Your Junked Car Still Has Your GPS History — A Hacker Proved It With a $50 BYD From Poland

A security researcher bought a wrecked car from a Polish junkyard, ripped out a tiny computer chip, and found every single place that car ever drove — from the factory in China to the streets of England to the scrapyard. None of it was locked or hidden.

A Quarkslab researcher extracted unencrypted GPS logs spanning 3 countries from a salvaged BYD Seal’s telematic control unit — and says every car brand has the same problem.

Real talk: your car remembers more about you than your phone does. And when you sell it, crash it, or junk it — that memory doesn’t die. It sits there, wide open, waiting for anyone with a screwdriver and some curiosity.


🧩 Dumb Mode Dictionary
| Term | What It Actually Means |
|---|---|
| TCU (Telematic Control Unit) | A tiny computer inside your car that talks to the internet, tracks GPS, and logs everything |
| NAND storage | The same type of memory chip in your USB drive — it keeps data even when the power’s off |
| GNSS logs | GPS history — every coordinate your car ever visited, saved with timestamps |
| Qualcomm SoC | The brain chip running the TCU — same company that makes phone processors |
| Factory reset | That “erase everything” button in your car’s settings (spoiler: it doesn’t erase everything) |
| Unencrypted | Not locked, not scrambled — just sitting there in plain text for anyone to read |

🔍 What Happened Exactly

Romain Marchand, a researcher at Paris-based security firm Quarkslab, bought a wrecked BYD Seal’s TCU from a salvage yard in Poland through an online marketplace.

He cracked open the unit, pulled out the memory chip (a Micron multi-chip package), and dumped the file system. What he found:

  • GPS coordinates covering the car’s ENTIRE life — factory in China → driving around the UK → final crash in Poland
  • System configuration logs and vehicle event data
  • Zero encryption on any of it

The dude literally cross-referenced GPS clusters with Facebook and found the actual car accident post. That’s how precise the data was.

📊 The Receipts
| What Was Found | Details |
|---|---|
| Car model | BYD Seal (electric) |
| TCU chip | Qualcomm-based system-on-chip |
| Data stored | GPS coordinates, system logs, vehicle events |
| Encryption | None. Zero. Nada |
| Countries tracked | China → UK → Poland |
| Factory reset helps? | Not fully — traces remain in NAND storage |
| Other brands affected? | Yes — hardware architecture is similar across the industry |

🌍 It's Not Just BYD

Look, before anyone says “well don’t buy Chinese cars then” — Marchand straight up said the TCU hardware architecture is “broadly similar to what can be found in other brands.” This ain’t a BYD problem. This is a CARS problem.

  • Poland already banned Chinese vehicles from military facilities (February 2026) over location/video/audio collection fears
  • Australia’s Signals Directorate recommends disabling data sharing where possible (good luck finding that setting)
  • A 2021 BarbHack demo showed someone pulling two-factor authentication codes and text messages from a car’s network
  • Leasing and rental companies are sitting on a goldmine of unwiped customer data
💬 What This Really Means For You

Here’s the thing. Every car made in the last 5-6 years has one of these TCUs. When you:

  • Sell your car → the new owner (or the dealer) has your GPS history
  • Trade it in → the dealership has everywhere you’ve been
  • Wreck it → the junkyard, the insurance company, or some random buyer on a Polish marketplace has your movement data
  • Lease return → the leasing company has a complete map of your life

And that “factory reset” button in your infotainment? Marchand says it doesn’t fully wipe NAND storage. File traces survive. Your data is still in there.
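
One way to check a storage image for leftover location records after a reset, as an added example (not code from the original post or from Quarkslab's research). It assumes the unit logs GNSS fixes as NMEA 0183 text, which the post does not state; the function names and the sample image are constructed for illustration.

```python
import re
from functools import reduce

# Assumption: GNSS fixes are logged as NMEA 0183 text ("$GPRMC,...*hh").
# The post does not name the log format; adapt the pattern to the real one.
NMEA_RE = re.compile(
    rb"\$(G[PNLAB][A-Z]{3},[\x20-\x23\x25-\x29\x2b-\x7e]{1,90})\*([0-9A-Fa-f]{2})"
)

def _xor(body: bytes) -> int:
    """NMEA checksum: XOR of every byte between '$' and '*'."""
    return reduce(lambda a, b: a ^ b, body, 0)

def scan_for_location_residue(image: bytes) -> dict:
    """Find checksum-valid NMEA sentences still present in a raw image.

    Only offsets and sentence types are reported; coordinates are never
    decoded, so the result can be shared without exposing anyone's routes.
    """
    hits = [
        (m.start(), m.group(1)[:5].decode("ascii"))
        for m in NMEA_RE.finditer(image)
        if _xor(m.group(1)) == int(m.group(2), 16)  # drops random look-alikes
    ]
    return {"residual_sentences": len(hits), "hits": hits,
            "wipe_verified": not hits}

def build_sample_image() -> bytes:
    """Constructed sample: erased flash (0xFF) around two stale log records."""
    body = b"GPRMC,000000,A,0000.000,N,00000.000,E,0.0,0.0,010100,,"
    good = b"$" + body + b"*%02X\r\n" % _xor(body)
    damaged = good.replace(b"0000.000,N", b"0000.001,N")  # checksum now fails
    return b"\xff" * 4096 + good + b"\xff" * 512 + damaged + b"\xff" * 4096

if __name__ == "__main__":
    after_reset = scan_for_location_residue(build_sample_image())
    print(after_reset)   # one valid sentence survives at offset 4096
    erased = scan_for_location_residue(b"\xff" * 8192)
    print(erased)        # nothing left: wipe_verified is True
```

On a raw NAND dump, remove the per-page spare (out-of-band) bytes first, otherwise a sentence that straddles a page boundary is missed.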

😤 The Part Nobody Talks About

Real talk: the car industry has had YEARS to fix this. Encrypt the damn storage. Wipe it on transfer. But they didn’t — because the data is worth money to them.

The OAIC (Australia’s privacy watchdog) notes that location data creates “detailed movement profiles” that pose “serious threats to an individual’s privacy and safety.” And nobody’s forcing manufacturers to change.

Meanwhile, the extent of what gets sent back to the car maker versus what stays on the local chip? Still unclear. Nobody’s talking.


Cool. Your car’s a snitch that never forgets. Now What the Hell Do We Do? ( ͡° ͜ʖ ͡°)

🕳️ The Junkyard Data Miner

Look, every salvage yard in the world is sitting on thousands of cars with unwiped TCUs. Each one contains GPS histories, system logs, and potentially synced phone data. The play? Buy TCUs in bulk from junkyards (they go for $20-50 each), extract the data ethically, and sell aggregate movement pattern reports to urban planning firms, real estate analysts, and logistics companies. No personal data — just anonymized traffic flows. Cities pay $10K+ for this kind of data from official sources.

🧠 Example: A 26-year-old hardware tinkerer in Kraków buys 40 TCUs from a local salvage yard at $30 each. Extracts GPS route data, strips all personal identifiers, builds a heat map of real driving patterns for a specific Polish city. Sells the anonymized dataset to a parking lot developer for $4,200.

📈 Timeline: First extraction within 3 days of learning the process. First sale in 2-3 weeks. Runs dry when manufacturers start encrypting (give it 18-24 months).

🛡️ The Car Privacy Wipe Service

Nobody offers this. Literally nobody. Dealerships don’t do it. Manufacturers pretend factory reset works. The play: offer a certified data destruction service for car sellers, leasing companies, and fleet managers. Show up with a laptop and a toolkit, pull the TCU, do a proper NAND wipe (or physical destruction of the chip), hand them a certificate. Charge $150-300 per vehicle. Fleet companies with 500+ cars? That’s a $75K contract.

🧠 Example: A 31-year-old IT tech in Manchester partners with 3 used car dealerships. Offers to wipe every trade-in for £120/car. Does 8-12 cars per week. That’s £960-1,440/week ($1,200-1,800) for a few hours of work using open-source forensic tools like Autopsy.

📈 Timeline: First paying client within 1 week of cold-calling dealerships. Scales fast with fleet contracts. This market only grows as privacy laws tighten.

🎣 The Rental Car Audit Hustle

Rental companies are TERRIFIED of liability right now. They return cars with previous renters’ GPS data, synced contacts, call logs — and they know GDPR (Europe’s privacy law) fines can hit 4% of global revenue. The play: position yourself as a rental fleet data compliance auditor. Offer to audit 10 cars for free, show them exactly what data you found, then sign them for monthly sweeps. Rental companies operate on razor-thin margins and will pay to avoid a single lawsuit.

🧠 Example: A 28-year-old cybersecurity student in Lisbon audits 10 cars from a local Europcar franchise. Finds GPS logs, 3 synced phone contacts, and a saved Wi-Fi password in one vehicle. Shows the franchise manager. Gets hired for monthly sweeps at €2,000/month across their 200-car fleet.

📈 Timeline: Free audit gets you in the door within 1 week. Paid contract within 2-3 weeks. Scales by hitting every rental franchise in your city. Patch risk: low — this is a compliance need, not a loophole.

📡 The Insurance Investigator's Backdoor

Insurance fraud costs the industry $308 billion globally per year. And now there’s a new way to verify claims. Someone says they crashed at Location X on Date Y? The TCU logs tell the real story. The play: build a micro-consultancy that helps insurance adjusters verify accident claims by extracting TCU data from wrecked vehicles. This is the picks-and-shovels play — you’re not doing fraud, you’re CATCHING it. Insurance companies will pay $500-2,000 per investigation.

🧠 Example: A 34-year-old forensic tech in São Paulo partners with 2 local insurance adjusters. Gets called in on suspicious claims — extracts TCU data showing the car was actually 200km from the reported accident site. Saves the insurer $45,000 on a single fraudulent claim. Gets retained at $3,000/month.

📈 Timeline: First case within 2-3 weeks of networking with adjusters. Steady income by month 2. This is a long-term play — insurance fraud isn’t going anywhere.

🪟 The Pre-Purchase Car Stalker Report

(Not actual stalking — stay with me.) Used car buyers want to know if the car they’re buying was actually driven gently by a grandma or thrashed by a teenager. Odometer fraud is a $1 billion problem. The play: offer a “True History” report by pulling TCU data from cars before purchase. GPS logs show real mileage patterns, driving locations (highway vs city), and whether the car spent time in flood zones or extreme climates. Charge $75-150 per report. This is basically Carfax but with ACTUAL data instead of whatever dealerships feel like reporting.

🧠 Example: A 22-year-old electronics hobbyist in Warsaw starts offering “digital history checks” at a local used car market. Pulls TCU data showing a car advertised as “80,000 km, city driven” actually logged 140,000 km of highway routes across 3 countries. Buyer walks away. Word spreads. Now doing 15-20 reports per weekend at 300 PLN ($75) each. That’s $1,125-1,500/weekend.

📈 Timeline: First report within days. Weekend income within 2 weeks. Scales by partnering with used car forums and Facebook marketplace groups. Long runway — used car sales aren’t slowing down.

🛠️ Follow-Up Actions
| Want To | Do This |
|---|---|
| Read the full technical teardown | Quarkslab’s blog post with all the details |
| Learn car forensics yourself | Start with Autopsy (free, open-source) — works on NAND dumps |
| Check what YOUR car stores | Go to Settings → Privacy → Data Sharing on your infotainment. Spoiler: disabling it doesn’t delete what’s already there |
| Wipe before selling | Factory reset + remove your phone from Bluetooth + delete saved destinations. It’s not perfect but it’s better than nothing |
| Follow car security research | Quarkslab’s research page — they publish teardowns regularly |

⚡ Quick Hits

| Want To | Do This |
|---|---|
| 🔒 Protect yourself before selling | Factory reset + delete Bluetooth pairings + remove saved locations + pull fuses on TCU if you’re paranoid |
| 🔧 Start learning TCU teardowns | Grab a cheap TCU from eBay, a NAND reader, and follow Quarkslab’s blog |
| 💰 Monetize this knowledge | Pick one hustle above — the car wipe service has the lowest barrier to entry |
| 📱 Check if your phone synced to a rental | It did. Go to Bluetooth settings, forget the rental car. But the car still has your contacts |
| 🛡️ Push for change | Support right-to-repair legislation — it overlaps heavily with data access and deletion rights |

Your car knows where you sleep, where you work, and where you go at 2am on Wednesdays. And when you junk it, so does everyone else.