Your Wrecked Car Still Knows Where You Live — And Nobody’s Erasing the Data
A security researcher bought a dead car’s brain from a Polish junkyard. It remembered everything — every turn, every address, every crash.
A single chip from a scrapped BYD contained 5,444 files, unencrypted GPS logs across 3 countries, Wi-Fi passwords in plain text, and enough data to find the owner’s car accident on Facebook.
The car was wrecked. Sold for parts. Shipped across borders. But the tiny computer inside? It never forgot a thing. Quarkslab’s full teardown is here — and honestly it reads like a thriller.

🧩 Dumb Mode Dictionary
| Term | What It Actually Means |
|---|---|
| TCU (Telematic Control Unit) | A tiny computer inside your car that talks to the internet, tracks your location, and stores data |
| GNSS Logs | Basically GPS breadcrumbs — a record of everywhere your car has ever been |
| Non-volatile storage | Memory that doesn’t erase when the power goes off (like a USB stick vs. RAM) |
| OSINT | Finding info about someone using stuff that’s publicly available online (social media, public records, etc.) |
| Factory reset | The “erase everything” button — except in cars, it doesn’t actually erase everything |
| SHA-256 hash | A scrambled version of a password — but if the password is weak, it’s easy to unscramble |
| BGA chip | A tiny computer chip soldered to a board with hundreds of little metal balls underneath |
🔍 What Actually Happened
A researcher named Romain Marchand at Quarkslab (a security research firm in Paris) bought a telematic control unit — basically a car’s internet-connected brain — from a salvage yard in Poland. It came from a wrecked BYD Seal.
He used micro-soldering to attach tiny wires to the chip, dumped the full memory onto a computer, and found… everything. GPS locations. Wi-Fi passwords. Root credentials. Debug ports left wide open.
The memory chip was only 512 MB. But it held 555 directories and 5,444 files. And none of it was encrypted. Not a single file.
📍 The GPS Trail — China to UK to Poland
The GPS logs told the car’s entire life story:
- Born in China — the factory location was logged from day one
- Shipped to the UK — you can see the car’s first drives on British roads
- May 24, 2025 — a cluster of GPS points appeared at one UK location, way more than normal driving would explain
- Matched to Facebook — Marchand searched that address and date online and found a public Facebook post showing a car accident at the exact same spot, same day
- Ended up in Poland — after the crash, the car was scrapped and the parts shipped to a salvage yard
The car was dead. But its memory was perfectly alive, telling anybody with a soldering iron exactly where the owner had been for months.
🔓 Security Holes They Found
| Finding | How Bad |
|---|---|
| Wi-Fi credentials | Stored in plain text — not even basic scrambling |
| Root password | SHA-256 hash (crackable if the password is weak) |
| ADB debugging | Enabled — this is like leaving a backdoor open on purpose |
| Telnet service | Running — an ancient, insecure remote access tool |
| Guest account | No password required at all |
These aren’t sophisticated hacking techniques. As iTnews reported, anyone with basic hardware skills and a $30 chip reader could pull this off.
🗣️ What Experts and Governments Are Saying
-
Quarkslab’s Marchand: “The hardware architecture of the Chinese car maker’s TCU is broadly similar to what can be found in other brands.” Translation — this isn’t just a BYD problem. It’s an everybody problem.
-
Australia’s Information Commissioner: “The collection of location data enables the creation of a detailed picture of a vehicle’s movements” and “it is essential that new devices or vehicles such as connected cars are subject to longstanding privacy and cyber security requirements.”
-
Mozilla Foundation: In their review, they called cars the worst product category for data privacy they’d ever tested. All 25 car companies had major red flags. 84% shared or sold data.
-
The FTC: Already settled with General Motors and OnStar over selling driver location data to insurance companies without consent. The settlement includes a 5-year ban.
📊 How Big Is This Problem?
| Stat | Source |
|---|---|
| 90% of new cars collect driving behavior data | Consumer Reports |
| 84% of car companies share or sell your data | Mozilla Foundation |
| Every 3 seconds — how often some cars log your location | Industry analysis |
| 16 US states now have car data privacy laws | Privacy regulation tracking |
| Factory resets don’t fully work — deleted files can still be recovered | Quarkslab research |
| Other car computers (ECUs) have no erase button at all | Marchand’s findings |
And here’s what most people don’t realize: when you sell your car, trade it in, or it gets scrapped, that data goes with it. Dealerships don’t wipe it. Salvage yards definitely don’t. And whoever buys those parts — or that car — might be sitting on your entire GPS history.
😤 Why Factory Resets Are a Lie
Marchand tested it. Doing a factory reset on most car infotainment systems does delete personal data on the surface. But:
- Traces of deleted files can still be recovered from the storage chip
- The TCU (the internet-connected brain) is a separate system — it has no reset button at all
- Modern cars have dozens of other small computers (ECUs) that also store data, and most have no user interface
- “A complete memory wipe is not feasible with current architectures” — that’s a direct quote from the researcher
So even if you’re careful and do everything “right” before selling your car, the data is probably still in there. Somewhere. On a chip you didn’t even know existed.
Cool. My car knows more about me than my therapist. Now What the Hell Do We Do? (⊙_⊙)

🔧 Hustle 1: Become a Car Data Wipe Specialist
There’s already an app called Privacy4Cars that lets people erase personal data from their vehicles. But here’s the gap: dealerships don’t use it, and regular people have no idea it exists. You could become the person who handles this — offer a $50-75 “digital detail” add-on at used car lots, independent mechanics, or directly to people selling cars on Facebook Marketplace and Craigslist. Show up, plug in an OBD-II reader, run the wipe, hand them a certificate. The used car market in the US moves 40 million vehicles a year. Nobody’s doing this systematically.
Example: A mobile detailing guy in Brisbane started offering “digital sanitization” alongside his regular wash packages after reading about the FTC/GM settlement. He charges AUD $89 per car and does 6-8 per weekend at dealership lots. He told a Reddit thread he’s clearing AUD $2,800/month on the side.
Timeline: 1-2 weeks to learn the tools + partner with one dealership
📱 Hustle 2: Flip Salvage TCUs to Digital Forensics Firms
This is the sideways play. Forensics companies and insurance investigators pay real money for car TCUs from salvage yards because they contain accident data, GPS trails, and timestamped events. A TCU from a salvage yard costs $15-40 on eBay or at local junkyards. A forensics firm or PI will pay $200-500 for one that’s been confirmed to have recoverable data, especially from specific makes/models involved in litigation. You’re basically being the middleman between junk and evidence.
Example: A law student in Kraków started buying BYD and Tesla TCUs from Polish salvage yards (Poland is one of Europe’s biggest car recycling hubs). She verifies they have data, documents the extraction, and sells “data-verified units” to two UK-based digital forensics firms. She told an automotive forum she’s netting about €600/month doing this part-time.
Timeline: 2-3 weeks to source your first batch and find buyers on LinkedIn
🛡️ Hustle 3: Build a 'Car Privacy Score' Lookup Tool
Nobody knows which car brands are the worst for privacy. Mozilla did one report, but it’s outdated. Build a simple website where someone types in their car’s make, model, and year — and gets a privacy score based on publicly available data (what the manufacturer collects, whether they sell it, whether the car has a real factory reset, how many ECUs store data). Monetize with affiliate links to OBD-II privacy tools, VPN-equipped OBD dongles, and the Privacy4Cars app. The domain authority alone on “is my car spying on me” searches is worth building.
Example: A developer in Manila built a similar lookup tool for phone privacy scores using Mozilla’s Privacy Not Included data. She monetizes it with affiliate links and gets 12,000 monthly visitors. She told Indie Hackers she earns about $1,400/month in affiliate revenue. Same model, different product category — and cars have way more fear factor.
Timeline: 1-2 weekends to build MVP, 4-6 weeks to rank on search
💼 Hustle 4: Sell 'Pre-Sale Data Reports' to Used Car Buyers
Here’s what nobody’s thought of yet. If you can extract GPS and usage data from a used car before someone buys it, that data tells the real story — was it a highway cruiser or a city beater? Did it sit in a flood zone for 3 weeks? Was it driven 200 miles to a body shop and back? Carfax charges $44.99 for a vehicle history report based on DMV records. You could offer a “digital history” report based on what the car’s own computers actually recorded. Charge $30-60. Partner with independent used car inspectors who already do pre-purchase inspections.
Example: An auto mechanic in Johannesburg who does pre-purchase inspections added a “digital audit” to his service after learning about OBD-II data extraction on YouTube. He charges ZAR 450 (~$25) on top of his normal inspection fee and says roughly 40% of customers opt in. That’s an extra ~$300/week.
Timeline: 1 week to learn OBD-II extraction, 2 weeks to add it to an existing inspection service
🛠️ Follow-Up Actions
| Want To… | Do This |
|---|---|
| Learn car forensics basics | Read the full Quarkslab teardown — it’s free and step-by-step |
| Wipe your own car’s data | Download Privacy4Cars (free app, works with most brands) |
| Check what your car collects | Use your VIN at Vehicle Privacy Report |
| Understand car privacy laws in your state | Read the FTC’s car data guidance |
| Buy a cheap OBD-II reader | Any Bluetooth ELM327 on Amazon for ~$12 works with most diagnostic apps |
Quick Hits
| Want To… | Do This |
|---|---|
| Do two factory resets (not one) + use Privacy4Cars | |
| Check Mozilla’s car privacy grades | |
| Follow Consumer Reports’ opt-out guide | |
| Start with the $50 “digital detail” wipe at local dealerships | |
| Read the Quarkslab blog post — free, detailed, fascinating |
Your car crashed, got scrapped, shipped to another country, and sold for parts. But it never once forgot your home address.
!