Romain Marchand, a research engineer at Paris-based Quarkslab, bought a telematic control unit (TCU) from an online salvage marketplace in April 2026. The module came from a BYD Seal — wrecked, sold for parts, sitting in a Polish junkyard.

He extracted the filesystem using open-source tools. No manufacturer credentials. No hacking. Just publicly available software and a USB cable.

What he found:

• Complete GPS logs from China factory → UK roads → Poland scrap heap
• System configuration data (unencrypted)
• Event logs showing exactly when and where things happened
• All of it sitting there, readable, transferable

Real talk: this isn’t a BYD problem. Marchand said the hardware architecture is “broadly similar to what can be found in other brands.” Translation: every carmaker is doing this.

Privacy researchers at Fleet Defender warned in 2026: “The collection of location data enables the creation of a detailed picture of a vehicle’s movements, which can on its own or when combined with other data sources, result in serious threats to an individual’s privacy and safety.”

A Pacific Drive Education security guide noted: “Resetting the infotainment system to factory settings may not remove all your personal data.” And the kicker: “Some ECU data can be erased while some cannot be erased.”

GM’s own documentation admits they access ECU info “to tell them if the vehicle was abused.” Cool. So they’re reading it. Who else is?

One Redditor in a car privacy thread: “I factory reset my BMW before selling. Found out 6 months later the new owner could still see my old nav history. Dealer said ‘that’s normal.’”

Look, this is where it gets wild.

You think you own your car. You don’t. You own the metal shell. The software inside? That’s licensed. The data? The manufacturer claims it. And when you sell the car, that data doesn’t transfer — it just… stays there. Forever.

Here’s what’s actually stored in these modules:

• GPS position logs (everywhere you’ve been)
• Phone sync data (contacts, call logs, recent text previews)
• Paired device identifiers (your phone’s unique ID)
• Driving behavior metrics (speed, braking, acceleration)
• Diagnostic codes (mechanical issues, abuse flags)

And because there’s no user interface on most ECUs, there’s no “delete” button. The infotainment screen reset? That’s one module. The TCU? Different module. The body control module? Another one. The powertrain ECU? You get the idea.

Even better: many of these modules have cellular connections that can’t be fully disabled without breaking core car functions. They’re phoning home. Always.

Poland banned certain Chinese car models from military bases because of this exact issue. But the problem isn’t just Chinese cars — it’s ALL connected cars made after 2016.

People selling cars have zero idea their data is still in there. Most think “factory reset” = done. Wrong.

Build a mobile service that does deep ECU data wipes before car sales. You pull diagnostic data, show them what’s stored (their home address on a map works great for shock value), then wipe what’s wipeable and document what isn’t.

Charge $150-300 per car. Target luxury owners (Mercedes, BMW, Tesla) and high-mileage Uber/Lyft drivers who are turning in leases.

Example: A guy in Austin, Texas started “CarPrivacy.io” in March 2026. Mobile van. Shows up at your house. Plugs into OBD-II port. $200 flat rate. Booked solid within 3 weeks through local Facebook car groups and Nextdoor ads. $11K first month.

Timeline: 2-3 weeks to get OBD tools + learn basic ECU access, 1 week to test on your own car, launch same month

Insurance companies pay big money to prove someone lied about an accident. ECU data is the smoking gun.

Someone claims they weren’t speeding? The ECU has speed logs. Claim the airbag deployed randomly? Event logs show impact force and timing. Say they weren’t in that part of town? GPS proves otherwise.

You don’t need to BE the investigator. Just be the guy who knows how to pull the data and write a clean report.

Partner with small personal injury law firms and indie insurance adjusters. Charge $500-1500 per data extraction + expert witness fee if it goes to court.

Example: A former auto mechanic in Manchester, UK built a side income doing exactly this. Learned ECU forensics from YouTube + Quarkslab’s published research. Now pulls in £3-5K/month doing 4-6 extractions. Doesn’t even need the full car — just the module.

Timeline: 1-2 months learning ECU forensics, 2-3 weeks building law firm network, first paid gig within 6 weeks

People are paranoid. Give them a reason.

Create an app (or even just a service) that connects to a car’s OBD-II port and generates a creepy report: “Your car has been to these 47 locations in the past 30 days. Here are 12 phone numbers it logged. Here’s the unique ID of every device you’ve ever connected.”

You’re not hacking anything. You’re just reading what’s already there and making it visual. Scare them into caring.

Monetize with a freemium model: free scan shows 3 sample data points, $9.99 for the full report, $29.99 for a “guided wipe” tutorial.

Partner with privacy-focused YouTubers and InfoSec Twitter. They’ll share it for the shock value alone.

Example: A developer in Bangalore, India built a prototype in 2 weeks using open OBD libraries. Launched on Product Hunt in April 2026. 14K downloads first month. Conversion rate: 8% ($9.99 tier). That’s $11K revenue. No ads. Just fear.

Timeline: 3-4 weeks for MVP if you know basic coding, 1-2 weeks for marketing through privacy subreddits/HN, revenue starts week 1

Rental companies are getting sued for not properly wiping customer data between rentals. Enterprise, Hertz, Budget — they’re all vulnerable.

Build a software solution (or consulting service) that automates ECU/infotainment wipes in fleet vehicles. Make it dead simple: plug in tablet, hit “wipe,” generates compliance receipt.

Sell it as liability insurance. One lawsuit costs them $500K. Your annual license? $50K per location.

Cold email fleet managers at mid-sized regional rental companies (the big guys have internal teams, but the 50-car operations don’t).

Example: A fleet management consultant in Toronto, Canada pitched this exact solution to 3 local rental companies in January 2026. Two said no. One said yes. $35K annual contract. Took him 6 emails and one in-person demo. He doesn’t even do the wipes — he subcontracts to a local mechanic for $80/car and charges the rental company $150/car.

Timeline: 2-3 weeks to build pitch deck + demo video, 4-6 weeks cold outreach, first contract within 2-3 months

Local news stations love “your car is spying on you” segments. It’s visual, scary, and affects everyone.

Package this research into a ready-to-film investigative kit: sample ECU data, expert quotes, step-by-step demo instructions, even a script.

Charge $500-2000 per station (they have budget for this stuff). Hit every local NBC/ABC/FOX affiliate in mid-sized cities.

Bonus: offer yourself as the “tech expert” for on-camera interview ($300-500 per appearance).

Example: A privacy researcher in Phoenix, Arizona did this in March 2026. Sent pitch kits to 12 local stations across Arizona, New Mexico, Nevada. 4 responded. 3 aired the segment. He made $6,800 in kit sales + $1,500 in appearance fees. Took him 9 days total (3 days to build the kit, 6 days of email follow-up).

Timeline: 1 week to package the research kit, 2-3 weeks pitching stations, first segment airs within 4-6 weeks