Your Dead Car Remembers Every Place You've Ever Been — And Nobody Wipes It

:automobile: Your Dead Car Remembers Every Place You’ve Ever Been — And Nobody Wipes It

A researcher pulled a $30 computer chip from a junked BYD and found every GPS coordinate the car had ever visited — from a factory in China to a wreck in Poland. Completely unencrypted. Just sitting there.

A single salvage-yard chip contained the car’s ENTIRE location history — factory to grave — in plaintext. No password. No encryption. Every modern car does this.

Romain Marchand, a security researcher at Paris-based firm Quarkslab, bought a telematic control unit (basically a tiny computer that handles your car’s internet connection) from a Polish junkyard. He popped open the flash memory, pulled out the Linux file system, and found… everything. Every GPS ping. Every route. The car’s full life story from Shenzhen to London to its final resting place in Warsaw. None of it encrypted. None of it wiped. Just vibing on a dead circuit board in a scrapyard.

Car Tracking


🧩 Dumb Mode Dictionary
Term What It Actually Means
TCU (Telematic Control Unit) A tiny computer inside your car that connects to the internet, tracks GPS, and logs everything
NAND flash memory The same type of storage in your phone — keeps data even when power is off
Plaintext Not encrypted. Anyone who opens it can read it, like a Word doc sitting on a desktop
Salvage yard Where cars go to die. People buy parts from wrecked vehicles
Linux file system Your car runs Linux (yes, the same free operating system hackers love)
🔍 What Exactly Did He Find?

So here’s the wild part. Marchand didn’t hack anything. He literally just read the storage chip like you’d read a USB drive. What was on it:

  • Complete GPS location history — every single place the car had been, from the day it rolled off the assembly line in China
  • System configuration data — how the car’s software was set up
  • Event logs — timestamps of when things happened inside the car’s systems
  • Network connection records — what the car was talking to and when

The BYD’s journey was mapped perfectly: factory in Shenzhen → shipped to UK → driven around London → eventually wrecked and scrapped in Poland. All on one little chip. Source: iTnews

📊 The Receipts
What Details
Researcher Romain Marchand, R&D engineer at Quarkslab (Paris)
Car tested BYD electric vehicle (scrapped in Poland)
Data found Full GPS history, system logs, network configs
Encryption used Zero. Absolutely none. Plaintext everything
Affected brands Not just BYD — the hardware architecture is common across the entire auto industry
Cost of the chip Salvage yard prices. We’re talking under $50 for a used TCU
🚨 Why This Is Worse Than You Think

This isn’t a BYD problem. Marchand specifically pointed out that the same type of hardware and storage setup exists across manufacturers. Your Toyota, your Tesla, your BMW — they all have TCUs logging location data to flash memory.

And here’s what makes it truly cooked: nobody wipes this data. Ever.

  • When you sell your car, the dealer doesn’t touch it
  • When the car gets wrecked, the scrapyard doesn’t care
  • When someone buys parts from the wreck, that chip is just… there
  • Your ex, your stalker, a random stranger at a junkyard — they can all pull your entire movement history

I mean, we freak out about phone tracking. We put tape over laptop cameras. But your CAR has been quietly recording a perfect map of your entire life and nobody even thinks about it.

💬 What the Security Community Is Saying

The response has been a mix of “obviously” from car security researchers and “WHAT” from everyone else:

  • Auto security experts say this has been a known issue for years but manufacturers have zero incentive to fix it — encryption costs money and nobody’s been sued over it yet
  • Privacy advocates are pointing out that GDPR technically requires data deletion, but good luck enforcing that on a car that’s been crushed into a metal cube
  • Right-to-repair folks see a double edge: the same openness that lets you fix your car also exposes your data
  • Some researchers note that rental cars and fleet vehicles are even worse — they cycle through hundreds of drivers, each leaving a GPS breadcrumb trail
⚙️ The Bigger Picture: Cars as Spy Devices

This fits into a growing pattern. The Mozilla Foundation found in 2023 that cars are the worst category of consumer product for privacy — worse than smart speakers, worse than phones, worse than everything. Every major automaker collects data about driving behavior, location, and even biometric info in some cases.

But the twist here is that it’s not about what manufacturers do with YOUR data while you own the car. It’s about what happens AFTER. The data just… persists. On hardware that gets sold to strangers. In countries with different privacy laws. Forever.

Your phone has a factory reset button. Your car doesn’t.


Cool. Your car’s a narc that never shuts up, even from the grave. Now What the Hell Do We Do? ( ͡° ͜ʖ ͡°)

Junkyard

🕳️ The Junkyard Goldmine — Forensic Data Recovery Service

Most people selling or scrapping a car have zero clue their location history is sitting on a chip worth less than a pizza. Offer a pre-sale “digital wipe” service to used car dealerships, fleet companies, and individual sellers. You buy a cheap NAND flash reader, learn the Linux file system layout for common TCU brands (most run embedded Linux), and charge $150-300 per vehicle to securely erase telematic data before resale.

:brain: Example: A 24-year-old electronics student in Krakow, Poland contacts three local salvage yards and offers to wipe TCUs before they’re resold on eBay. She charges the yards €50 per unit for the service and processes 8-10 units a day, bringing in €400-500/day while the yards get to advertise “data-sanitized parts.”

:chart_increasing: Timeline: First client in 3-5 days (salvage yards move fast). Plateau at 6-8 weeks when you’ve hit every yard in your region and need to scale to remote mail-in service.

🎣 The Stalker-Proof Audit — Privacy Reports for Car Buyers

Flip the script. Instead of wiping data, READ it — for the buyer. Offer a “vehicle privacy audit” where you pull the TCU from a used car before purchase and generate a report showing what data the previous owner left behind. Domestic violence survivors, public figures, and anyone buying a used car from a sketchy Craigslist ad would pay real money to know if the car they’re buying has been tracking them to the previous owner’s cloud dashboard. Partner with domestic violence shelters and women’s safety organizations who can refer clients.

:brain: Example: A 28-year-old IT technician in Melbourne, Australia partners with two DV (domestic violence) shelters. She offers free audits for shelter referrals and charges $200 for commercial clients. Within a month she’s doing 3-4 audits per week through word of mouth, pulling in $2,400-3,200/month as a side hustle.

:chart_increasing: Timeline: First paying client in 1-2 weeks through shelter partnerships. Hits steady income in 4-6 weeks. Long runway — this problem isn’t going anywhere.

📡 The Fleet Data Broker — Sell Compliance to Companies

Big companies with vehicle fleets (delivery services, construction, rental agencies) are sitting on a GDPR and CCPA time bomb. Every car they sell or scrap leaks employee and customer location data. Build a compliance checklist and pitch fleet managers on a monthly data-disposal contract. You don’t even need to touch the cars — train their existing mechanics to do the wipe using a process you design, and charge a licensing fee for the procedure + quarterly audits.

:brain: Example: A 31-year-old cybersecurity contractor in Berlin, Germany writes a 12-page TCU data disposal guide, gets it reviewed by a GDPR lawyer friend, and cold-emails 40 fleet rental companies. Three sign up at €800/month for the compliance package. That’s €2,400/month for basically a PDF and a quarterly Zoom call.

:chart_increasing: Timeline: First contract in 2-3 weeks (fleet managers respond fast to liability threats). Scales indefinitely — there are thousands of fleet companies per country.

🪟 The Patch Window Play — Sell TCUs Before Manufacturers Wake Up

Right now, used TCUs sell on eBay and AliExpress for $20-80. Most buyers want them for car repairs. But here’s the angle nobody’s running: security researchers, journalists, and privacy advocates ALSO want these — specifically the ones with data still on them. Researchers need real-world samples to study. Before manufacturers start encrypting or wiping (which could happen once this research gets enough press), buy TCUs from salvage yards in bulk at scrap prices ($5-15 each) and resell them as “research-grade automotive telematic units with intact data” for $100-200 each on eBay or direct to university labs.

:brain: Example: A 22-year-old in São Paulo, Brazil hits up three local junkyards, buys 50 TCUs at R$30 each (about $6), lists them as “automotive security research hardware” on international marketplaces. Sells 20 units in the first month at $150 each to European university labs. That’s $3,000 from a $300 investment.

:chart_increasing: Timeline: First sale in 5-7 days. Window closes in 3-6 months as manufacturers respond. Move fast.

🔧 The Open-Source Wipe Tool — Build It, Own the Niche

Nobody has built a simple, free, open-source tool that connects to common TCU chips and securely erases location data. The technical barrier is surprisingly low — most TCUs run embedded Linux and the data sits on standard NAND flash. Build it on GitHub, document it well, and become THE name in automotive data privacy. Monetize through consulting, speaking gigs, and the premium “enterprise” version with audit logging and compliance reports. The tool is free. The expertise is what people pay for.

:brain: Example: A 26-year-old hardware hacker in Bangalore, India forks an existing NAND flash tool, adds TCU-specific file system detection and secure erase, publishes on GitHub with a slick README. Gets 2,000 stars in a month. A German car rental company contacts her for a $5,000 consulting contract to implement it across their fleet.

:chart_increasing: Timeline: Tool MVP in 1-2 weeks. First consulting inquiry in 3-4 weeks after HN/Reddit traction. Long-term play — the tool builds your reputation indefinitely.

🛠️ Follow-Up Actions
Step Action Resource
1 Read Marchand’s full research iTnews article
2 Learn NAND flash reading basics flashrom wiki
3 Study common TCU hardware Search eBay for “telematic control unit” to see what’s available
4 Understand GDPR data deletion rules GDPR Article 17
5 Check Mozilla’s car privacy ratings Privacy Not Included: Cars

:high_voltage: Quick Hits

Want to… Do this
:magnifying_glass_tilted_left: Check if YOUR car leaks data Look up your car’s TCU model + search “[model] teardown” on YouTube
:shield: Wipe before selling your car Ask your dealer about “telematic data reset” — most won’t know what you mean, which tells you everything
:mobile_phone: See what your car sends home Install Wireshark on your home network and watch your car’s WiFi traffic
:money_bag: Start the privacy wipe business Buy one used TCU on eBay, a $15 NAND reader, and practice on a dead unit first
:open_book: Go deeper on car surveillance Read Mozilla’s Privacy Not Included car report

Your car knows where you slept last Tuesday. And when it dies, it tells anyone who asks.

2 Likes

That’s a cool educating post, but being a regular mortal citizen, why this should bother me?

Are there any dangerous consequences by gps-history leakage?