yard in your region and need to scale to remote mail-in service.
🎣 The Stalker-Proof Audit — Privacy Reports for Car Buyers
Flip the script. Instead of wiping data, READ it — for the buyer. Offer a “vehicle privacy audit” where you pull the TCU from a used car before purchase and generate a report showing what data the previous owner left behind. Domestic violence survivors, public figures, and anyone buying a used car from a sketchy Craigslist ad would pay real money to know if the car they’re buying has been tracking them to the previous owner’s cloud dashboard. Partner with domestic violence shelters and women’s safety organizations who can refer clients.
Example: A 28-year-old IT technician in Melbourne, Australia partners with two DV (domestic violence) shelters. She offers free audits for shelter referrals and charges $200 for commercial clients. Within a month she’s doing 3-4 audits per week through word of mouth, pulling in $2,400-3,200/month as a side hustle.
Timeline: First paying client in 1-2 weeks through shelter partnerships. Hits steady income in 4-6 weeks. Long runway — this problem isn’t going anywhere.
📡 The Fleet Data Broker — Sell Compliance to Companies
Big companies with vehicle fleets (delivery services, construction, rental agencies) are sitting on a GDPR and CCPA time bomb. Every car they sell or scrap leaks employee and customer location data. Build a compliance checklist and pitch fleet managers on a monthly data-disposal contract. You don’t even need to touch the cars — train their existing mechanics to do the wipe using a process you design, and charge a licensing fee for the procedure + quarterly audits.
Example: A 31-year-old cybersecurity contractor in Berlin, Germany writes a 12-page TCU data disposal guide, gets it reviewed by a GDPR lawyer friend, and cold-emails 40 fleet rental companies. Three sign up at €800/month for the compliance package. That’s €2,400/month for basically a PDF and a quarterly Zoom call.
Timeline: First contract in 2-3 weeks (fleet managers respond fast to liability threats). Scales indefinitely — there are thousands of fleet companies per country.
🪟 The Patch Window Play — Sell TCUs Before Manufacturers Wake Up
Right now, used TCUs sell on eBay and AliExpress for $20-80. Most buyers want them for car repairs. But here’s the angle nobody’s running: security researchers, journalists, and privacy advocates ALSO want these — specifically the ones with data still on them. Researchers need real-world samples to study. Before manufacturers start encrypting or wiping (which could happen once this research gets enough press), buy TCUs from salvage yards in bulk at scrap prices ($5-15 each) and resell them as “research-grade automotive telematic units with intact data” for $100-200 each on eBay or direct to university labs.
Example: A 22-year-old in São Paulo, Brazil hits up three local junkyards, buys 50 TCUs at R$30 each (about $6), lists them as “automotive security research hardware” on international marketplaces. Sells 20 units in the first month at $150 each to European university labs. That’s $3,000 from a $300 investment.
Timeline: First sale in 5-7 days. Window closes in 3-6 months as manufacturers respond. Move fast.
🔧 The Open-Source Wipe Tool — Build It, Own the Niche
Nobody has built a simple, free, open-source tool that connects to common TCU chips and securely erases location data. The technical barrier is surprisingly low — most TCUs run embedded Linux and the data sits on standard NAND flash. Build it on GitHub, document it well, and become THE name in automotive data privacy. Monetize through consulting, speaking gigs, and the premium “enterprise” version with audit logging and compliance reports. The tool is free. The expertise is what people pay for.
Example: A 26-year-old hardware hacker in Bangalore, India forks an existing NAND flash tool, adds TCU-specific file system detection and secure erase, publishes on GitHub with a slick README. Gets 2,000 stars in a month. A German car rental company contacts her for a $5,000 consulting contract to implement it across their fleet.
Timeline: Tool MVP in 1-2 weeks. First consulting inquiry in 3-4 weeks after HN/Reddit traction. Long-term play — the tool builds your reputation indefinitely.
🛠️ Follow-Up Actions
| Step | Action | Resource |
|---|---|---|
| 1 | Read Marchand’s full research | iTnews article |
| 2 | Learn NAND flash reading basics | flashrom wiki |
| 3 | Study common TCU hardware | Search eBay for “telematic control unit” to see what’s available |
| 4 | Understand GDPR data deletion rules | GDPR Article 17 |
| 5 | Check Mozilla’s car privacy ratings | Privacy Not Included: Cars |
Quick Hits
| Want to… | Do this |
|---|---|
| Look up your car’s TCU model + search “[model] teardown” on YouTube | |
| Ask your dealer about “telematic data reset” — most won’t know what you mean, which tells you everything | |
| Install Wireshark on your home network and watch your car’s WiFi traffic | |
| Buy one used TCU on eBay, a $15 NAND reader, and practice on a dead unit first | |
| Read Mozilla’s Privacy Not Included car report |
Your car knows where you slept last Tuesday. And when it dies, it tells anyone who asks.
!